Yes, "Transparent Kerberos Authentication, and also the SSO feature of the LDAP account unit which requires a SPN to be configured in the AD" are exactly the things you have to look at.
We have been using it that way and it has worked like a charm for many years now.
Unfortunately, it is Windows only, because Identity Agent for MacOS has no Kerberos support and Check Point does not provide an Identity Agent for Linux at all.
If Windows-only is a problem for you: We are currently developing our own Identity Agent for Linux with Kerberos support, letting it connect to our own Identity Server for all the session handling, which then updates Check Point's Gateway (pdpd) using its official Identity Web API. Maybe we should even port it to MacOS, because of the missing Kerberos support in the original client.