Best practices integration of SSO saml2

Hi all,
we are currently developing a numerous amount of microservices, of course with the need for an authentication and authorization. We do have 2 potential clients, Browsers and misc. http clients like curl or whatever.
The Browser will do have a kerberos tgt upfront due to his windows login. There should be no need, once authenticated in the beginning and retrieving a token , to do an authentication on the microservices . We need to use SAML2 (ADFS) for authentication and the whole process is a serviceprovider initiated flow.
My question is where to provide , implement the saml part on the microservice (SP) side ? Should i use pac4j ?
Later we would evolve the whole picture with an api gateway , which will also most likely implemented with lagom .
Shall i just configure and invoke a sso method like e.g generateRedirect2IDP in case of org.pac4j inside the impl/SSOBlaBlaServiceImpl implenting my api/SSONBlaBlaService ? or is there a more elegant way annotating the urls to be secured or filters . Is there a play way to do so ?
Sorry for this naive question being pretty rookie on the lagom topic