[keycloak-user] Federation

Hello, The latest release notes talk about multi tenant enhancements like supporting multiple realms for a single application. Is it possible for a realm to delegate the authentication to a external identity provider like Ping or Okta (using SAML or OpenID Connect) providing some kind of identity federation. One of the requirements for our app is that one or more of out tenants can use their own AD directory for authenticating users into our service. Eventhough keycloak has support for LDAP/AD, I'm not sure if customers will open up their directory for direct connectivity from our cloud service into their on premise AD. Thanks,