Hi,
Since sssd already supports OAuth2, it would be really good to have the possibility to log in to a Linux desktop via OIDC/SAML.
This could make it easy to implement 2FA policies and would be IDP-agnostic.
It doesn’t even have to rely on sssd - there could be an option to match local/directory users based on the received token.