  1. JBoss Enterprise Application Platform
  2. JBEAP-24521

Update getRealmIdentity so that it attempts to convert the given Principal to NamePrincipal if necessary


    • Bug
    • Resolution: Done
    • Blocker
    • 8.0.0.GA-CR1, 8.0.0.GA
    • None
    • Security
    • None

      The RH-SSO OIDC adapter makes use of the KeycloakSecurityRealm once an identity has been successfully established using OIDC. This security realm uses a KeycloakPrincipal to represent a realm identity principal.

      Elytron's security realm implementations require a realm identity principal to be a NamePrincipal (as shown in a realm here). When trying to outflow an identity from the KeycloakDomain to an Elytron security domain, we run into a problem because the principal that we're trying to outflow is a KeycloakPrincipal instead of a NamePrincipal. Thus, the outflow step fails since the target realm's getRealmIdentity method will just return a NON_EXISTENT identity. 

      The getRealmIdentity method in Elytron security realm implementations should be updated so that if the given Principal isn't an instance of NamePrincipal, we try to convert it to a NamePrincipal if possible.

              fjuma1@redhat.com Farah Juma
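The lookup behaviour described in this issue, before and after the requested change, as an added Java example that is not Elytron's code and not taken from the issue. The nested `NamePrincipal` and `AdapterPrincipal` records are stand-ins for Elytron's `NamePrincipal` and an adapter principal such as `KeycloakPrincipal`, and converting by reusing `getName()` is an assumption, since the issue does not say how the conversion is done.

```java
import java.security.Principal;
import java.util.Optional;
import java.util.Set;

public class RealmIdentityLookupDemo {
    // Stand-in for Elytron's NamePrincipal (hypothetical, not the real class).
    record NamePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    // Stand-in for an adapter-specific principal such as KeycloakPrincipal.
    record AdapterPrincipal(String subject) implements Principal {
        public String getName() { return subject; }
    }

    static final String NON_EXISTENT = "NON_EXISTENT";
    static final Set<String> USERS = Set.of("alice"); // constructed sample realm content

    // Behaviour described in the issue: anything that is not a NamePrincipal is not found.
    static String strictLookup(Principal p) {
        if (!(p instanceof NamePrincipal)) return NON_EXISTENT;
        return find(p.getName());
    }

    // Requested behaviour: try to convert first, then do the normal lookup.
    static String convertingLookup(Principal p) {
        return toNamePrincipal(p).map(np -> find(np.getName())).orElse(NON_EXISTENT);
    }

    // Assumed conversion rule: reuse the principal's name; no usable name means no conversion.
    static Optional<NamePrincipal> toNamePrincipal(Principal p) {
        if (p instanceof NamePrincipal np) return Optional.of(np);
        if (p == null || p.getName() == null || p.getName().isEmpty()) return Optional.empty();
        return Optional.of(new NamePrincipal(p.getName()));
    }

    // Converting the principal type never creates an identity the realm does not hold.
    static String find(String name) {
        return name != null && USERS.contains(name) ? "identity:" + name : NON_EXISTENT;
    }

    public static void main(String[] args) {
        Principal outflowed = new AdapterPrincipal("alice");
        System.out.println("strict:       " + strictLookup(outflowed));
        System.out.println("converting:   " + convertingLookup(outflowed));
        System.out.println("no name:      " + convertingLookup(new AdapterPrincipal(null)));
        System.out.println("unknown user: " + convertingLookup(new AdapterPrincipal("mallory")));
    }
}
```

With conversion in place, the target realm treats the name carried by the outflowed principal as its lookup key, so the mapping between names in the two domains is what decides which identity is resolved.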