I believe you ask for two things in a single request: you look for general advice on designing your solution, and also for proof that this has been done / that F5 and Keycloak interoperate nicely.
I'll concentrate on the first, as I cannot deliver the second.
I understand that you say there's an LDAP containing user identities (including passwords), there's an application (Jira, maybe more, as you ask for SSO), and you have F5 (I would guess you run Jira on your own server and F5 is the secure reverse proxy for your users accessing it from abroad), and you now want SSO (aka SAML + OIDC) and MFA (for instance TOTP).
Since F5 is capable of doing a lot, in this discussion we only look at its IDP role.
Let's see the building blocks:
- An IDP (Keycloak, F5) can usually leverage an existing user base, so yes, you can feed Keycloak from your LDAP (as you can do with F5). No user enrollment (aka password reset) should be required.
- Through the OIDC and SAML standards, both supported by Keycloak (and F5) and Jira, you can let the IDP authenticate users and have Jira trust this.
- Jira has several options, including options to have its own user base mixed with one or more IDPs (via plugin). I just mention this since you may have employees and external (guest) users in Jira but not in the same LDAP.
- Finally, yes, Keycloak allows you to add MFA; it delivers TOTP out of the box and can plug in more options. I believe F5 can do so as well.
If we are still on the same page, you are now closer to a picture where you can compare cost and features. And to make it even more flexible, through federation you can connect F5 and Keycloak, which stays transparent for the users.
So if all relevant modules are already licensed from F5 and your corporate strategy is that, I would think that you need to validate F5. If you look for an independent, open source solution that you can even modify and extend (or have to), then go for Keycloak.
You'll feel the differences when you test-build the two scenarios next to each other.
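To make the two building blocks above concrete (the IDP authenticating the user with a second factor, and the application trusting only a token the IDP signed), here is a small stand-alone Python illustration. It is an added example, not code from the answer above nor from Keycloak, F5 or Jira. It assumes a dictionary standing in for the LDAP user store, an HMAC-signed (HS256) ID-token-style JWT using a client secret (Keycloak issues RS256 tokens verified against its JWKS by default; HS256 keeps the example free of third-party libraries), and hypothetical names such as `https://idp.example` and the client id `jira`.

```python
import base64
import hashlib
import hmac
import json
import struct

# ---- MFA building block: RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) ----
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code valid at Unix time `for_time`."""
    counter = struct.pack(">Q", for_time // step)           # HOTP counter = time step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps for clock drift, comparing in constant time."""
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-window, window + 1))

# ---- Trust building block: the IDP signs an ID token, the application verifies it ----
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_token(client_secret: bytes, issuer: str, client_id: str,
                   subject: str, now: int, ttl: int = 300) -> str:
    """IDP side: mint a compact JWT (HS256) carrying the standard OIDC claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": client_id, "sub": subject, "iat": now, "exp": now + ttl}
    signing_input = "{}.{}".format(
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_id_token(token: str, client_secret: bytes, expected_issuer: str,
                    client_id: str, now: int):
    """Application side: return the claims only if signature, issuer, audience and expiry check out."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":        # pin the algorithm; never let the token choose it
        return None
    expected = hmac.new(client_secret, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != expected_issuer or claims.get("aud") != client_id:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims

def idp_login(users: dict, username: str, password: str, totp_code: str, now: int,
              client_secret: bytes, issuer: str, client_id: str):
    """IDP side: password check (mock of the LDAP bind) plus TOTP, then issue the token."""
    user = users.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    if not verify_totp(user["totp_secret"], totp_code, now):
        return None
    return issue_id_token(client_secret, issuer, client_id, username, now)

if __name__ == "__main__":
    # Constructed sample user store standing in for the LDAP; the TOTP secret is the RFC 6238 test key.
    USERS = {"alice": {"password": "hunter2", "totp_secret": b"12345678901234567890"}}
    SECRET, ISSUER, CLIENT = b"client-secret-shared-with-jira", "https://idp.example", "jira"
    now = 59
    token = idp_login(USERS, "alice", "hunter2", totp("12345678901234567890".encode(), now),
                      now, SECRET, ISSUER, CLIENT)
    print("application sees subject:", verify_id_token(token, SECRET, ISSUER, CLIENT, now)["sub"])
```

The application never touches the LDAP password or the TOTP secret; it only checks the signature and the `iss`, `aud` and `exp` claims, which is exactly the trust relationship the standards establish. Swapping the signing algorithm for RS256 with the IDP's published keys is the only change needed to match what Keycloak or F5 actually emit.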