We also faced similar situation while planning the migration to cloud.
We have 12 micro-services, routed through API gateway (Zuul). Every micro-service is stateless (No JVM/application based sessions in our case, as JAVA is used for MS). Whenever the request passes through the API Gateway an application wide custom session is created and the data is stored in an external Redis Data store, and the required micro-service first verifies the data for the request in Redis and then serves the data.
Now, at API Gateway we have implemented Authentication filters (Pre Request & Post Request filters - JWT implementation also relies on same), where we are managing the authentication and validity of users. (JWT, SAML, or any kind of mechanism you can use. )
End User ----> API Gateway (Zuul Server with Pre & Post request filters) ---- Session Data in Redis Data Store -----> Micro-service Hit.
Our micro-service only contain code to access and verify session data while session management is done at API Gateway itself. .
If you can provide the language, framework used and deployment infrastructure planned. So, actual things can be figured out.