I have only limited experience with both. Okta from trying to integrate with it and Keycloak from using it in my integration testing (it thankfully runs well inside a Docker container).

I would hesitate to disqualify Keycloak because it is "open source". E.g. I was very surprised when I learned that Okta's SAML implementation does not currently support importing SP metadata (in fact, when using their developer portal you'll notice that the SAML stuff is hidden away inside their legacy UI). My first attempt at integrating with Okta involved what turned out to be a sub-par SAML library and asking Okta for some guidance was an exercise in futility. I.e. to me as a developer the Okta option offers very few advantages. (but for a network admin the story might be different)

At the moment I'm involved in a project that employes OpenIdDict since we have additional customization needs (and we use dotnet). There are many ways to skin this particular cat. :)

We have used Keycloak extensively and I can confidently say that it supports all the features that you have listed. Moreover, Keycloak also supports extension with SPIs which even allowed us to develop some very customised authentication flows which wouldn’t be possible with most IDPs. Unless you really need that enterprise support provided by Okta and you can manage Keycloak on your own, you can easily go with Keycloak and save some cash.

Keycloak also runs well on a container. You could use the official image from JBoss’s DockerHub or the one that’s made by Bitnami. The Bitnami one offers some extra options. Helm Charts are available from Codecentric and Bitnami (for the JBoss and Bitnami version, respectively), so it’s pretty easy to get them running on your Kubernetes cluster, if you have one to use.