Hi from IndieHosters, onboarding process?

Yep, SSO is a game changer :slight_smile:. This was actually one of the upcoming questions on our part: we wondered if you had experimented with SSO and bbb. I want to try out this PR, for instance: https://github.com/bigbluebutton/greenlight/pull/1194 (btw, this is something that I like and dislike with bbb: they are quite conservative with PRs, or some would say they keep their software stable).

We have been using Keycloak for more than 2 years now. It works well. It's a big Java software with an old-school UI, but it does everything and you can configure everything :slight_smile:. I probably know only a tiny bit of all its potential.

We use it in a multi-tenant way: each organization/collective has its own realm that they can manage.

I do think that the UI is not really good, though. If you want to enable a user to manage their own realm, for instance, it's a bit hard at first for them. You will need to do some training to show them how to do it.

One app that I would like to implement at some point is Hydra. Tiny Go microservices :slight_smile: perfectly designed for our Kubernetes setup :).

We are sticking to Keycloak for now, because obviously it works well, but also because Nextcloud had so far only an integration with SAML (or LDAP) for SSO (now there is a new app for OIDC that is being developed as a core app) and Hydra does not provide SAML.

What's also nice with Keycloak is that you can plug it into an LDAP directory as a backend (you can have a mix of LDAP and Postgres, for instance). You can also federate ID providers, like we did on https://lab.libreho.st.

A few years back, before moving to Keycloak, we thought about going your way with an LDAP directory, but most webapps were pretty outdated and we are pretty bad developers, so… We also think that even if LDAP is pretty solid and well supported, it is also a bit old school, not so web friendly, and as we already host PostgreSQL databases in HA, why not have our user base there too :slight_smile:
