So depending on your IDP (you mentioned federated authentication) you might have to run some updates.
It depends on your setup, but in most environments the user/browser requests a Kerberos ticket to authenticate against the federation service. There might be an issue there. One easy way to check on the client whether there is a valid ticket is the klist command-line tool, which will show you all cached tickets.
If there is no ticket, either the request to the domain controller failed, or some browser setting is off, for example the IdP URL is not in your trusted sites config.
You have a conditional access control in place which requires a managed device or AAD hybrid joined device. In this case you need the MS Accounts extension installed in the Chrome browser and the device must be either AAD Hybrid joined, or Intune managed.
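
The two client-side checks described in this reply, combined into one script. This is an added example, not part of the original reply. It assumes English-language `klist` and `dsregcmd /status` output, that the federation service uses an `HTTP/<host>` SPN, and `sts.example.com` is a placeholder host name. It does not check Intune enrollment.

```powershell
# Added example: client-side check for a cached Kerberos ticket and hybrid join state.
param(
    # Hypothetical placeholder: host name of your federation service / IdP.
    [string]$FederationHost = 'sts.example.com'
)

# --- 1. Kerberos: collect the "Server:" entry of every cached ticket ---
$klistText = (& klist.exe 2>&1 | Out-String)
$servers = @([regex]::Matches($klistText, '(?im)^\s*Server:\s*(\S+)') |
    ForEach-Object { $_.Groups[1].Value })

# A TGT (krbtgt/...) shows the domain controller was reachable at logon.
$hasTgt = @($servers | Where-Object { $_ -like 'krbtgt/*' }).Count -gt 0
# Assumption: the federation service SPN is HTTP/<FederationHost>.
$hasIdpTicket = @($servers | Where-Object { $_ -ieq "HTTP/$FederationHost" }).Count -gt 0

# --- 2. Device state: hybrid joined means AzureAdJoined and DomainJoined are both YES ---
$dsregText = (& dsregcmd.exe /status 2>&1 | Out-String)

function Get-DsregValue([string]$Name) {
    # Reads one "Name : VALUE" line from the dsregcmd output captured above.
    $pattern = "(?im)^\s*$([regex]::Escape($Name))\s*:\s*(\S+)"
    $m = [regex]::Match($dsregText, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { 'UNKNOWN' }
}

$aadJoined    = Get-DsregValue 'AzureAdJoined'
$domainJoined = Get-DsregValue 'DomainJoined'

# --- 3. Summary object for the helpdesk ticket or further scripting ---
[pscustomobject]@{
    CachedTickets       = $servers.Count
    HasTgt              = $hasTgt
    HasIdpServiceTicket = $hasIdpTicket
    AzureAdJoined       = $aadJoined
    DomainJoined        = $domainJoined
    HybridJoined        = ($aadJoined -eq 'YES' -and $domainJoined -eq 'YES')
}
```

Run it as the affected user after a sign-in attempt in the browser, since the service ticket for the federation host is only cached once the browser has tried to authenticate there.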