I have a couple customers who use Keycloak to handle SSO integration with my product. Almost every single time we do the configuration on a screenshare it is painful. The gist is they all seem to have different setups with various configurations and ask me how to fix it, but what works for someone doesn't work for someone else. Most of the time when things don't work, they start clicking things everywhere and that either makes it worse or in some cases makes it work. As a vendor, I would love to have a way to give them a configuration that just works on both SAML and OIDC.
None of this is very specific, but also matches my experience pretty closely.
Also, if you have Keycloak running behind Apache as a reverse proxy, I've had requests between those two randomly drop. I needed to change some obscure setting in the Apache config in regards to connection pooling/keep-alive or something along those lines, mentioned it in a past comment of mine. That was annoying, in addition to having to configure Keycloak in the first place.