Aug 16, 2022
Honestly I don't know if it's possible with Keycloak.
It's possible to have two Keycloaks: the one in the cloud could be an identity provider (the same way as you could add Google, Facebook, etc. as one), and you could use the ones on the edge as brokers. In such a setup, all backends should communicate with their brokers on the edge, and the brokers will communicate with the identity provider in the cloud. I'm not sure, however, if it's possible to have an offline identity provider. Maybe it's possible, since brokers are caching some user data, but I've never tested it.