Not sure if new users will run into this, as the beginning is pretty clear about the assumption that Keycloak answers on the xxx-idp.xxx domain and OOD is on the xxx-ood.xxx domain. I was blowing through this deployment like I did for v1.6 (previously the most recent version I have deployed) and didn’t notice that change. I take the onus on this one for being lazy and not reading the change logs (good thing I don’t run Arch).
While I agree the proper way to deploy Keycloak with OOD is to have 2 hosts, or at least separate domains, you may want to add in a section about how to do it the old way, with Keycloak on 8443 and OOD on 443 on the same host. FWIW, I am still deploying this way, as I have yet to spin up a central Keycloak that can authenticate to multiple OODs.
Unrelated to this, but in the upcoming Keycloak 13.x.x release there is going to be a method for making an authentication flow that does read-only LDAP but will not make a local Keycloak user if the user does not exist in LDAP. The workaround in the old days was to just make a user in Keycloak, which would then fail when sent back to OOD. This would sometimes result in users having clashes in Keycloak if they tried signing in to OOD before I made their account, and would require me to go and manually remove the auto-created one in Keycloak after making their cluster account so they could then log into OOD successfully. I can write up a post if you think others might need this. God knows I have banged my head on Keycloak enough at this point…
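For readers wanting the single-host layout the post above asks about (Keycloak on port 8443, OOD on port 443, same hostname), the following `ood_portal.yml` fragment is an added example; it is not from the original post, the OOD project, or the linked documentation. The hostname, realm name, client id, client secret and certificate paths are placeholders, and it assumes the OIDC keys that `ood_portal.yml` accepts in OOD 2.0 and later together with the `/auth` URL prefix used by Keycloak releases of that era (13.x and earlier).

```yaml
# Added example (not from the post): ood_portal.yml for OOD on :443 and
# Keycloak on :8443 of the same host. All names below are placeholders.
servername: ood.example.org
port: 443
ssl:
  - 'SSLCertificateFile "/etc/pki/tls/certs/ood.example.org.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/ood.example.org.key"'

# mod_auth_openidc settings. The discovery URL points at the Keycloak
# listener on 8443 on the same box; "ondemand" is an assumed realm name.
oidc_uri: "/oidc"
oidc_provider_metadata_url: "https://ood.example.org:8443/auth/realms/ondemand/.well-known/openid-configuration"
oidc_client_id: "ondemand.ood.example.org"
oidc_client_secret: "REPLACE-WITH-CLIENT-SECRET"   # confidential client; keep this file root-readable only
oidc_remote_user_claim: "preferred_username"       # must match the cluster username that OOD expects
oidc_scope: "openid profile email"
oidc_session_inactivity_timeout: 28800
oidc_session_max_duration: 28800
oidc_state_max_number_of_cookies: "10 true"
oidc_settings:
  OIDCPassIDTokenAs: "serialized"
  OIDCPassRefreshToken: "On"
  OIDCPassClaimsAs: "environment"
```

After editing, regenerate the Apache config with `/opt/ood/ood-portal-generator/sbin/update_ood_portal` and restart httpd. Keycloak's standalone distribution already binds HTTPS to 8443 by default, which is why this layout needs no port changes on the Keycloak side. Two checks worth making on a shared host: both listeners should present certificates valid for the same hostname (the OOD side validates the discovery URL over TLS), and the Keycloak client should be registered as confidential with its redirect URI restricted to `https://ood.example.org/oidc` rather than a wildcard.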