I'd recommend to update to 2016.4. There you'll find the new Identity Server that will enable you to either use your AD credentials or your Service Desk credentials. The users will always be asked for their credentials and they can choose what credentials to use every time they log in. I believe that will help you out.
It is really easy to use, the only catch might be, that you'll need to add new or change all of your existing frameworks to use the identity server. Just take a look at this article: Configuring Workspaces (BridgeIT) and Web Access to use Identity Server Logon Policy .
Have fun and let us know if it works!
As Andreas mentioned, Identity Server will be a good solution in your case, if you can upgrade to 2016.4
However, if you do not wish to upgrade, your best option will be to use STS Token policy.
You can find more info about Token policy set up here
In this Case, It is not posible to upgrade to 2016.4
I'm using webdesk instead of workspace. Do you know how to configure it for WebAccess? Is there any knowledge document? I have found information about how to doit for workspace, nut nothing for WebAccess
it works the same way as with Workspace, just switch your WebAccess framework to token based authentication or add a new WebAccess framework for testing.