The way I've tackled this type of issue in the past is to use Kerberos. You get your client machines set up to get their Ticket Granting Ticket on user login, and then that can be used to connect to most relational databases. You then set up your IdP to support SPNEGO, and then your users don't even interact with the IdP in their web browser.
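The setup above only delivers its benefit if the database actually refuses anything other than a Kerberos ticket. As an added example (not code from the commenter, and it assumes the database is PostgreSQL, whose pg_hba.conf rules are whitespace-separated `TYPE DATABASE USER ADDRESS METHOD [OPTIONS]` lines, with `hostgssenc` available in PostgreSQL 12 and later), here is a small lint that parses a pg_hba.conf and flags every network rule that does not enforce GSSAPI authentication pinned to the expected realm. The sample configuration embedded in it is constructed for illustration.

```python
"""Lint a PostgreSQL pg_hba.conf for rules that bypass Kerberos (GSSAPI) auth.

Added example, not from the original thread. Assumptions: the database is
PostgreSQL, and the intended posture is that every network client must present
a Kerberos ticket, i.e. every non-local rule uses the `gss` method, pins
`krb_realm`, and requires GSS transport encryption (`hostgssenc`).
"""

# Constructed sample pg_hba.conf; not taken from any real deployment.
SAMPLE_PG_HBA = """\
# TYPE     DATABASE  USER     ADDRESS         METHOD [OPTIONS]
local      all       postgres                 peer
hostgssenc all       all      10.0.0.0/8      gss include_realm=0 krb_realm=CORP.EXAMPLE
host       all       all      10.0.0.0/8      md5
host       reports   app_ro   192.168.1.0/24  gss include_realm=0
hostnossl  all       all      0.0.0.0/0       trust
"""

# Methods that never prove the caller holds a Kerberos ticket.
WEAK_METHODS = {"trust", "md5", "password", "scram-sha-256", "ident"}


def parse_pg_hba(text):
    """Return one dict per non-comment rule: line, type, database, user, address, method, options."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        rule = {"line": lineno, "type": fields[0], "database": fields[1], "user": fields[2]}
        if rule["type"] == "local":
            # Unix-socket rules have no ADDRESS column
            rule["address"] = None
            rule["method"] = fields[3]
            opts = fields[4:]
        else:
            rule["address"] = fields[3]
            rule["method"] = fields[4]
            opts = fields[5:]
        rule["options"] = dict(o.split("=", 1) for o in opts if "=" in o)
        rules.append(rule)
    return rules


def audit_pg_hba(text, required_realm):
    """Return (line, problem) findings for every network rule that does not enforce Kerberos."""
    findings = []
    for r in parse_pg_hba(text):
        if r["type"] == "local":
            continue  # peer auth on the Unix socket is out of scope for network clients
        if r["method"] in WEAK_METHODS:
            findings.append((r["line"], f"method '{r['method']}' does not require a Kerberos ticket"))
            continue
        if r["method"] == "gss":
            if r["options"].get("krb_realm") != required_realm:
                findings.append((r["line"], f"gss rule does not pin krb_realm={required_realm}"))
            if r["type"] != "hostgssenc":
                findings.append((r["line"], "gss rule allows unencrypted transport; use hostgssenc"))
    return findings


if __name__ == "__main__":
    for line, problem in audit_pg_hba(SAMPLE_PG_HBA, "CORP.EXAMPLE"):
        print(f"pg_hba.conf:{line}: {problem}")
```

Run against the constructed sample, it reports the `md5` and `trust` rules as ticket-less paths into the database and flags the second `gss` rule for not pinning the realm and for accepting unencrypted GSSAPI sessions; only the `hostgssenc ... gss ... krb_realm=CORP.EXAMPLE` rule passes. Pinning `krb_realm` matters because without it any principal from a cross-realm-trusted realm that happens to share a username maps onto the local role.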
It is privileged access management that you are describing. One of the key requirements for compliance frameworks is also to record the user sessions. Authentication is one aspect of it; I think the key problem is authorization too.