Kantega SSO Authenticator (OpenID-Connect) includes a powerful DSL for configuring login rules. Here you can specify which users are sent to which login solution, and how. The example below shows a setup where users typing in a username with the domain part "@example.com" are redirected to Keycloak for authentication, and a user with the username "admin" is sent to traditional username/password login. All other users are sent to the fallback login mechanism, which in this example is Keycloak.
The security rules at the bottom of the config page relate to where authentication should trigger. Here, you can set up which pages and URLs should be authorized with OIDC or just passed through.
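
The login-rule behaviour described above (domain match, named user, fallback) can be modelled in a few lines of Python to check how edge-case usernames would be routed before relying on a rule set. This is an added illustration, not Kantega's DSL syntax or code; first-match rule ordering, case-insensitive matching and the names `route`, `RULES` and `FALLBACK` are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

KEYCLOAK = "keycloak"               # OIDC provider named on the page
LOCAL_LOGIN = "username-password"   # traditional login form


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[str], bool]
    target: str


def normalize(username: str) -> str:
    # Assumption: matching ignores case and surrounding whitespace.
    return username.strip().casefold()


def domain_is(domain: str) -> Callable[[str], bool]:
    # Compare the whole part after the last "@", not a prefix or substring,
    # so "user@example.com.invalid" does not count as "@example.com".
    def check(user: str) -> bool:
        local, sep, dom = user.rpartition("@")
        return bool(sep) and bool(local) and dom == domain
    return check


def username_is(name: str) -> Callable[[str], bool]:
    return lambda user: user == name


# Rules in the order the page lists them; the first match wins (assumption).
RULES = [
    Rule("example.com users", domain_is("example.com"), KEYCLOAK),
    Rule("local admin", username_is("admin"), LOCAL_LOGIN),
]
FALLBACK = KEYCLOAK  # the page's fallback mechanism is Keycloak


def route(username: str) -> Tuple[str, str]:
    """Return (login target, name of the rule that decided it)."""
    user = normalize(username)
    for rule in RULES:
        if rule.matches(user):
            return rule.target, rule.name
    return FALLBACK, "fallback"
```

In this model only the exact username "admin" bypasses Keycloak, so that account is the one that depends entirely on its local password.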