We have successfully set up a working version of Keycloak with Kubernetes (we are using AWS EKS) with JupyterHub using the [ingress-nginx)(https://github.com/kubernetes/ingress-nginx) as a reverse proxy. Keycloak is set up with JupyterHub as a standard OIDC client (confidential) and the JupyterHub successfully redirects to the Keycloak page that prompts the user to login. (For FYI this configuration is set up with the GenericOAuthenticator).
The Keyclaok Identity Provider has been tested with multiple third-party SAML IdP's, such as Okta and Auth0. The Keycloak broker successfully connects with the IdP and the user is prompted to add their credentials. After succussfully authenticating, however, the Keycloak service returns:
14:39:41,946 WARN [org.keycloak.events] (default task-60) type=IDENTITY_PROVIDER_RESPONSE_ERROR