Spring Security RelyingPartyRegistrations Fails to Read Keycloak Metadata

When loading metadata from a Keycloak endpoint, the application fails with a ClassCastException:

java.lang.ClassCastException: org.opensaml.saml.saml2.metadata.impl.EntitiesDescriptorImpl cannot be cast to org.opensaml.saml.saml2.metadata.EntityDescriptor

This is because it incorrectly assumes that the root element will always be EntityDescriptor. In Keycloak's case, the EntityDescriptor is surrounded with an EntitiesDescriptor element.