When using the EAP S2I OpenShift templates with Keycloak support (for example https://github.com/jboss-container-images/jboss-eap-7-openshift-image/blob/7.2.x/templates/eap72-sso-s2i.json), it is not possible to configure the Keycloak SAML adapter correctly.
The adapter configuration template (see below) reads the client's private key and the realm certificate from a keystore, but the alias attributes of both entries are filled from the same parameter (SSO_SAML_CERTIFICATE_NAME):
<SP entityID="##KEYCLOAK_ENTITY_ID##" sslPolicy="EXTERNAL" logoutPage="##SSO_SAML_LOGOUT_PAGE##">
    <Keys>
        <Key signing="true" encryption="true">
            <KeyStore file="##SSO_SAML_KEYSTORE##" password="##SSO_SAML_KEYSTORE_PASSWORD##">
                <PrivateKey alias="##SSO_SAML_CERTIFICATE_NAME##" password="##SSO_SAML_KEYSTORE_PASSWORD##"/>
                <Certificate alias="##SSO_SAML_CERTIFICATE_NAME##"/>
            </KeyStore>
        </Key>
    </Keys>
    <IDP entityID="idp" signatureAlgorithm="RSA_SHA256" signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
        ...
    </IDP>
</SP>
Two separate parameters are needed: one for the alias of the client's private key entry and one for the alias of the realm certificate entry, since a single keystore alias identifies a single entry and cannot point at both.
The Keycloak scripts for the EAP 7.2 S2I images are versioned here: https://github.com/jboss-container-images/jboss-eap-modules/blob/7.2.x/os-eap-sso/added/keycloak-saml-sp-subsystem
For EAP 7.3 / CD / WildFly they are versioned here: https://github.com/wildfly/wildfly-cekit-modules/blob/master/jboss/container/wildfly/launch/keycloak/added/keycloak-saml-sp-subsystem
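To make the problem concrete, the following added example (not code from the EAP image repositories or from the launch scripts above) mimics the sed-based placeholder substitution on the <Keys> fragment and then checks whether the rendered PrivateKey and Certificate elements end up with different keystore aliases. The fragments, the sample keystore path and aliases are constructed for the example, and SSO_SAML_REALM_CERTIFICATE_NAME is a hypothetical name for the proposed second parameter, not a parameter the templates define today.

```shell
#!/bin/sh
# Added example: render the <KeyStore> fragment of the Keycloak SAML adapter
# template by placeholder substitution and verify that the client private key
# entry and the realm certificate entry get distinct aliases.

# Fragment as shipped today: both aliases come from SSO_SAML_CERTIFICATE_NAME.
KEYS_TEMPLATE_CURRENT='<KeyStore file="##SSO_SAML_KEYSTORE##" password="##SSO_SAML_KEYSTORE_PASSWORD##">
  <PrivateKey alias="##SSO_SAML_CERTIFICATE_NAME##" password="##SSO_SAML_KEYSTORE_PASSWORD##"/>
  <Certificate alias="##SSO_SAML_CERTIFICATE_NAME##"/>
</KeyStore>'

# Proposed fragment: the realm certificate alias comes from a separate parameter.
# SSO_SAML_REALM_CERTIFICATE_NAME is a hypothetical parameter name (assumption).
KEYS_TEMPLATE_FIXED='<KeyStore file="##SSO_SAML_KEYSTORE##" password="##SSO_SAML_KEYSTORE_PASSWORD##">
  <PrivateKey alias="##SSO_SAML_CERTIFICATE_NAME##" password="##SSO_SAML_KEYSTORE_PASSWORD##"/>
  <Certificate alias="##SSO_SAML_REALM_CERTIFICATE_NAME##"/>
</KeyStore>'

# render_keys TEMPLATE KEYSTORE PASSWORD CLIENT_ALIAS REALM_ALIAS
# Replaces the ##NAME## placeholders with sed, the way the launch scripts do.
render_keys() {
  printf '%s\n' "$1" | sed \
    -e "s|##SSO_SAML_KEYSTORE##|$2|g" \
    -e "s|##SSO_SAML_KEYSTORE_PASSWORD##|$3|g" \
    -e "s|##SSO_SAML_CERTIFICATE_NAME##|$4|g" \
    -e "s|##SSO_SAML_REALM_CERTIFICATE_NAME##|$5|g"
}

# alias_of RENDERED ELEMENT
# Prints the alias attribute of the given element (PrivateKey or Certificate).
alias_of() {
  printf '%s\n' "$1" | sed -n "s|.*<$2 [^>]*alias=\"\([^\"]*\)\".*|\1|p"
}

# aliases_distinct RENDERED
# Prints "distinct" when the two entries reference different keystore aliases,
# "same" when they collapse onto one alias (one keystore alias names one entry,
# so a private key entry and a separate certificate entry cannot share it).
aliases_distinct() {
  pk=$(alias_of "$1" PrivateKey)
  crt=$(alias_of "$1" Certificate)
  if [ -n "$pk" ] && [ -n "$crt" ] && [ "$pk" != "$crt" ]; then
    echo distinct
  else
    echo same
  fi
}

# Constructed sample values: a client key pair stored under "sp-key" and the
# realm certificate imported under "realm-cert" in the mounted keystore.
current=$(render_keys "$KEYS_TEMPLATE_CURRENT" /etc/sso-saml-secret-volume/keystore.jks changeit sp-key realm-cert)
fixed=$(render_keys "$KEYS_TEMPLATE_FIXED" /etc/sso-saml-secret-volume/keystore.jks changeit sp-key realm-cert)
echo "current template: $(aliases_distinct "$current")"
echo "fixed template:   $(aliases_distinct "$fixed")"
```

With the shipped fragment the realm alias passed in is simply never used, so both elements reference the private key alias; with the second parameter the Certificate element points at the realm certificate entry. In a real deployment the same distinction can be confirmed against the mounted keystore with keytool -list, which reports the client key pair as a PrivateKeyEntry and the imported realm certificate as a trustedCertEntry under their own aliases.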