24h SAML for some, regular SAML for others

I have an application where I need to force a 24h reauthentication for some users, and for the rest, another longer value.

I’d rather not give the user the option to select saml or saml24, because those in the special group need to have the saml24 enforced.
LDAP is configured, and I have 2 SAML authorizers configured, saml and saml24

I’d rather have keycloak dynamically create the users at first login, but I’d be ok with keycloak regularly syncing the AD/LDAP users/groups.
I’d rather not have to manually create SAML associations, but rather, use the existing groups in LDAP as the rule to define which SAML is used.
I’d like keycloak to check, on each login, if the user is in the special group or not, in case users move in or out of the special group.

I’m thinking, I can configure Kerberos authentication, so that the initial login flow authenticate based on our local AD, and the initial login flow can add the user to keycloak and link the appropriate SAML, but then what happens if they leave the special group, or they have already been created in keycloak and the join the special group.

Perhaps keycloak is the wrong place to be trying to apply this rule?

Any advice would be appreciated.