I started with the documented instructions to set up Keycloak, but since I don’t have a Keycloak server, the keycloak-httpd-client-install failed. However, this got me the initial /etc/httpd/conf.d/foreman-openidc_oidc_keycloak_ssl-realm.conf. I then massaged the configuration from there to get where I am now.
One of the main influences on my current configuration is how Anthony_Chevalet got it working with auth0, here: Getting "SSO failed" after successfully logging into Keycloak - #31 by Anthony_Chevalet
I have tested it with each of the following three directives individually and in different combinations, without success.
OIDCRemoteUserClaim email
OIDCOAuthRemoteUserClaim email
RequestHeader set REMOTE_USER %{OIDC_CLAIM_email}e
This is from the auth_openidc debug logs:
[Tue Aug 23 13:36:13.681073 2022] [auth_openidc:debug] [pid 310166] src/mod_auth_openidc.c(1751): [client 10.1.250.187:53058] oidc_set_request_user: set remote_user to "jwinder@wcbradley.com" based on claim: "email"
...
[Tue Aug 23 13:36:13.735446 2022] [auth_openidc:debug] [pid 310166] src/mod_auth_openidc.c(1489): [client 10.1.250.187:53058] oidc_handle_existing_session: set remote_user to "jwinder@wcbradley.com"
...
I am not sure what else out of the httpd logs would be helpful. If desired, I could capture an entire authentication session and attempt to scrub the log of private details.