Yes, this is possible. However, the terminology in your question is not completely correct: your portal application won’t be the identity provider, but AD FS.

What would happen is the following:

• User browses to portal application.
• The portal application redirects to AD FS.
• User authenticates to AD FS, either silently or interactively, using Forms or NTLM or something else, against AD. AD FS is the IP/STS, i.e., the identity provider. This action is the single sign-on. In response AD FS sends back an ‘AD FS cookie’ to the browser.
• AD FS also redirects back to the portal application with a security token.
• The portal application sends its home page to the browser, together with a ‘portal cookie’. As part of this home page it sends the ‘home page’ of application X to the browser.

Now history mostly repeats itself, point for point:

• The browser retrieves the application X home page.
• Application X redirects to AD FS.
• The browser sends the ‘AD FS cookie’ to AD FS, which proves the user’s identity to AD FS. No sign-on occurs at this point.
• AD FS redirects back to application X with a new security token.
• Application X sends its ‘home page’ to the browser, together with an ‘app X cookie’.

When a return visit is made to the portal application, or to application X, then the browser sends the ‘portal cookie’, or the ‘app X cookie’. The application recognizes the cookie, and does not redirect the browser to AD FS anymore. So the conversations with AD FS only happen on application start-up, one for each application.