Multi-domain (a Domain Forest)

Firewall (PA-3050) settings:
• 8 LDAP connections to 8 Domains and Subdomains
• 8 Authentication profiles
• One Authentication sequence with all 8 Authentication profiles in it
• Two Portals, one for the current way and one for the way we want to do it.
• Two Gateways, one for the current way and one for the way we want to do it.
• The gateways have 8 Client Authentication entries in each

We are currently using GlobalProtect with an “Authentication Profile” for each domain (8 domains).
We would like to use Duo for the VPN connections, for users who are connecting to their domain. However, there is one group of users who move from domain to domain using a secure device we assigned to them, and we do not want them to use Duo.
Do I need to set up SSO and/or DAC for each domain? If so, do I need to set up SAML for each domain? Has anyone set up a similar configuration?