How do you centralize your authn and your 2FA provisioning? How do you ensure that your cloud-native apps have access to the auth backend without risking exposing the wrong ports on the wrong VPC?
Just adding a library to application code is not sufficient. What I mean is that organizations should not roll their own SSO provider. At the very least, work with one of the many companies that offer it as a product or service. If your threat model requires it, you can host the product on premises.