I’ve not implemented it because only I have access to Foreman in my institution. But we do use FreeIPA successfully to do SSO against AD in a one-way trust (FreeIPA trusts AD, AD doesn’t trust FreeIPA).
Adding new services to FreeIPA is relatively easy - usually a one-liner in its conf. I would recommend this method.