To support combining the password login form with more advanced login options like certificates or SPNEGO, need to consider whether we can support this in some generic way that doesn't require explicit modification of the flow.
The general thought is to consider some kind of map of "enhanced" flows that would be runnable directly with the usual IdP machinery but also would be usable via buttons or links on the login form for the password flow, which would run the enhanced flow as a subflow, and return the result as the result of the password flow.
This is like the reverse of the thinking around combining Duo with passwords. Instead of a MFA flow invoking password login, the password flow would invoke other methods instead of running itself.
It may be possible to consider combining the concepts. Perhaps there may be flows to run instead of passwords or flows to run after a successful login via password.
The goal is to build some of the dispatching logic the IdP is capable of into the password flow under control of the view template so that there is a more integrated UI.