Why would you do that rather than just hooking SSH up to a real IdP with certificates?