I am having trouble using Keycloak as the external provider to our
WebSphere application. I received the following response from IBM support:
I discussed the issue with our SAML SSO SME. He found that the SAML token,
besides X509Certificate, also contains RSAKeyValue (<dsig:RSAKeyValue>).
This document states:
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websp...

RSAKeyValue is supported for the KeyInfo element in a Signature. However,
the X.509 certificate is not available when using RSAKeyValue. When the
X.509 certificate is not available to the runtime, the signer of the SAML
Assertion cannot be checked against a truststore. If you want to receive
SAML Assertions that use RSAKeyValue you cannot configure the runtime to
use a truststore.

Can you configure the IdP so that it only sends the X509 certificate, not the RSAKey?
Is it possible to remove the RSAKeyValue from the SAML token and still send
just the certificate?
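Added illustration, not part of the post above and not code from Keycloak or WebSphere: a stdlib-only Python check that parses an assertion, reports whether its dsig:KeyInfo carries an X509Certificate, an RSAKeyValue, or both, and shows that the KeyValue can be dropped from KeyInfo without touching SignedInfo or SignatureValue. The assertion, issuer URL, digest, signature, certificate and modulus values are constructed placeholders; nothing here verifies a real signature, and it does not answer the Keycloak configuration question itself.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

# Keep the "dsig" prefix on output so the result looks like the token IBM support quoted.
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("dsig", DSIG_NS)

# Constructed sample assertion (hypothetical issuer; placeholder digest, signature,
# certificate and key values). It has the KeyInfo shape described in the post:
# an X509Certificate and a dsig:RSAKeyValue side by side.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/auth/realms/demo</saml:Issuer>
  <dsig:Signature xmlns:dsig="{DSIG_NS}">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <dsig:Reference URI="#_a1">
        <dsig:Transforms>
          <dsig:Transform Algorithm="{ENVELOPED}"/>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <dsig:DigestValue>PLACEHOLDER_DIGEST</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>PLACEHOLDER_SIGNATURE</dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:X509Data>
        <dsig:X509Certificate>MIIC_PLACEHOLDER_CERT</dsig:X509Certificate>
      </dsig:X509Data>
      <dsig:KeyValue>
        <dsig:RSAKeyValue>
          <dsig:Modulus>PLACEHOLDER_MODULUS</dsig:Modulus>
          <dsig:Exponent>AQAB</dsig:Exponent>
        </dsig:RSAKeyValue>
      </dsig:KeyValue>
    </dsig:KeyInfo>
  </dsig:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>
"""


def _q(local):
    """Clark-notation tag name for an XML-DSig element."""
    return "{%s}%s" % (DSIG_NS, local)


def inspect_key_info(xml_text):
    """Report what the assertion's Signature/KeyInfo carries and whether it is signed."""
    root = ET.fromstring(xml_text)
    sig = root.find(".//" + _q("Signature"))
    if sig is None:
        raise ValueError("assertion carries no dsig:Signature")
    key_info = sig.find(_q("KeyInfo"))
    has_cert = key_info is not None and key_info.find(
        _q("X509Data") + "/" + _q("X509Certificate")) is not None
    has_rsa = key_info is not None and key_info.find(".//" + _q("RSAKeyValue")) is not None
    transforms = {t.get("Algorithm") for t in sig.iter(_q("Transform"))}
    return {
        "x509_certificate": has_cert,
        "rsa_key_value": has_rsa,
        # With the enveloped-signature transform the whole dsig:Signature element,
        # KeyInfo included, is removed from the digested content, so the embedded key
        # material is not itself signed; trust has to come from a truststore match.
        "key_info_unsigned": ENVELOPED in transforms,
    }


def strip_rsa_key_value(xml_text):
    """Return the assertion with dsig:KeyValue (and its RSAKeyValue) removed from KeyInfo.

    Only KeyInfo is edited; SignedInfo and SignatureValue are untouched, so the
    signature over SignedInfo is unaffected when the enveloped transform is used.
    """
    root = ET.fromstring(xml_text)
    for key_info in root.iter(_q("KeyInfo")):
        for key_value in list(key_info.findall(_q("KeyValue"))):
            key_info.remove(key_value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(inspect_key_info(SAMPLE_ASSERTION))
    print(inspect_key_info(strip_rsa_key_value(SAMPLE_ASSERTION)))
```

The point of `key_info_unsigned` is the security reason behind IBM's note: an unsigned KeyInfo is just a hint about which key to use, so a relying party that verifies against an embedded RSAKeyValue has no basis for trusting the signer, whereas an embedded certificate can be matched against a truststore. If you do rewrite tokens on the wire, use a canonicalization-aware XML library rather than ElementTree for the real thing, since re-serialization that changes the assertion's canonical form would break the digest.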