Running your own AuthN/AuthZ with an off-the-shelf OSS is very straight-forward (as a SaaS product at least) and isn't any more burdensome from a security perspective than what you're already doing for your core service.

This isn't email.

Running Active Directory is as easy as it gets. Protecting the Golden Ticket is not.