"What do you mean you're reinventing the wheel? Can't you find all of this #FOSS stuff online?" Lol, nope.
Example: #FreeIPA comes with #2FA. Great for web apps, except that it also works on the OS level. So users need an OTP to log into their PC, every time. Annoying! But it gets worse.
Apparently, laptop users can only log in with 2FA when they are on a network. SSSD caching doesn't work with 2FA. So any time users are outside of the office they need Wi-Fi to be able to log into their PC. 😓
@Gina I know it is an old post, but SSSD does support offline logon if you have logged in at least once on the system. See sssd.conf(5), 'cache_credentials' and 'cache_credentials_minimal_first_factor_length' options.
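
An added example, not part of the thread: a Python check that reads an sssd.conf and reports, per domain, how the two options named in the reply are set. The sample config, its domain names and the `audit_offline_login` helper are constructed for illustration; `offline_credentials_expiration` is a further sssd.conf(5) option in the `[pam]` section that the thread does not mention.

```python
import configparser

# Constructed sample sssd.conf; domain names and values are placeholders.
SAMPLE_SSSD_CONF = """\
[pam]
offline_credentials_expiration = 0

[domain/ipa.example.test]
id_provider = ipa
cache_credentials = True
cache_credentials_minimal_first_factor_length = 4

[domain/legacy.example.test]
id_provider = ldap
"""

DEFAULT_MIN_FIRST_FACTOR = 8  # default per sssd.conf(5)


def audit_offline_login(conf_text):
    """Return {domain: [findings]} for the offline-login settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # [pam] option: days a cached login stays usable; 0 means no limit.
    expiry = cp.getint("pam", "offline_credentials_expiration", fallback=0)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        findings = []
        if not cp.getboolean(section, "cache_credentials", fallback=False):
            findings.append("cache_credentials off: no offline login")
        else:
            min_len = cp.getint(
                section, "cache_credentials_minimal_first_factor_length",
                fallback=DEFAULT_MIN_FIRST_FACTOR)
            if min_len < DEFAULT_MIN_FIRST_FACTOR:
                # With 2FA, a short first factor (a PIN) would be cached as a hash.
                findings.append(f"first factor min length {min_len} < default 8")
            if expiry == 0:
                findings.append("cached logins never expire")
        report[section[len("domain/"):]] = findings
    return report


if __name__ == "__main__":
    for domain, findings in audit_offline_login(SAMPLE_SSSD_CONF).items():
        print(domain, findings or ["ok"])
```
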