No matter what you do, ultimately a User record needs to be created in your Mendix app. However, this functionality is quite extensible.
In fact, there are a number of modules in the app store that offer connectivity to standard SSO protocols like LDAP and SAML. You can also build a custom solution: Here is a great blog post describing how to perform custom logic when a user tries to log in: https://bartgroot.nl/mendix/custom-checks-on-login/
So, use something like this, and when your custom microflow is called, look up the user in the external system and validate their credentials. If the authentication is successful, create/update the User record, and ensure it has the right user roles. Then pass that user out of the microflow and they will be logged in. If the authentication fails, pass back an empty user object and let the auth fail.
As for the UI, you can either use the default login page or the custom login widgets as you discussed above.
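A language-neutral model of the flow described in this answer, added here as an example; it is not code from the original post, the linked blog, or Mendix. `EXTERNAL_DIRECTORY`, `GROUP_TO_ROLE`, `LOCAL_USERS` and the function names are hypothetical stand-ins, all sample data is constructed, and rejecting a user with no mapped role is an assumed design choice.

```python
import hashlib, hmac
from dataclasses import dataclass, field

def pw_hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Constructed stand-in for the external system: username -> (salt, hash, groups)
EXTERNAL_DIRECTORY = {
    "alice": (b"s1", pw_hash("correct horse", b"s1"), {"grp-admins", "grp-staff"}),
    "bob": (b"s2", pw_hash("hunter2!", b"s2"), {"grp-staff", "grp-unmapped"}),
}
# Allowlist of external groups -> app user roles; unmapped groups grant nothing.
GROUP_TO_ROLE = {"grp-admins": "Administrator", "grp-staff": "User"}
LOCAL_USERS = {}  # stand-in for the app's User records

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

def external_authenticate(username, password):
    """Return the user's external groups, or None if credentials are rejected."""
    entry = EXTERNAL_DIRECTORY.get(username)
    if entry is None:
        return None
    salt, stored, groups = entry
    if not hmac.compare_digest(pw_hash(password, salt), stored):
        return None
    return set(groups)

def custom_login(username, password):
    """Model of the custom login microflow: a User on success, None on failure."""
    try:
        groups = external_authenticate(username, password)
    except Exception:
        groups = None  # external system unreachable: fail closed
    if groups is None:
        return None  # the "empty user object": no local record is created
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    if not roles:
        return None  # authenticated, but nothing on the allowlist applies
    user = LOCAL_USERS.setdefault(username, User(username))
    user.roles = roles  # replace rather than merge, so revoked roles are dropped
    return user
```

The local record never stores the external password, and roles are recomputed on every login so a change in the external system takes effect at the next sign-in.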