- Bug
- Resolution: Done
- Minor
- RH-SSO-7.5.1
The following WARNING message is displayed in the RH SSO logs:
WARN [org.keycloak.saml.common] (default task-20) XML External Entity switches are not supported. You may get XML injection vulnerabilities.
However, Red Hat Support analyzed the issue and found the following:

Because the xalan 2.7.1 implementation does not support XMLConstants.ACCESS_EXTERNAL_DTD, the warning message is caused by an exception at:

rh-sso-7.5.2.GA-src/org.keycloak-keycloak-parent-15.x/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java, line 119:
    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");

So, the transformer is vulnerable to an external DTD attack.

However, DTD input is DISABLED. Hence, DTD cannot be a threat in the SAML adapter:

rh-sso-7.5.2.GA-src/org.keycloak-keycloak-parent-15.x/saml-core/src/main/java/org/keycloak/saml/common/util/StaxParserUtil.java, line 922:
    xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
Another analysis we performed back in 2020 stated the same:
First, javax.xml.transform.TransformerFactory sets three attributes in order to avoid XEE (XML External Entity) attacks:
- XMLConstants.FEATURE_SECURE_PROCESSING
- XMLConstants.ACCESS_EXTERNAL_DTD
- XMLConstants.ACCESS_EXTERNAL_STYLESHEET
RH-SSO on EAP uses the org.apache.xalan.processor.TransformerFactoryImpl class. This class does not support ACCESS_EXTERNAL_DTD or ACCESS_EXTERNAL_STYLESHEET.
An IllegalArgumentException therefore occurs, and this warning message appears.
Hence, would it be possible to remove this message in order to not cause any confusion for the customers?
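The following is an added example, not code from the ticket or from Keycloak/RH-SSO, that shows the two defensive layers the analysis above relies on: applying each TransformerFactory hardening attribute separately (so that an implementation such as xalan 2.7.1 that rejects ACCESS_EXTERNAL_DTD still gets FEATURE_SECURE_PROCESSING, and the log names the rejected attribute instead of a generic warning), and a StAX XMLInputFactory with SUPPORT_DTD disabled, as at StaxParserUtil line 922, fed a constructed DOCTYPE-bearing document. The class name, the helper names and the sample payload are assumptions made for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

// Hypothetical demo class; not part of RH-SSO/Keycloak.
public class XxeHardeningDemo {

    // Applies the three settings the ticket lists, one at a time. A factory that
    // does not know an attribute throws IllegalArgumentException for that one
    // attribute only; the others are still applied, and the caller learns
    // exactly which setting the implementation lacks.
    public static List<String> hardenTransformerFactory(TransformerFactory tf) {
        List<String> unsupported = new ArrayList<>();
        try {
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (TransformerConfigurationException e) {
            unsupported.add(XMLConstants.FEATURE_SECURE_PROCESSING);
        }
        String[] accessAttrs = {
            XMLConstants.ACCESS_EXTERNAL_DTD,
            XMLConstants.ACCESS_EXTERNAL_STYLESHEET
        };
        for (String attr : accessAttrs) {
            try {
                tf.setAttribute(attr, ""); // empty string = no external protocol allowed
            } catch (IllegalArgumentException e) {
                unsupported.add(attr);     // e.g. xalan 2.7.1 rejects both of these
            }
        }
        return unsupported;
    }

    // Mirrors the StAX side: DTD processing and external entity expansion are
    // switched off at the input factory, before any document is read.
    public static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Reads the document and returns its character content, or the parser's
    // rejection. With SUPPORT_DTD off, the StAX implementation on the classpath
    // either refuses the DOCTYPE or leaves the entity reference unresolved; in
    // neither case is the referenced file opened.
    public static String collectText(XMLInputFactory f, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            r.close();
            return "parsed, text content: [" + text + "]";
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        TransformerFactory tf = TransformerFactory.newInstance();
        List<String> rejected = hardenTransformerFactory(tf);
        System.out.println(tf.getClass().getName() + " rejected: " + rejected);

        // Constructed sample document with an internal DTD subset that declares an
        // external entity; this is the kind of input the disabled-DTD setting exists for.
        String sample = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE Response [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n"
            + "<Response><Issuer>&ext;</Issuer></Response>";
        System.out.println(collectText(hardenedInputFactory(), sample));
    }
}
```

Run against the JDK's built-in factories the first line reports an empty list, since they accept all three settings; run with xalan 2.7.1 on the classpath it reports the two ACCESS_EXTERNAL_* attributes, which is the condition that produces the warning in the ticket while the StAX layer still keeps DTDs out.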