Alex,
Yes, you need UAG (3.8 or later) for a 3rd-party IDP using SAML and TrueSSO associated with Horizon 7.11 and later, even for internal. And no, you can't enable selective tunneling on UAG: as soon as you pass by any UAG, your connection is tunneled and all traffic will pass through it.
Eric