Problem:
If you run
# univention-keycloak saml/sp get
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 162, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw)
  File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 57, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -2] Name or service not known
or you see
Original Error: {'desc': 'Invalid credentials', 'info': 'SASL(-13): authentication failure: SAML assertion issuer https://auth.schein.me/realms/ucs is unknown'}
or
univention-management-console-server[1484]: Unsupported binding: urn:oasis:names:tc:SAML:2.0:bindings:SOAP (https://auth.schein.me/realms/ucs)
or
keycloak.exceptions.KeycloakConnectionError: Can't connect to server (HTTPSConnectionPool(host='ucs-sso-ng.schein.me', port=443): Max retries exceeded with url: /realms/master/protocol/openid-connect/token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f17a9889c88>: Failed to establish a new connection: [Errno -2] Name or service not known')))
Solution:
You may have changed the FQDN of Keycloak. If you see any of the errors above, you may not have set
ucr set keycloak/server/sso/fqdn=auth.schein.me
on all your servers.
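
To verify this on each server, the following script is an added example (not part of the original article): it compares the local keycloak/server/sso/fqdn value with the host named in the SAML issuer from the error message and checks that the name resolves. The function names url_host and compare_fqdn are assumptions made for this example; pass the issuer URL (here https://auth.schein.me/realms/ucs) as the first argument.

```shell
#!/bin/sh
# Added example: run on every UCS server, e.g.
#   sh check-sso-fqdn.sh https://auth.schein.me/realms/ucs
# (the script name is hypothetical)

# Print the host part of a URL: strips scheme, path and port.
url_host() {
    local rest="${1#*://}"
    rest="${rest%%/*}"
    printf '%s\n' "${rest%%:*}"
}

# Lowercase helper, host names are case-insensitive.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Compare the configured FQDN with the expected one.
# Returns 0 on match, 1 on mismatch, 2 if nothing is configured.
compare_fqdn() {
    local configured="$1" expected="$2"
    if [ -z "$configured" ]; then
        echo "UNSET: keycloak/server/sso/fqdn is not set on this server"
        return 2
    fi
    if [ "$(lc "$configured")" != "$(lc "$expected")" ]; then
        echo "MISMATCH: configured '$configured', expected '$expected'"
        return 1
    fi
    echo "OK: keycloak/server/sso/fqdn=$configured"
    return 0
}

# Only runs on a UCS system (ucr present) when an issuer URL is given.
if command -v ucr >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    want=$(url_host "$1")
    rc=0
    compare_fqdn "$(ucr get keycloak/server/sso/fqdn)" "$want" || rc=$?
    # "Name or service not known" in the errors above is a DNS failure.
    if ! getent hosts "$want" >/dev/null; then
        echo "DNS: $want does not resolve on $(hostname -f)"
        rc=1
    fi
    exit "$rc"
fi
```

A non-zero exit status on any server means that server still needs the ucr set command shown above or a DNS entry for the new name.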