Keycloak login and redirect to legacy username/password-based web application


I have an existing web application that authenticates using a username/password form POST with user credentials on the LDAP database.

The new token-based web UI will not be ready soon, and in the interim, we want to use the Keycloak login and, if successful, do a form-based login to the old web application using username/password and redirect.

The purpose is to use the Keycloak features to manage the user account lifecycle from creation, verify login email addresses, and apply password policies.
With user federation, we can access the same LDAP user store.

Can this be achieved without writing an SPI?
If not, then which SPI best suits this kind of authentication flow?

Kind Regards,