The customer needs two factor authentication: the implementation with keystone and IPA has many issues and customer doesn't want to go on this solution.

So, we found this article[1] that explains how to configure Keystone for federation and as ServiceProvider: the plan is to use an external IDP based on EAP + Picketlink with custom EAP login modules.

So:

1) Do we have other customer using login customization for OSP7? and how?

I'm not aware of it, it's better for this to reach to BU or rhos-tech
to check for this.

2) Do we have some ready made solution to implement two factor auth in OSP?

Ipa can be integrated with keystone
(https://www.rdoproject.org/documentation/keystone-integration-with-idm/)

And IPA can do 2FA:
http://rhelblog.redhat.com/2015/06/04/identity-management-and-two-factor-authentication-using-one-time-passwords/

So it can be crafted together

But as you said, if customer doesn't want to go the IPA road, it's a
dead end.

3) Do we fully support federation + SAML2 login in OSP?