From looking at the OpenShift and Keycloak material, it sounds like what's missing is something like an adapter for Keycloak, similar to their LDAP adapter, for the desired mapping.