SAML Authentication with Keycloak

Hi there! Welcome to the forum.

My answers, top to bottom:

  • As long as the/a product supports SAML, it should work with CheckMK.
  • I do not have experience with Keycloak itself; however, I think (after looking at an example for Mattermost) you want to have Id as the user ID attribute.
  • I would not say error in config, rather that Keycloak does not offer the correct attributes required in the assertion.
    → Making a successful SAML configuration is a mutual agreement between what the IdP offers as attributes and what the application requires.

Hope this will point you in the correct direction.
I myself use NetIQ AccessManager as IdP.
If I get the time I will set up a Keycloak server; however, I do not have CMK-ee, so I cannot fully test (I run raw, and have written a SAML discussion with that version, which should be here in the forum 🙂).
→ Do be aware that this thread was prior to the point where CMK implemented SAML in the CEE edition.

  • Glowsome
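
The point above about the IdP and the application having to agree on attributes can be checked against a decoded assertion. The following is an added example, not part of the original post and not Checkmk or Keycloak code: the assertion is constructed sample data and the `REQUIRED` mapping is a hypothetical application-side configuration.

```python
import xml.etree.ElementTree as ET  # sample is trusted inline data; use defusedxml for real IdP input

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: attribute statement as an IdP might send it (not captured traffic).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Id">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role"/>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical application-side mapping: setting -> attribute name it expects.
REQUIRED = {"user_id": "Id", "email": "mail", "roles": "Role"}

def offered_attributes(assertion_xml):
    """Return {attribute name: [non-empty values]} for every Attribute offered."""
    root = ET.fromstring(assertion_xml)
    offered = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        offered.setdefault(attr.get("Name"), []).extend(values)
    return offered

def compare(assertion_xml, required):
    """Map each required setting to 'ok', 'empty' or 'missing'."""
    offered = offered_attributes(assertion_xml)
    result = {}
    for setting, attr_name in required.items():
        if attr_name not in offered:      # names are matched case-sensitively
            result[setting] = "missing"
        elif not offered[attr_name]:      # attribute present but carries no value
            result[setting] = "empty"
        else:
            result[setting] = "ok"
    return result

if __name__ == "__main__":
    for setting, status in compare(SAMPLE_ASSERTION, REQUIRED).items():
        print(f"{setting:8} expects {REQUIRED[setting]!r}: {status}")
```

Here the IdP offers `email` while the application asks for `mail`, so login would fail on the attribute mapping even though both sides are otherwise configured correctly.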