
Cheers for keycloak, title pun intended :)

We use it for Solvent (https://codesolvent.com) login to product instances and it works excellently.



How have you guys solved "from scratch" configuration for keycloak? I've worked with it a bit over the years and I've never found a way to get it into a state I want programmatically without hacky bash scripts and modifying the json templates.


Maybe we got lucky with the configuration but we use the approach documented for the keycloak-saml-adapter with Jetty as the app server.

There is still a lot of work done to ensure keys are generated in the proper locations and that necessary product id values (corresponds to SAML SP entityID) are generated.

In short, it is not a simple plug-n-play, lots of hacking to get the result we needed but the adapter itself does what it needs to do.


Believe it or not, but we do FROM jboss/keycloak:9.0.0, add a theme jar, throw it on k8s with 2 pods and a postgres behind it and that's it.

Our clients are mostly SAML SaaS software and our own implementation of gatekeeper (which is also a kubernetes ingress) with short lifetime OIDC ID tokens, long lifetime refresh tokens and seamless background refreshing.



