Windows Active Directory - UCS Kopano as Member

I have a Server 2019 Active Directory in an environment with few users. The environment has always had a 3rd-party hosted email provider. They run “SmarterMail” today, and the users connect to their mail accounts with a login that is completely separate from the domain, using POP3 over TLS and SMTP over TLS.

It is not secure enough in this day and age without support for MFA or a client certificate. The user experience with MFA and a POP3 client is very poor, so I’ve eliminated that as a possibility.

I’m looking at taking over the mail internally using a solution that supports Exchange ActiveSync and client-side certs, something I’ve previously verified UCS Kopano has no problem with.

My question is mainly around leveraging the existing Active Directory for the user authentication instead of keeping the existing split that exists today.

Is there a clean way to integrate UCS Kopano with the existing AD users so users can use their AD username and password when they log in to webmail, Kopano Meet internally, etc.?

I’m not necessarily only talking about LDAP - open to SAML2 or OpenID or other approaches as well.

I’d like to understand the technical implementation details needed to allow AD user “john” to log in to webmail using his “john” account and password in AD. Bonus points for doing things like reading the user email addresses out of the directory, etc.

Some how-to articles that dive in deeply enough for me to understand what I have to do on AD, during setup on UCS, after setup on UCS, etc., are what I’m hoping for.

I’d also like to understand if there are any drawbacks or limitations to any of the various design options.