Your requirement 1. seems to be inconsistent with 2.
Your requirement 3. can be satisfied with PAS, the Pluggable Authentication System, which is able to layer multiple authentication services, so you could have one for the internal users (e.g. LDAP or Active Directory) and another user source for "external" users (e.g. non-LDAP Plone user accounts).
You would have to host it outside of your network or in the DMZ of your network. In addition to LDAP, already mentioned, you can use a mix of SAML2 (MS Active Directory Federation Services), which means you can host it internally without having a VPN set up for LDAP.
Plone offers the Pluggable Authentication Service, PAS for short. A vanilla Plone offers only a basic set of plugins.
Due to the nature of authentication needs out in the wild, it is not possible to cover every use case out of the box. Also, most authentication systems would pull in dependencies like python-saml, authomatic, python-ldap, and so on. This would blow up the complexity of Plone, and so we don't do this out of the box.
Because of that, there are a bunch of add-ons around that plug into PAS in order to cover use-case-specific needs.
It's also not that difficult to add your own plug-ins, given a programmer knows Plone and its PAS.
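As an added illustration (not code from this thread, and not Plone's own Products.PluggableAuthService), here is a stand-alone Python model of the layering described in the answers above: an ordered chain of authentication plugins, one standing in for an internal LDAP/AD source and one for local accounts of "external" users. The `authenticateCredentials` method name and its `(user_id, login)` return shape follow the PAS plugin contract, but every class, the in-memory "directory" and the sample accounts are constructed for this example and are assumptions, not Plone API.

```python
"""Stand-alone model of layering several authentication plugins the way PAS
does: plugins are asked in order, the first one that authenticates wins.
This is an added example, not Plone / Products.PluggableAuthService code.
The "LDAP" directory is a constructed in-memory dict standing in for a real
directory bind."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

Credentials = Dict[str, str]
AuthResult = Optional[Tuple[str, str]]  # (user_id, login) as PAS plugins return


class InternalDirectoryPlugin:
    """Stands in for an LDAP / Active Directory backed plugin (assumption).
    A real plugin would bind against the directory; this model just compares
    against a constructed login -> password table."""

    prefix = "ldap:"  # namespaces ids so sources cannot collide

    def __init__(self, directory: Dict[str, str]):
        self._directory = directory

    def authenticateCredentials(self, credentials: Credentials) -> AuthResult:
        login = credentials.get("login")
        password = credentials.get("password")
        if login is None or password is None:
            return None
        expected = self._directory.get(login)
        if expected is None:
            return None
        # constant-time comparison, as the directory would do internally
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        return (self.prefix + login, login)


class LocalAccountsPlugin:
    """Stands in for non-LDAP accounts for external users (assumption).
    Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes, never in clear."""

    prefix = "local:"
    iterations = 200_000

    def __init__(self) -> None:
        self._accounts: Dict[str, Tuple[bytes, bytes]] = {}  # login -> (salt, hash)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def add_user(self, login: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[login] = (salt, self._hash(password, salt))

    def authenticateCredentials(self, credentials: Credentials) -> AuthResult:
        login = credentials.get("login")
        password = credentials.get("password")
        if login is None or password is None:
            return None
        record = self._accounts.get(login)
        if record is None:
            return None
        salt, digest = record
        if not hmac.compare_digest(self._hash(password, salt), digest):
            return None
        return (self.prefix + login, login)


class AuthChain:
    """Ordered list of plugins; mirrors how PAS walks its active
    authentication plugins and stops at the first positive answer."""

    def __init__(self, plugins: List[object]) -> None:
        self._plugins = list(plugins)

    def authenticate(self, login: str, password: str) -> AuthResult:
        credentials = {"login": login, "password": password}
        for plugin in self._plugins:
            result = plugin.authenticateCredentials(credentials)
            if result is not None:
                return result
        return None  # no plugin accepted the credentials


def build_demo_chain() -> AuthChain:
    """Constructed sample setup: internal directory first, local accounts second."""
    internal = InternalDirectoryPlugin({"alice": "internal-secret"})
    external = LocalAccountsPlugin()
    external.add_user("bob", "external-secret")
    # The same login exists in both sources; because user ids are prefixed
    # per plugin, the two accounts stay distinct principals.
    external.add_user("alice", "other-secret")
    return AuthChain([internal, external])
```

Two things the model makes visible that the prose does not: plugin order matters, because the first plugin that accepts the credentials decides which principal you become, and a login that exists in more than one source resolves to different user IDs depending on which password was supplied, which is why the IDs are namespaced per source here.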