Need help understanding Keycloak identity brokering with Amazon Load Balancer (?)

I currently have an AWS ALB connected/proxying to 3 backend Tomcat servers.

I was able to use a Keycloak Java adapter with Tomcat and my ADFS IdP to do SAML auth successfully, BUT I do not want to configure a Keycloak Java adapter with each Tomcat server.

Can I configure my ALB to authenticate via Keycloak identity brokering to my ADFS IdP, before it passes the request back to the backend?