Auth0 can do this. Identifier first login, SSO domain aliases, and MFA are all supported. They have an Organizations feature as well, but I'm not certain if you'd need that from what you've described. Customization of various aspects of the authn flow can be done via Actions (and Rules, but they're deprecated).
