That sounds pretty much exactly like what I’d like to have!
I’ve also been playing with Keycloak, and I’ve used it previously at work too (although that was only about 10 employees and only inside the local network, so not an Internet-accessible enterprise use-case). It works pretty well; it can be daunting to try and use as an admin, but it does a lot of stuff, so that’s to be expected.
What are your thoughts? Does it seem feasible to have some sort of multiple-space shared instance, at least of Keycloak? And perhaps also of Discourse. Each space would probably want to have its own Matrix server, to ease the load, but we can of course join ourselves with various shared rooms (as is the point of Matrix and federation). In Discourse, for example, I was anticipating various shared areas where we could all collaborate, but then also specific areas per space for internal discussions and documentation which are only accessible to users in a specific group as set by Keycloak.