Keycloak & 92univention-management-console-web-server.inst

Just to give some feedback on what might also happen when installing the new Keycloak app.

Preface:
The Replica Node this is about was offline for an extended time (no network connection). After the Keycloak app was installed on the PDN, the RDN got its network access back. And here the fun starts… :wink:
Other Replicas that didn’t happen to be offline didn’t have this issue, so it might be related to being offline.

The Problem
When doing some software updates on this node after it had been offline, I discovered that this Replica wasn’t yet configured to use the Keycloak app as IDP. So I set the idp-server variable and everything looked good, until I was notified in UMC that some join scripts needed to be re-run. So I did that too. But in the end 92univention-management-console-web-server.inst failed and wasn’t able to pull the metadata from the IDP.

Furthermore, idp-server was not showing the value I had configured before. Instead it was using the setting from simplesamlphp again. So I redid the step and re-ran the join script, and faced the same issue again and again…

Here is some output:

root@ucs-dn2:~# ucr set umc/saml/idp-server="https://ucs-sso-ng.$(hostname -d)/realms/ucs/protocol/saml/descriptor"
Setting umc/saml/idp-server
Module: setup_saml_sp
Try to download idp metadata (1/60)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3350  100  3350    0     0   112k      0 --:--:-- --:--:-- --:--:--  112k
Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
root@ucs-dn2:~# univention-run-join-scripts --run-scripts 92univention-management-console-web-server.inst --force
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2023 Univention GmbH, Germany

Enter Primary Directory Node Account : Administrator
Enter Primary Directory Node Password:

Search LDAP binddn:                                        done
Running pre-joinscripts hook(s):                           done
Running 92univention-management-console-web-server.inst    failed (exitcode: 3)
Running post-joinscripts hook(s):                          done

And some log output from join.log:

Try to download idp metadata (59/60)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (22) The requested URL returned error: 404 Not Found
Try to download idp metadata (60/60)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (22) The requested URL returned error: 404 Not Found
Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
Could not download IDP metadata for https://sso.$DOMAIN.net/simplesamlphp/saml2/idp/metadata.php

So it seemed to be some sort of dead end:

10 do "setting idp-server variable"
20 do "run join script"
30 goto 10

When looking at the join script in /usr/lib/univention-install/92univention-management-console-web-server.inst I spotted these lines:

    104 _cleanup_die () {
    105         ucr unset umc/saml/idp-server; exit 3
    106 }
    107 if ! is_ucr_false 'umc/web/sso/enabled'; then
    108         rm /usr/share/univention-management-console/saml/idp/*.xml
    109         ucr set umc/saml/idp-server="https://${ucs_server_sso_fqdn}/simplesamlphp/saml2/idp/metadata.php" || _cleanup_die
    110         # Execute UCR module to download metadata if umc/saml/idp-server has been set via LDAP layer (e.g. for keycloak)
    111         [ "$(ls -A /usr/share/univention-management-console/saml/idp/*.xml)" ] || python3 /etc/univention/templates/modules/setup_saml_sp.py
    112         [ "$(ls -A /usr/share/univention-management-console/saml/idp/*.xml)" ] || _cleanup_die
    113
    114 fi

Ok, umc/web/sso/enabled was set to true, so the script removed the XML files, tried to set the idp-server variable and failed for whatever reason, and therefore called _cleanup_die and unset the UCRV.

Hmm… :face_with_monocle:

Ok, so in order to see if that was the failing part of the script, I commented out line 109 and called the join script again, and now it ran successfully.

Maybe I triggered a corner case by having that Replica offline for a longer time and ran into some weird kind of bug in the script, maybe not.

Ingo

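The loop described in the post, as an added stand-alone illustration that is not code from the post or from Univention: a POSIX sh stand-in for the flow quoted from lines 108-112 of the join script, run against a fake ucr store and a fake metadata download so it works offline. The guarded variant is my own suggestion of what commenting out line 109 achieves by hand (only fall back to the simplesamlphp URL when idp-server is unset or already points there), not the project's fix. The SSO and Keycloak host names, the temporary idp directory and UCR file, and the 404 behaviour of the simplesamlphp endpoint are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added illustration, not code from the post or from Univention. Everything it
# touches is a stand-in: a temp dir for the idp metadata directory, a temp file
# for the UCR database, and a fake download that only "knows" the Keycloak URL.

SSO_FQDN="${SSO_FQDN:-ucs-sso.example.net}"                                   # assumed, like ${ucs_server_sso_fqdn}
SSP_URL="https://${SSO_FQDN}/simplesamlphp/saml2/idp/metadata.php"            # the URL that line 109 sets
KC_URL="https://ucs-sso-ng.example.net/realms/ucs/protocol/saml/descriptor"   # assumed Keycloak descriptor URL
IDP_DIR="$(mktemp -d)"   # stands in for /usr/share/univention-management-console/saml/idp
UCR_FILE="$(mktemp)"     # stands in for the UCR database, one key=value per line
trap 'rm -rf "$IDP_DIR" "$UCR_FILE" "$UCR_FILE.tmp"' EXIT

# --- fake ucr -------------------------------------------------------------
ucr_get()   { grep "^$1=" "$UCR_FILE" | cut -d= -f2-; }
ucr_unset() { grep -v "^$1=" "$UCR_FILE" > "$UCR_FILE.tmp" || :; mv "$UCR_FILE.tmp" "$UCR_FILE"; }
# Like "ucr set key=value": store the value and, for umc/saml/idp-server, run the
# stand-in for the setup_saml_sp module, which tries to download the metadata.
ucr_set() {
  key="${1%%=*}"; val="${1#*=}"
  ucr_unset "$key"
  printf '%s=%s\n' "$key" "$val" >> "$UCR_FILE"
  [ "$key" = "umc/saml/idp-server" ] && fetch_metadata "$val"
  return 0
}
# Fake download: only the Keycloak descriptor exists; the old simplesamlphp
# endpoint answers 404 (as in the join.log above), so nothing is written.
fetch_metadata() {
  case "$1" in
    "$KC_URL") printf '<EntityDescriptor/>' > "$IDP_DIR/idp.xml" ;;
    *) : ;;
  esac
}
have_metadata() { [ -n "$(ls -A "$IDP_DIR"/*.xml 2>/dev/null)" ]; }
cleanup_die()   { ucr_unset umc/saml/idp-server; return 3; }   # the script's _cleanup_die (exit 3 becomes return 3)

# --- the flow quoted from lines 108-112 -----------------------------------
original_flow() {
  rm -f "$IDP_DIR"/*.xml
  ucr_set "umc/saml/idp-server=$SSP_URL" || { cleanup_die; return $?; }
  have_metadata || fetch_metadata "$(ucr_get umc/saml/idp-server)"
  have_metadata || { cleanup_die; return $?; }
  return 0
}

# --- guarded variant (my suggestion, not the project's fix): keep an idp-server
# value that is already set to something other than the simplesamlphp default.
guarded_flow() {
  rm -f "$IDP_DIR"/*.xml
  current="$(ucr_get umc/saml/idp-server)"
  if [ -z "$current" ] || [ "$current" = "$SSP_URL" ]; then
    ucr_set "umc/saml/idp-server=$SSP_URL" || { cleanup_die; return $?; }
  fi
  have_metadata || fetch_metadata "$(ucr_get umc/saml/idp-server)"
  have_metadata || { cleanup_die; return $?; }
  return 0
}

# --- reproduce the post's loop: set the Keycloak URL, then run a flow ------
run_flow() {   # $1 = flow function; prints the outcome and returns the flow's exit code
  ucr_set "umc/saml/idp-server=$KC_URL"
  "$1"; rc=$?
  printf '%s: exit=%s idp-server="%s"\n' "$1" "$rc" "$(ucr_get umc/saml/idp-server)"
  return $rc
}
run_flow original_flow   # exit=3, idp-server is empty again (the UCRV was unset)
run_flow guarded_flow    # exit=0, idp-server still holds the Keycloak URL
```

Running the script shows both outcomes back to back: the quoted flow overwrites the freshly set Keycloak URL with the simplesamlphp one, the download of that URL yields no XML, and _cleanup_die unsets the variable, which is exactly the state that sends you back to step 10 of the post's "dead end". The guarded flow leaves a non-default idp-server alone and downloads from it instead.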