Yes, you should use form-based authentication to make an API call with the user's credentials to the authorization provider to get either session data or a bearer token, whichever applies in your case.
But this is not the only thing you need to handle.
At the same time you need to handle the access level as well, which you can decide based on the token and session data of the user.
In AEM we have lots of places where you need to manage users' private data and content and its caching, so after any authorization you will have to set proper request and response headers to properly cache the content at the dispatcher and CDN level (if applicable).
So all this stuff needs to be considered before execution.
As you have mentioned that the identity provider is an external system, you can go ahead with the form-based authentication process if you have a login page.
Let's say you are using OKTA as the external system; then the user will need to submit the form by providing their user details, and you will need to call the OKTA API to authenticate the user.
Now OKTA will return a session token, which you can encrypt in AEM using the crypto support and then store in a cookie.
Post successful login, every time the user makes any request you can check whether the session token is valid or not, and if it's valid, then allow access to the page; else redirect back to the login page or an error page based on the business requirement.
If the user tries to tamper with the cookie value, this will also ensure the user does not get the content and will redirect them back to the login or error page. You can also implement idle-time handling where, if the user is inactive for a certain period of time, you can log the user out after showing some kind of warning message such as "you will be logged out in 10 sec due to inactivity".
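As an added example (not code from the answer above, nor from Adobe or OKTA), here is one way to wire the described flow into an AEM Sling request filter using Granite's CryptoSupport: the login servlet stores the OKTA session token encrypted in a cookie, and the filter decrypts it on every request, rejects tampered or idle sessions, re-checks the token with OKTA, and marks the response uncacheable. The package, class and cookie names, the protected path pattern, the login path, the 15-minute idle limit and the OktaSessionValidator service that wraps the OKTA API call are all assumptions.

```java
package com.example.auth; // hypothetical package

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.crypto.CryptoSupport;

@Component(service = Filter.class, property = {
        "sling.filter.scope=request",
        "sling.filter.pattern=/content/mysite/secure/.*", // assumed protected subtree
        "service.ranking:Integer=100"
})
public class OktaSessionFilter implements Filter {

    static final String COOKIE_NAME = "okta-session";              // assumed
    static final String LOGIN_PATH = "/content/mysite/login.html";  // assumed
    static final long IDLE_TIMEOUT_MS = 15L * 60 * 1000;            // assumed: 15 minutes

    /** Hypothetical service that calls the OKTA API and reports whether the token is still valid. */
    public interface OktaSessionValidator {
        boolean isValid(String sessionToken);
    }

    @Reference
    private CryptoSupport cryptoSupport;

    @Reference
    private OktaSessionValidator oktaValidator;

    /**
     * Called by the login servlet (not shown) once OKTA has returned a session token.
     * Cookie value = CryptoSupport.protect(token + "|" + lastActivityMillis), so the
     * token and the activity timestamp are both covered by AEM's encryption.
     */
    public static void issueCookie(SlingHttpServletResponse response, CryptoSupport crypto,
                                   String sessionToken) throws CryptoException {
        Cookie cookie = new Cookie(COOKIE_NAME, crypto.protect(sessionToken + "|" + System.currentTimeMillis()));
        cookie.setHttpOnly(true);   // not readable by page scripts
        cookie.setSecure(true);     // only sent over HTTPS
        cookie.setPath("/");
        response.addCookie(cookie);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        SlingHttpServletRequest request = (SlingHttpServletRequest) req;
        SlingHttpServletResponse response = (SlingHttpServletResponse) res;

        // A tampered cookie fails to decrypt, so it is handled exactly like a missing one.
        String payload = null;
        Cookie cookie = request.getCookie(COOKIE_NAME);
        if (cookie != null) {
            try {
                payload = cryptoSupport.unprotect(cookie.getValue());
            } catch (CryptoException e) {
                payload = null;
            }
        }

        String token = null;
        long lastActivity = 0;
        int sep = payload == null ? -1 : payload.lastIndexOf('|');
        if (sep > 0) {
            try {
                lastActivity = Long.parseLong(payload.substring(sep + 1));
                token = payload.substring(0, sep);
            } catch (NumberFormatException e) {
                token = null; // malformed timestamp: treat as unauthenticated
            }
        }

        boolean idle = System.currentTimeMillis() - lastActivity > IDLE_TIMEOUT_MS;
        if (token == null || idle || !oktaValidator.isValid(token)) {
            expireCookie(response);
            response.sendRedirect(LOGIN_PATH); // or an error page, per business requirement
            return;
        }

        // Valid session: re-issue the cookie so the idle window slides with each request.
        try {
            issueCookie(response, cryptoSupport, token);
        } catch (CryptoException e) {
            throw new ServletException("could not re-issue session cookie", e);
        }
        // Personalised content must not be cached by the dispatcher or a CDN.
        response.setHeader("Cache-Control", "private, no-store");
        chain.doFilter(request, response);
    }

    private static void expireCookie(SlingHttpServletResponse response) {
        Cookie cookie = new Cookie(COOKIE_NAME, "");
        cookie.setPath("/");
        cookie.setMaxAge(0);
        response.addCookie(cookie);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

The "you will be logged out in 10 sec" warning is client-side JavaScript and is not part of this block; the server-side idle check above is what actually ends the session when the timer runs out. Two things to verify before relying on this: CryptoSupport keys are generated per AEM instance, so the cookie can only be decrypted on instances that share the key used at login (copy the key between publish instances, or the filter will redirect users to login on every other node), and the `Cache-Control: private, no-store` header is only effective if your dispatcher and CDN honour it for that path, so check the dispatcher cache rules for the secure subtree as well.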