Feature #4462

closed

Add support for PAM authentication via mod_intercept_form_submit

Added by Jan Pazdziora about 10 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Authentication
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

The form-based authentication should be able to consume external authentication, for example PAM authentication and access control provided by mod_intercept_form_submit.

The generic approach is documented at http://www.freeipa.org/page/Web_App_Authentication

For Foreman, the goal is to be able to say

LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
<Location /users/login>
  InterceptFormPAMService foreman-prod
  InterceptFormLogin login[login]
  InterceptFormPassword login[password]
</Location>

and be able to authenticate against the foreman-prod PAM service.

In case the Foreman machine is IPA-enrolled, additional user attributes should be consumable just like in the case of http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb. The mod_lookup_identity module configuration would then need to be amended to

LoadModule lookup_identity_module modules/mod_lookup_identity.so
<LocationMatch ^/users/(ext)?login$>
  LookupUserAttr mail REMOTE_USER_EMAIL " " 
  LookupUserAttr givenname REMOTE_USER_FIRSTNAME
  LookupUserAttr sn REMOTE_USER_LASTNAME
</LocationMatch>

to support both the Kerberos-based /users/extlogin, and /users/login.
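
How an application behind the configuration above might consume the result, as an added example that is not part of the original issue and is not Foreman's code. It assumes the web server exposes a successful PAM login as REMOTE_USER in a Rack-style environment hash; `ExternalIdentity`, `external_identity` and the sample hashes are hypothetical names and constructed data.

```ruby
# Added example, not Foreman's code: ExternalIdentity and external_identity
# are hypothetical names; env is a Rack-style request environment hash.
ExternalIdentity = Struct.new(:login, :mail, :firstname, :lastname)

# Same paths as the <LocationMatch> on the page.
EXTERNAL_LOGIN_PATHS = %r{\A/users/(ext)?login\z}

def blank_to_nil(value)
  text = value.to_s.strip
  text.empty? ? nil : text
end

# Returns an ExternalIdentity when Apache authenticated this request,
# or nil so the caller falls back to the application's own password check.
def external_identity(env, mail_separator: " ")
  return nil unless EXTERNAL_LOGIN_PATHS.match?(env["PATH_INFO"].to_s)

  # Only the server-set variable counts. A client-sent "Remote-User" header
  # appears in Rack as HTTP_REMOTE_USER and is deliberately never read.
  login = blank_to_nil(env["REMOTE_USER"])
  return nil if login.nil?

  # Assumption: the " " argument on the page's mail line is a separator that
  # joins multiple values into one variable; keep the first address.
  mail = env["REMOTE_USER_EMAIL"].to_s.split(mail_separator).reject(&:empty?).first
  ExternalIdentity.new(login, mail,
                       blank_to_nil(env["REMOTE_USER_FIRSTNAME"]),
                       blank_to_nil(env["REMOTE_USER_LASTNAME"]))
end

# Constructed sample environments (not captured from a real server).
PAM_LOGIN = {
  "PATH_INFO" => "/users/login", "REMOTE_USER" => "alice",
  "REMOTE_USER_EMAIL" => "alice@example.test alice@corp.example.test",
  "REMOTE_USER_FIRSTNAME" => "Alice", "REMOTE_USER_LASTNAME" => "Example"
}.freeze
SPOOFED_HEADER = { "PATH_INFO" => "/users/login", "HTTP_REMOTE_USER" => "admin" }.freeze
WRONG_PATH = PAM_LOGIN.merge("PATH_INFO" => "/hosts").freeze

if $PROGRAM_NAME == __FILE__
  p external_identity(PAM_LOGIN)
  p external_identity(SPOOFED_HEADER)
  p external_identity(WRONG_PATH)
end
```

If the application sits behind a reverse proxy instead of running inside Apache, the proxy has to strip any client-supplied identity headers before forwarding, since the hash lookup above only protects against the Rack `HTTP_` prefix case.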


Related issues 1 (1 open, 0 closed)

Blocks Foreman - Tracker #5031: External authentication support (New, 04/02/2014)
