Bug
Resolution: Unresolved
Critical
8.0.0.GA, 8.1.0.GA, 8.2.0.GA
In our documentation https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.1/html-single/using_single_sign-on_with_jboss_eap/index, when talking about the "keycloak-saml" layer, we mention that:
Use this layer for Source to Image (s2i) with automatic registration of the SAML client.
But information on how to configure "automatic registration of the SAML client" is missing.
We suggest adding the following:
The SAML Client can be automatically registered into Red Hat build of Keycloak by leveraging a capability of the "keycloak-saml" layer called "Automatic Registration of the SAML Client".
Here is how this feature works and is configured:
- prerequisite: a user is configured in Red Hat build of Keycloak, and this user must be granted the create-client "Client Role" (this can be achieved either through the admin interface or through the KeycloakRealmImport Custom Resource when using the Red Hat build of Keycloak Operator); an example with pictures for both options would be a "nice to have" here
- this user's credentials are then passed to the JBoss EAP 8.x web application by setting the *SSO_USERNAME* and *SSO_PASSWORD* env variables (see [keycloak.sh](https://github.com/wildfly/wildfly-cekit-modules/blob/main/jboss/container/wildfly/launch/keycloak/2.0/added/keycloak.sh) for the logic and [keycloak/2.0/module.yaml](https://github.com/wildfly/wildfly-cekit-modules/blob/main/jboss/container/wildfly/launch/keycloak/2.0/module.yaml) for the description of the env variables);
- when the JBoss EAP 8.x web application starts, the "keycloak-saml" layer (more precisely, the logic this layer adds to the server startup script) uses the provided credentials to register a new SAML client into Red Hat build of Keycloak.
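As an added illustration of the two prerequisites above (not part of this report or of the EAP documentation), assuming the Red Hat build of Keycloak Operator and a Kubernetes Deployment for the EAP image; the CR names, realm name, user name and image are assumptions, and the credential values are placeholders:

```yaml
apiVersion: k8s.keycloak.org/v2alpha1
kind: KeycloakRealmImport
metadata:
  name: eap-saml-realm              # assumed name
spec:
  keycloakCRName: rhbk              # assumed: name of the Keycloak CR
  realm:
    realm: eap-saml                 # assumed realm name
    enabled: true
    users:
      - username: saml-registrar    # assumed: account used only for client registration
        enabled: true
        credentials:
          - type: password
            value: CHANGE-ME        # placeholder
            temporary: false
        # create-client is a role of the built-in realm-management client; grant it alone
        clientRoles:
          realm-management:
            - create-client
---
apiVersion: v1
kind: Secret
metadata:
  name: eap-sso-credentials         # assumed name
type: Opaque
stringData:
  SSO_USERNAME: saml-registrar
  SSO_PASSWORD: CHANGE-ME           # placeholder; must match the user above
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: eap-app
spec:
  selector:
    matchLabels: {app: eap-app}
  template:
    metadata:
      labels: {app: eap-app}
    spec:
      containers:
        - name: eap-app
          image: registry.example/eap-app:latest   # placeholder image built with the keycloak-saml layer
          env:
            - name: SSO_USERNAME
              valueFrom: {secretKeyRef: {name: eap-sso-credentials, key: SSO_USERNAME}}
            - name: SSO_PASSWORD
              valueFrom: {secretKeyRef: {name: eap-sso-credentials, key: SSO_PASSWORD}}
```

The realm import only applies when the realm does not already exist; for an existing realm, create the user and grant the create-client role through the admin console instead. Sourcing the two variables from a Secret keeps the registration credentials out of the Deployment manifest.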