I'm fine with system property. Can be set externally, which is good. I guess that other option would be to pass system property pointing to Keycloak configuration that UPS will load, so user can change more.

The latter approach would allow UPS to connect to externally launched keycloak instance, hence it's more flexible future wise and more error prone. That said, change of initial KC configuration requires deeper knowledge of the system and should be done only by experienced users .