I’m at an ISV selling on-prem software bundled with Keycloak to fairly mature IT shops running Active Directory for thousands of employees.
It seems like the “Microsoft” identity provider gives a much better employee user experience, with way less hassle, than federation with AD and setting up Kerberos for auto-login from the Windows desktop/browser. Am I missing something? Does anyone have a sense of the proportion of larger shops that have AD and are sophisticated enough to support Kerberos for apps but not “Microsoft” authentication?