Thanks for your thoughts on this.
But would it be alright for us to write our own, since I guess we will have to have some kind of two-step login page to have company-based password policies?
I don't know what you mean by this :).
What I mean by that is that if a user wants to log into app.example.com and the company has a password policy or OAuth provider which basic app.example.com users don't have (for example SAML), he has to see a different login form from the other users in some way. I'd imagine something like a 2-step login form, where in the first step you enter your email address, and based on that there may be a second step where you get options to log into app.example.com with the providers and policies you are allowed to use, based on the app2.example.com preferences.
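The two-step flow described above, as an added example that is not code from the thread or the project: step one maps the e-mail domain to the company's configured login options, and step two re-derives that policy on the server so a SAML-only company cannot be logged into with a plain password just because the client claims otherwise. The tenant domains and policies are constructed for illustration.

```python
"""Identifier-first ("two-step") login resolution.

Added example, not code from the thread. The per-company config keyed
by e-mail domain is constructed; the domains and rules are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TenantPolicy:
    """Login rules one company configured in the admin app."""
    methods: tuple            # e.g. ("saml",) or ("password", "google")
    min_password_length: int = 8
    require_digit: bool = False


# Constructed tenant table: e-mail domain -> that company's policy.
TENANTS = {
    "acme.example": TenantPolicy(methods=("saml",)),
    "globex.example": TenantPolicy(methods=("password",),
                                   min_password_length=14,
                                   require_digit=True),
}
DEFAULT_POLICY = TenantPolicy(methods=("password", "google"))


def domain_of(email: str) -> str:
    """Normalise the address; only the domain decides the second step."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    return domain.lower().rstrip(".")


def step_one(email: str) -> TenantPolicy:
    """Step 1: from the e-mail alone, pick the options step 2 may show.
    Keyed on the domain only, so it reveals nothing about whether the
    individual account exists."""
    return TENANTS.get(domain_of(email), DEFAULT_POLICY)


def step_two_password_allowed(email: str, password: str) -> bool:
    """Step 2, server side: re-derive the policy rather than trusting the
    method the client says it picked, then apply the company's rules."""
    policy = step_one(email)
    if "password" not in policy.methods:
        return False          # SAML-only tenant: password login refused
    if len(password) < policy.min_password_length:
        return False
    if policy.require_digit and not any(c.isdigit() for c in password):
        return False
    return True
```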