Samba users authenticated with Keycloak

We have a working Keycloak server that we use to authenticate users with Nextcloud and our own web service. That works very well!

Now we would like to extend this authentication service to a local Samba server. I know about the LDAP user federation, but that works the other way around: users are defined within LDAP and then imported within Keycloak. We would like the opposite: keep users centralized within Keycloak and export them to LDAP/Samba.

Maybe SAML would be part of the solution, but I am not sure at all.

Any advice to get me on the right track would be much appreciated!