@Willo:
@chris4916, I'm wondering if the authentication couldn't be "transparent" by authenticating to either a local user database or AD? So when they browse, it silently authenticates in the background?
This wording is quite confusing especially when topic is proxy. Avoid "transparent authentication" wording, IMHO ;)
This said, technically, yes you can enable SSO (single sign on) at browser level and configure Squid (and your browser) to support Kerberos (because SSO is Kerberos based) but be aware that:
1 - this is an extra level of complexity. Perhaps not the one to start with
2 - Behaviour differs depending on browsers
3 - This works with Squid / Squidguard but I don't know if pfSense packages allows such configuration
4 - last but not least, this means to have Kerberos domain configured (and used). This is often achieved with Windows domain.
I would suggest that you not try to achieve everything from scratch in one shot.
Start with authentication and filter then once this works, you can think about changing your authentication mechanism and move to SSO