[Freeipa-users] Adding SAML2 & OIDC

Hello, I'm looking forward to add 2FA, SAML2 & OIDC interfaces to my authentication services running on FreeIPA. Are there any recommended integrations?. I'm thinking about implementing Authelia or Keycloak. My main concern is the first forced password change & following password expirations (should not be able to proceed without changing password and yet be able to change it). Would pretty much prefer "self service" by the end user. Regards, CI.-