Story
Resolution: Done
Medium
In ORG-2844 I realized that the current SAML2 response signing (https://mojo.redhat.com/docs/DOC-102622#jive_content_id_SAML2_HTTP_Redirect_Binding_handling_compatible_with_PicketLink_client) is incorrect, because it signs responses like the POST binding (in XML), not like the Redirect binding (in a query param). It worked with the PicketLink client but not with Keycloak.
We should patch the Redirect binding (provide correct URL params) or provide a correct POST binding there.
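
The Redirect-binding signature described above, as an added example that is not code from this issue, PicketLink or Keycloak: the signature covers the query-string octets `SAMLResponse=…&RelayState=…&SigAlg=…` and travels in a separate `Signature` parameter, with no `<ds:Signature>` inside the XML. The function names and the sample message are hypothetical, and `demo_sign` is an HMAC stand-in for the IdP's RSA private-key signature so that the block runs with the standard library only.

```python
import base64, hashlib, hmac, zlib
from urllib.parse import quote, unquote

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SAMPLE_XML = '<samlp:Response ID="_constructed"/>'  # constructed sample message

def deflate_b64(xml):
    # Redirect binding encoding: raw DEFLATE (no zlib header), then base64.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()

def signed_octets(param, message_b64, relay_state, sig_alg):
    # Fixed order; each value URL-encoded; RelayState left out when absent.
    parts = [f"{param}={quote(message_b64, safe='')}"]
    if relay_state is not None:
        parts.append(f"RelayState={quote(relay_state, safe='')}")
    parts.append(f"SigAlg={quote(sig_alg, safe='')}")
    return "&".join(parts)

def build_query(xml, relay_state, sign, sig_alg=RSA_SHA256, param="SAMLResponse"):
    # Sender: sign the query-string octets, not the XML document.
    octets = signed_octets(param, deflate_b64(xml), relay_state, sig_alg)
    sig = base64.b64encode(sign(octets.encode())).decode()
    return f"{octets}&Signature={quote(sig, safe='')}"

def split_for_verification(raw_query):
    # Receiver: rebuild the signed octets from the values exactly as transmitted
    # (still URL-encoded); decoding and re-encoding can change the bytes.
    raw = dict(p.split("=", 1) for p in raw_query.split("&"))
    param = "SAMLResponse" if "SAMLResponse" in raw else "SAMLRequest"
    if not {param, "SigAlg", "Signature"} <= raw.keys():
        raise ValueError("redirect message is not signed in the query string")
    octets = "&".join(f"{k}={raw[k]}" for k in (param, "RelayState", "SigAlg") if k in raw)
    signature = base64.b64decode(unquote(raw["Signature"]))
    return octets.encode(), signature, inflate_b64(unquote(raw[param]))

def demo_sign(data):
    # Stand-in signer (assumption): a real IdP signs with its RSA private key.
    return hmac.new(b"constructed-demo-key", data, hashlib.sha256).digest()

if __name__ == "__main__":
    query = build_query(SAMPLE_XML, "state/1", demo_sign)
    octets, sig, xml = split_for_verification(query)
    print(query)
    print(sig == demo_sign(octets), xml)
```

A receiver that expects this form rejects a response whose only signature is embedded in the XML, which matches the incompatibility with Keycloak reported above.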