Merge "Fix error-mask in db_sync state"
diff --git a/.kitchen.yml b/.kitchen.yml
index 29774f4..7ef9ad1 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -2,7 +2,7 @@
 driver:
   name: docker
   hostname: keystone.ci.local
-  use_sudo: true
+  use_sudo: false
 
 provisioner:
   name: salt_solo
@@ -10,7 +10,7 @@
   salt_bootstrap_url: https://bootstrap.saltstack.com
   salt_version: latest
   require_chef: false
-  log_level: info
+  log_level: error
   formula: keystone
   grains:
     noservices: False
@@ -74,6 +74,13 @@
       pillars-from-files:
         keystone.sls: tests/pillar/single.sls
 
+  - name: single_domain
+    provisioner:
+      grains:
+        noservices: True
+      pillars-from-files:
+        keystone.sls: tests/pillar/single_domain.sls
+
   - name: single_fernet
     provisioner:
       pillars-from-files:
diff --git a/.travis.yml b/.travis.yml
index acbbe42..7cf63e4 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -17,8 +17,14 @@
   - bundle install
 
 env:
-  - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5'
-  - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7'
+  - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5' SUITE=single
+  - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7' SUITE=single
+  - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5' SUITE=single_domain
+  - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7' SUITE=single_domain
+  - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5' SUITE=single_fernet
+  - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7' SUITE=single_fernet
+  - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5' SUITE=under-apache
+  - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7' SUITE=under-apache
 
 before_script:
   - set -o pipefail
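Review bot: The eight new matrix entries pull `trevorj/salty-whales:trusty` and `:xenial` by mutable tag from a third-party Docker Hub namespace, so the CI base image can change underneath the job without any change in this repository. Pinning by digest (`PLATFORM=trevorj/salty-whales@sha256:…`) or mirroring the image into a namespace the project controls would make the matrix reproducible and harder to tamper with. The `SUITE` variable introduced here is presumably consumed by the `script:` section, which lies outside the hunk.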
diff --git a/README.rst b/README.rst
index e7c8aed..bb7146f 100644
--- a/README.rst
+++ b/README.rst
@@ -86,6 +86,17 @@
             admin_address: 10.0.0.20
             admin_port: 8774
 
+Keystone with custom policies. Keys with specified rules are created or set to this value if they already exists. Keys with no value (like our "existing_rule") are deleted from the policy file.
+
+.. code-block:: yaml
+
+    keystone:
+      server:
+        enabled: true
+        policy:
+          new_rule: "rule:admin_required"
+          existing_rule:
+
 Keystone memcached storage for tokens
 
 .. code-block:: yaml
@@ -191,16 +202,17 @@
     keystone:
       server:
         domain:
-          description: "Testing domain"
-          backend: ldap
-          assignment:
-            backend: sql
-          ldap:
-            url: "ldaps://idm.domain.com"
-            suffix: "dc=cloud,dc=domain,dc=com"
-            # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
-            uid: keystone
-            password: password
+          external:
+            description: "Testing domain"
+            backend: ldap
+            assignment:
+              backend: sql
+            ldap:
+              url: "ldaps://idm.domain.com"
+              suffix: "dc=cloud,dc=domain,dc=com"
+              # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
+              uid: keystone
+              password: password
 
 Using LDAP backend for default domain
 
@@ -293,6 +305,56 @@
           virtual_host: '/openstack'
         ....
 
+Client-side RabbitMQ TLS configuration:
+
+|
+
+By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
+
+.. code-block:: yaml
+
+  keystone:
+    server:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+
+Use `cacert_file` option to specify the CA-cert file path explicitly:
+
+.. code-block:: yaml
+
+  keystone:
+    server:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+          cacert_file: /etc/ssl/rabbitmq-ca.pem
+
+To manage content of the `cacert_file` use the `cacert` option:
+
+.. code-block:: yaml
+
+  keystone:
+    server:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+          cacert: |
+
+          -----BEGIN CERTIFICATE-----
+                    ...
+          -----END CERTIFICATE-------
+
+          cacert_file: /etc/openstack/rabbitmq-ca.pem
+
+
+Notice:
+ * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
+ * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+
 Enable CADF audit notification
 
 .. code-block:: yaml
@@ -323,7 +385,7 @@
         modules:
           - wsgi
 
-Enable Federated keystone
+Enable SAML2 Federated keystone
 
 .. code-block:: yaml
 
@@ -333,14 +395,16 @@
         - password
         - token
         - saml2
-        websso:
-          protocol: saml2
-          remote_id_attribute: Shib-Identity-Provider
+        federation:
+          saml2:
+            protocol: saml2
+            remote_id_attribute: Shib-Identity-Provider
+            shib_url_scheme: https
+            shib_compat_valid_user: 'on'
           federation_driver: keystone.contrib.federation.backends.sql.Federation
           federated_domain_name: Federated
           trusted_dashboard:
-            - http://${_param:proxy_vip_address_public}/horizon/auth/websso/
-          shib_url_scheme: https
+            - https://${_param:cluster_public_host}/horizon/auth/websso/
     apache:
       server:
         pkgs:
@@ -350,6 +414,48 @@
           - wsgi
           - shib2
 
+Enable OIDC Federated keystone
+
+.. code-block:: yaml
+
+    keystone:
+      server:
+        auth_methods:
+        - password
+        - token
+        - oidc
+        federation:
+        oidc:
+            protocol: oidc
+            remote_id_attribute: HTTP_OIDC_ISS
+            remote_id_attribute_value: https://accounts.google.com
+            oidc_claim_prefix: "OIDC-"
+            oidc_response_type: id_token
+            oidc_scope: "openid email profile"
+            oidc_provider_metadata_url: https://accounts.google.com/.well-known/openid-configuration
+            oidc_client_id: <openid_client_id>
+            oidc_client_secret: <openid_client_secret>
+            oidc_crypto_passphrase: openstack
+            oidc_redirect_uri: https://key.example.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
+            oidc_oauth_introspection_endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo
+            oidc_oauth_introspection_token_param_name: access_token
+            oidc_oauth_remote_user_claim: user_id
+            oidc_ssl_validate_server: 'off'
+        federated_domain_name: Federated
+        federation_driver: keystone.contrib.federation.backends.sql.Federation
+        trusted_dashboard:
+          - https://${_param:cluster_public_host}/auth/websso/
+    apache:
+      server:
+        pkgs:
+          - apache2
+          - libapache2-mod-auth-openidc
+        modules:
+          - wsgi
+          - auth_openidc
+
+Notes: Ubuntu Trusty repository doesn't contain libapache2-mod-auth-openidc package. Additonal repository should be added to source list.
+
 Use a custom identity driver with custom options
 
 .. code-block:: yaml
@@ -547,6 +653,17 @@
             param2: value
         ....
 
+Configuration of policy.json file
+
+.. code-block:: yaml
+
+
+    keystone:
+      server:
+        ....
+        policy:
+          admin_or_token_subject: 'rule:admin_required or rule:token_subject'
+
 Usage
 =====
 
diff --git a/_grains/keystone_policy.py b/_grains/keystone_policy.py
new file mode 100644
index 0000000..2155b12
--- /dev/null
+++ b/_grains/keystone_policy.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+import salt.config
+import salt.loader
+
+
+def main():
+    path = "/etc/keystone/policy.json"
+    __opts__ = salt.config.minion_config('/etc/salt/minion')
+    keystone_policy_mod = salt.loader.raw_mod(__opts__, 'keystone_policy', None)
+    if keystone_policy_mod:
+        result = keystone_policy_mod['keystone_policy.rule_list'](path)
+        if result and 'Error' not in result:
+            return {'keystone_policy': result}
+    return {}
+
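Review bot: Every failure path in `main` is silent — `rule_list` logs only at debug and returns `{'Error': msg}`, and the grain then returns `{}` with no message of its own, so an unreadable or malformed `/etc/keystone/policy.json` simply makes the `keystone_policy` grain vanish with nothing in the minion log above debug level. The `'Error' not in result` test is also an in-band sentinel: a policy file whose top-level key is literally `Error` is indistinguishable from a load failure. At minimum surface the failure, e.g. after the inner `if` add `LOG.warning('keystone_policy grain not set: %s', result.get('Error', 'empty policy'))`, with `import logging` and `LOG = logging.getLogger(__name__)` at module level since the file currently has neither. Moving the error out of band (raise from `rule_list`, catch here) would remove the key collision as well.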
diff --git a/_modules/keystone_policy.py b/_modules/keystone_policy.py
new file mode 100644
index 0000000..4e3ae6d
--- /dev/null
+++ b/_modules/keystone_policy.py
@@ -0,0 +1,78 @@
+import io
+import json
+import logging
+
+import yaml
+
+LOG = logging.getLogger(__name__)
+
+
+def __virtual__():
+    return True
+
+
+def rule_list(path, **kwargs):
+    try:
+        with io.open(path, 'r') as file_handle:
+            rules = yaml.safe_load(file_handle) or {}
+        rules = {str(k): str(v) for (k, v) in rules.items()}
+    except Exception as e:
+        msg = "Unable to load policy file %s: %s" % (path, repr(e))
+        LOG.debug(msg)
+        rules = {'Error': msg}
+    return rules
+
+
+def rule_delete(name, path, **kwargs):
+    ret = {}
+    rules = __salt__['keystone_policy.rule_list'](path, **kwargs)
+    if 'Error' not in rules:
+        if name not in rules:
+            return ret
+        del rules[name]
+        try:
+            with io.open(path, 'w') as file_handle:
+                if path.endswith('json'):
+                    serialized = json.dumps(rules, indent=4)
+                else:
+                    serialized = yaml.safe_dump(rules, indent=4)
+                file_handle.write(unicode(serialized))
+        except Exception as e:
+            msg = "Unable to save policy file: %s" % repr(e)
+            LOG.error(msg)
+            return {'Error': msg}
+        ret = 'Rule {0} deleted'.format(name)
+    return ret
+
+
+def rule_set(name, rule, path, **kwargs):
+    rules = __salt__['keystone_policy.rule_list'](path, **kwargs)
+    if 'Error' not in rules:
+        if name in rules and rules[name] == rule:
+            return {name: 'Rule %s already exists and is in correct state' % name}
+        rules.update({name: rule})
+        try:
+            with io.open(path, 'w') as file_handle:
+                if path.endswith('json'):
+                    serialized = json.dumps(rules, indent=4)
+                else:
+                    serialized = yaml.safe_dump(rules, indent=4)
+                file_handle.write(unicode(serialized))
+        except Exception as e:
+            msg = "Unable to save policy file %s: %s" % (path, repr(e))
+            LOG.error(msg)
+            return {'Error': msg}
+        return rule_get(name, path, **kwargs)
+    return rules
+
+
+def rule_get(name, path, **kwargs):
+    ret = {}
+    rules = __salt__['keystone_policy.rule_list'](path, **kwargs)
+    if 'Error' in rules:
+        ret['Error'] = rules['Error']
+    elif name in rules:
+        ret[name] = rules.get(name)
+
+    return ret
+
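Review bot: `rule_delete` and `rule_set` rewrite the policy file in place with `io.open(path, 'w')`, so a crash, a full disk or a concurrent reader between the truncation and the final write sees an empty or partial `policy.json` — for the file that decides who may do what in Keystone that is a failure mode worth avoiding. The serialize-and-write code is also duplicated between the two functions. I would factor it into one helper that writes to a temporary file in the same directory, copies the original mode and owner, and renames it over `path`; `os`, `stat` and `tempfile` would need importing at the top of the module. `unicode(serialized)` additionally ties the module to Python 2, which is presumably intended for this Salt version but deserves a comment.
```python
def _write_rules(path, rules):
    """Serialize ``rules`` and atomically replace ``path`` with the result.

    The data is written to a temporary file next to ``path`` (same mode and
    owner as the original) and renamed over it, so readers never observe a
    truncated policy file. Any exception is propagated after cleanup.
    """
    if path.endswith('json'):
        serialized = json.dumps(rules, indent=4)
    else:
        serialized = yaml.safe_dump(rules, indent=4)
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(path) or '.',
                                    prefix='.policy.')
    try:
        st = os.stat(path)
        os.fchmod(fd, stat.S_IMODE(st.st_mode))
        os.fchown(fd, st.st_uid, st.st_gid)
        with io.open(fd, 'w') as file_handle:  # closes fd as well
            file_handle.write(unicode(serialized))  # Python 2 only, as is the rest of this module
        os.rename(tmp_path, path)  # atomic on POSIX within one filesystem
    except Exception:
        os.unlink(tmp_path)
        raise


# … in rule_delete and rule_set, the open/dump block becomes:
        try:
            _write_rules(path, rules)
        except Exception as e:
            msg = "Unable to save policy file %s: %s" % (path, repr(e))
            LOG.error(msg)
            return {'Error': msg}
```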
diff --git a/_states/keystone_policy.py b/_states/keystone_policy.py
new file mode 100644
index 0000000..e7a4a6a
--- /dev/null
+++ b/_states/keystone_policy.py
@@ -0,0 +1,81 @@
+#!/usr/bin/env python
+'''
+Management of policy.json
+=========================
+
+Merge user defined hash to policy.json
+--------------------------------------
+
+.. code-block:: yaml
+
+  my_rule_present:
+    keystone_policy.rule_present:
+      - name: rule_name
+      - rule: rule
+      - path: /etc/keystone/policy.json
+
+  my_rule_absent:
+    keystone_policy.rule_absent:
+      - name: rule_name
+      - path: /etc/keystone/policy.json
+
+'''
+import logging
+
+log = logging.getLogger(__name__)
+
+
+def __virtual__():
+    return True
+
+
+def rule_present(name, rule, path, **kwargs):
+    '''
+    Ensures that the policy rule exists
+    
+    :param name: Rule name
+    :param rule: Rule
+    :param path: Path to policy file
+    '''
+    rule = rule or ""
+    ret = {'name': name,
+           'changes': {},
+           'result': True,
+           'comment': 'Rule "{0}" already exists and is in correct state'.format(name)}
+    rule_check = __salt__['keystone_policy.rule_get'](name, path, **kwargs)
+    if not rule_check:
+        __salt__['keystone_policy.rule_set'](name, rule, path, **kwargs)
+        ret['comment'] = 'Rule {0} has been created'.format(name)
+        ret['changes']['Rule'] = 'Rule %s: "%s" has been created' % (name, rule)
+    elif 'Error' in rule_check:
+        ret['comment'] = rule_check.get('Error')
+        ret['result'] = False
+    elif rule_check[name] != rule:
+        __salt__['keystone_policy.rule_set'](name, rule, path, **kwargs)
+        ret['comment'] = 'Rule %s has been changed' % (name,)
+        ret['changes']['Old Rule'] = '%s: "%s"' % (name, rule_check[name])
+        ret['changes']['New Rule'] = '%s: "%s"' % (name, rule)
+    return ret
+
+
+def rule_absent(name, path, **kwargs):
+    '''
+    Ensures that the policy rule does not exist
+
+    :param name: Rule name
+    :param path: Path to policy file
+    '''
+    ret = {'name': name,
+           'changes': {},
+           'result': True,
+           'comment': 'Rule "{0}" is already absent'.format(name)}
+    rule_check = __salt__['keystone_policy.rule_get'](name, path, **kwargs)
+    if rule_check:
+        __salt__['keystone_policy.rule_delete'](name, path, **kwargs)
+        ret['comment'] = 'Rule {0} has been deleted'.format(name)
+        ret['changes']['Rule'] = 'Rule %s: "%s" has been deleted' % (name, rule_check[name])
+    elif 'Error' in rule_check:
+        ret['comment'] = rule_check.get('Error')
+        ret['result'] = False
+    return ret
+
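Review bot: `rule = rule or ""` at the top of `rule_present` turns a missing or `None` rule into an empty string and writes it out, and oslo.policy parses an empty rule string as an always-true check as far as I recall — so a pillar entry like the README's `existing_rule:` with no value would, if it ever reached this state rather than `rule_absent`, grant the action to everyone instead of removing it. The state should refuse an empty rule rather than coerce it. Both `rule_set` calls (and the `rule_delete` call in `rule_absent`) also discard the module's return value, so a failed write that comes back as `{'Error': ...}` is still reported as `result: True` with changes recorded, the same error-masking pattern this commit's title fixes for `db_sync`. The state further ignores `__opts__['test']`, modifying the file during a dry run; the rewritten `rule_present` below addresses all three, and `rule_absent` needs the same return-value check.
```python
def rule_present(name, rule, path, **kwargs):
    '''
    Ensures that the policy rule exists with exactly the given text.

    An empty or missing rule is refused rather than written: an empty
    rule string is treated by the policy engine as "always allow", so
    silently writing it would open the action to everyone. Use
    rule_absent to remove a rule.

    :param name: Rule name
    :param rule: Rule text (must be non-empty)
    :param path: Path to policy file
    '''
    ret = {'name': name,
           'changes': {},
           'result': True,
           'comment': 'Rule "{0}" already exists and is in correct state'.format(name)}
    if not rule:
        ret['result'] = False
        ret['comment'] = 'Rule "{0}" has no value; use keystone_policy.rule_absent to remove it'.format(name)
        return ret
    rule_check = __salt__['keystone_policy.rule_get'](name, path, **kwargs)
    if 'Error' in rule_check:
        ret['result'] = False
        ret['comment'] = rule_check['Error']
        return ret
    if rule_check and rule_check[name] == rule:
        return ret
    if rule_check:
        ret['comment'] = 'Rule %s has been changed' % (name,)
        ret['changes']['Old Rule'] = '%s: "%s"' % (name, rule_check[name])
        ret['changes']['New Rule'] = '%s: "%s"' % (name, rule)
    else:
        ret['comment'] = 'Rule {0} has been created'.format(name)
        ret['changes']['Rule'] = 'Rule %s: "%s" has been created' % (name, rule)
    if __opts__.get('test'):
        ret['result'] = None  # dry run: report the pending change, touch nothing
        return ret
    result = __salt__['keystone_policy.rule_set'](name, rule, path, **kwargs)
    if 'Error' in result:
        # the module could not save the file: do not claim a change was made
        ret['result'] = False
        ret['comment'] = result['Error']
        ret['changes'] = {}
    return ret
```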
diff --git a/keystone/client/project.sls b/keystone/client/project.sls
index bb0d30e..856c78f 100644
--- a/keystone/client/project.sls
+++ b/keystone/client/project.sls
@@ -3,13 +3,6 @@
 
 {%- if client.tenant is defined %}
 
-keystone_salt_config:
-  file.managed:
-    - name: /etc/salt/minion.d/keystone.conf
-    - template: jinja
-    - source: salt://keystone/files/salt-minion.conf
-    - mode: 600
-
 keystone_client_roles:
   keystone.role_present:
   - names: {{ client.roles }}
@@ -17,8 +10,6 @@
   - connection_password: {{ client.server.password }}
   - connection_tenant: {{ client.server.tenant }}
   - connection_auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
-  - require:
-    - file: keystone_salt_config
 
 {%- for tenant_name, tenant in client.get('tenant', {}).iteritems() %}
 
diff --git a/keystone/client/server.sls b/keystone/client/server.sls
index 4a8bfed..416590b 100644
--- a/keystone/client/server.sls
+++ b/keystone/client/server.sls
@@ -64,9 +64,9 @@
 keystone_{{ server_name }}_service_{{ service_name }}_endpoint_{{ endpoint.region }}:
   keystone.endpoint_present:
   - name: {{ service_name }}
-  - publicurl: '{{ endpoint.get('public_protocol', 'http') }}://{{ endpoint.public_address }}:{{ endpoint.public_port }}{{ endpoint.public_path }}'
-  - internalurl: '{{ endpoint.get('internal_protocol', 'http') }}://{{ endpoint.internal_address }}:{{ endpoint.internal_port }}{{ endpoint.internal_path }}'
-  - adminurl: '{{ endpoint.get('admin_protocol', 'http') }}://{{ endpoint.admin_address }}:{{ endpoint.admin_port }}{{ endpoint.admin_path }}'
+  - publicurl: '{{ endpoint.get('public_protocol', 'http') }}://{{ endpoint.public_address }}{% if not (endpoint.get('public_protocol', 'http') == 'https' and endpoint.public_port|int == 443) %}:{{ endpoint.public_port }}{% endif %}{{ endpoint.public_path }}'
+  - internalurl: '{{ endpoint.get('internal_protocol', 'http') }}://{{ endpoint.internal_address }}{% if not (endpoint.get('internal_protocol', 'http') == 'https' and endpoint.internal_port|int == 443) %}:{{ endpoint.internal_port }}{% endif %}{{ endpoint.internal_path }}'
+  - adminurl: '{{ endpoint.get('admin_protocol', 'http') }}://{{ endpoint.admin_address }}{% if not (endpoint.get('admin_protocol', 'http') == 'https' and endpoint.admin_port|int == 443) %}:{{ endpoint.admin_port }}{% endif %}{{ endpoint.admin_path }}'
   - region: {{ endpoint.region }}
   - require:
     - keystone: keystone_{{ server_name }}_service_{{ service_name }}
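Review bot: The three rewritten URL lines each repeat the same `not (protocol == 'https' and port|int == 443)` expression with only the `public`/`internal`/`admin` prefix varying, which is easy to get subtly wrong on the next edit; a small Jinja macro keeps the rule in one place and makes the intent readable. The normalisation is also asymmetric — `http://host:80/` still carries its port while `https://host:443/` is stripped — which may be deliberate, but if endpoint URLs are compared as strings anywhere the `http`/`80` case deserves the same treatment. The enclosing endpoint loop starts and ends outside the hunk.
```jinja
{#- Build an endpoint URL, omitting the port when it is the protocol default (https/443). #}
{%- macro endpoint_url(protocol, address, port, path) -%}
{{ protocol }}://{{ address }}{% if not (protocol == 'https' and port|int == 443) %}:{{ port }}{% endif %}{{ path }}
{%- endmacro %}
{#- … unchanged: service and endpoint loops … #}
  - publicurl: '{{ endpoint_url(endpoint.get('public_protocol', 'http'), endpoint.public_address, endpoint.public_port, endpoint.public_path) }}'
  - internalurl: '{{ endpoint_url(endpoint.get('internal_protocol', 'http'), endpoint.internal_address, endpoint.internal_port, endpoint.internal_path) }}'
  - adminurl: '{{ endpoint_url(endpoint.get('admin_protocol', 'http'), endpoint.admin_address, endpoint.admin_port, endpoint.admin_path) }}'
```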
diff --git a/keystone/client/service.sls b/keystone/client/service.sls
index efdef37..40c68df 100644
--- a/keystone/client/service.sls
+++ b/keystone/client/service.sls
@@ -5,10 +5,4 @@
   pkg.installed:
   - names: {{ client.pkgs }}
 
-keystone_profile:
-  file.managed:
-  - name: /etc/salt/minion.d/_keystone.conf
-  - source: salt://keystone/files/keystone.conf
-  - template: jinja
-
-{%- endif %}
\ No newline at end of file
+{%- endif %}
diff --git a/keystone/files/_ldap.conf b/keystone/files/_ldap.conf
index 0c27708..cabf873 100644
--- a/keystone/files/_ldap.conf
+++ b/keystone/files/_ldap.conf
@@ -1,40 +1,62 @@
 
 [ldap]
 url = {{ ldap.url }}
+{%- if ldap.get('auth', True) == True %}
+{%- if ldap.bind_user is defined %}
+user = {{ ldap.bind_user }}
+{%- else %}
 user = uid={{ ldap.get("uid", "keystone") }},cn=users,cn=accounts,{{ ldap.suffix }}
+{%- endif %}
 password = {{ ldap.password }}
+{%- endif %}
 suffix = {{ ldap.suffix }}
+query_scope = {{ ldap.get("query_scope", "one") }}
+page_size = {{ ldap.get("page_size", "0") }}
+chase_referrals = {{ ldap.get("chase_referrals", False) }}
 
 # User mapping
+{%- if ldap.user_tree_dn is defined  %}
+user_tree_dn = {{ ldap.user_tree_dn }}
+{%- else %}
 user_tree_dn = cn=users,cn=accounts,{{ ldap.suffix }}
-user_objectclass = person
-user_id_attribute = uid
-user_name_attribute = uid
-user_mail_attribute = mail
+{%- endif %}
+user_objectclass = {{ ldap.get("user_objectclass", "person") }}
+user_id_attribute = {{ ldap.get("user_id_attribute", "uid") }}
+user_name_attribute = {{ ldap.get("user_name_attribute", "uid") }}
+user_mail_attribute = {{ ldap.get("user_mail_attribute", "mail") }}
+user_pass_attribute = {{ ldap.get("user_pass_attribute", "password") }}
 {%- if ldap.get('read_only', True) %}
 user_allow_create = false
 user_allow_update = false
 user_allow_delete = false
 {%- endif %}
-user_enabled_attribute = nsAccountLock
-user_enabled_default = False
-user_enabled_invert = true
+user_enabled_attribute = {{ ldap.get("user_enabled_attribute", "nsAccountLock") }}
+user_enabled_default = {{ ldap.get("user_enabled_default", False) }}
+user_enabled_invert = {{ ldap.get("user_enabled_invert", True) }}
+user_enabled_mask = {{ ldap.get("user_enabled_mask", 0) }}
 {%- if ldap.get('filter', {}).get('user', False) %}
 user_filter = {{ ldap.filter.user }}
 {%- endif %}
 
 # Group mapping
+{%- if ldap.group_tree_dn is defined  %}
+group_tree_dn = {{ ldap.group_tree_dn }}
+{%- else %}
 group_tree_dn = cn=groups,cn=accounts,{{ ldap.suffix }}
-group_objectclass = groupOfNames
-group_id_attribute = cn
-group_name_attribute = cn
-group_member_attribute = member
-group_desc_attribute = description
+{%- endif %}
+group_objectclass = {{ ldap.get("group_objectclass", "groupOfNames") }}
+group_id_attribute = {{ ldap.get("group_id_attribute", "cn") }}
+group_name_attribute = {{ ldap.get("group_name_attribute", "cn") }}
+group_member_attribute = {{ ldap.get("group_member_attribute", "member") }}
+group_desc_attribute = {{ ldap.get("group_desc_attribute", "description") }}
 {%- if ldap.get('read_only', True) %}
 group_allow_create = false
 group_allow_update = false
 group_allow_delete = false
 {%- endif %}
+{%- if ldap.get('filter', {}).get('group', False) %}
+group_filter = {{ ldap.filter.group }}
+{%- endif %}
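Review bot: `{%- if ldap.get('auth', True) == True %}` at the top of the hunk compares with `== True`, while the existing `read_only` and `filter` checks further down test plain truthiness; a pillar value such as `auth: 'true'` or `auth: 1` therefore satisfies the other checks but fails this one, silently omitting `user` and `password` and turning the directory bind into an anonymous one. Write it as `{%- if ldap.get('auth', True) %}` to match the rest of the template. Separately, the new default `user_pass_attribute = password` differs from what I recall Keystone's own default being (`userPassword`); it is inert while `read_only` stays true, but worth confirming before anyone relies on it with a writable backend.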
 
 {%- if ldap.tls is defined %}
 
diff --git a/keystone/files/grafana_dashboards/keystone_prometheus.json b/keystone/files/grafana_dashboards/keystone_prometheus.json
new file mode 100755
index 0000000..1d0e495
--- /dev/null
+++ b/keystone/files/grafana_dashboards/keystone_prometheus.json
@@ -0,0 +1,1050 @@
+{% raw %}
+{
+  "annotations": {
+    "list": []
+  },
+  "editable": true,
+  "gnetId": null,
+  "graphTooltip": 0,
+  "hideControls": false,
+  "id": null,
+  "links": [],
+  "refresh": "1m",
+  "rows": [
+    {
+      "collapse": false,
+      "height": "250px",
+      "panels": [
+        {
+          "cacheTimeout": null,
+          "colorBackground": false,
+          "colorValue": true,
+          "colors": [
+            "rgba(245, 54, 54, 0.9)",
+            "rgba(237, 129, 40, 0.89)",
+            "rgba(50, 172, 45, 0.97)"
+          ],
+          "datasource": null,
+          "format": "none",
+          "gauge": {
+            "maxValue": 1,
+            "minValue": 0,
+            "show": false,
+            "thresholdLabels": false,
+            "thresholdMarkers": true
+          },
+          "id": 1,
+          "interval": null,
+          "links": [],
+          "mappingType": 1,
+          "mappingTypes": [
+            {
+              "name": "value to text",
+              "value": 1
+            },
+            {
+              "name": "range to text",
+              "value": 2
+            }
+          ],
+          "maxDataPoints": 100,
+          "nullPointMode": "connected",
+          "nullText": null,
+          "postfix": "",
+          "postfixFontSize": "50%",
+          "prefix": "",
+          "prefixFontSize": "50%",
+          "rangeMaps": [
+            {
+              "from": "null",
+              "text": "N/A",
+              "to": "null"
+            }
+          ],
+          "span": 3,
+          "sparkline": {
+            "fillColor": "rgba(31, 118, 189, 0.18)",
+            "full": false,
+            "lineColor": "rgb(31, 120, 193)",
+            "show": true
+          },
+          "tableColumn": "",
+          "targets": [
+            {
+              "expr": "min(openstack_api_check_status{service=~\"keystone.*public.*\"})",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ service }}",
+              "refId": "A",
+              "step": 60
+            }
+          ],
+          "thresholds": "1,0",
+          "title": "API Availability",
+          "type": "singlestat",
+          "valueFontSize": "80%",
+          "valueMaps": [
+            {
+              "op": "=",
+              "text": "N/A",
+              "value": "null"
+            },
+            {
+              "op": "=",
+              "text": "OK",
+              "value": "1"
+            },
+            {
+              "op": "=",
+              "text": "DOWN",
+              "value": "0"
+            }
+          ],
+          "valueName": "current"
+        },
+        {
+          "cacheTimeout": null,
+          "colorBackground": false,
+          "colorValue": false,
+          "colors": [
+            "rgba(245, 54, 54, 0.9)",
+            "rgba(237, 129, 40, 0.89)",
+            "rgba(50, 172, 45, 0.97)"
+          ],
+          "datasource": null,
+          "decimals": null,
+          "format": "none",
+          "gauge": {
+            "maxValue": 100,
+            "minValue": 0,
+            "show": false,
+            "thresholdLabels": false,
+            "thresholdMarkers": true
+          },
+          "id": 12,
+          "interval": null,
+          "links": [],
+          "mappingType": 1,
+          "mappingTypes": [
+            {
+              "name": "value to text",
+              "value": 1
+            },
+            {
+              "name": "range to text",
+              "value": 2
+            }
+          ],
+          "maxDataPoints": 100,
+          "nullPointMode": "connected",
+          "nullText": null,
+          "postfix": "/ sec",
+          "postfixFontSize": "50%",
+          "prefix": "",
+          "prefixFontSize": "50%",
+          "rangeMaps": [
+            {
+              "from": "null",
+              "text": "N/A",
+              "to": "null"
+            }
+          ],
+          "span": 3,
+          "sparkline": {
+            "fillColor": "rgba(31, 118, 189, 0.18)",
+            "full": false,
+            "lineColor": "rgb(31, 120, 193)",
+            "show": true
+          },
+          "tableColumn": "",
+          "targets": [
+            {
+              "expr": "sum(irate(haproxy_http_response_5xx{proxy=~\"keystone.*\",sv=\"FRONTEND\"}[5m]))",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "per sec",
+              "refId": "A",
+              "step": 60
+            }
+          ],
+          "thresholds": "",
+          "title": "HTTP 5xx errors",
+          "type": "singlestat",
+          "valueFontSize": "80%",
+          "valueMaps": [
+            {
+              "op": "=",
+              "text": "N/A",
+              "value": "null"
+            }
+          ],
+          "valueName": "current"
+        },
+        {
+          "cacheTimeout": null,
+          "colorBackground": false,
+          "colorValue": false,
+          "colors": [
+            "rgba(245, 54, 54, 0.9)",
+            "rgba(237, 129, 40, 0.89)",
+            "rgba(50, 172, 45, 0.97)"
+          ],
+          "datasource": null,
+          "format": "none",
+          "gauge": {
+            "maxValue": 100,
+            "minValue": 0,
+            "show": false,
+            "thresholdLabels": false,
+            "thresholdMarkers": true
+          },
+          "id": 3,
+          "interval": null,
+          "links": [],
+          "mappingType": 1,
+          "mappingTypes": [
+            {
+              "name": "value to text",
+              "value": 1
+            },
+            {
+              "name": "range to text",
+              "value": 2
+            }
+          ],
+          "maxDataPoints": 100,
+          "nullPointMode": "connected",
+          "nullText": null,
+          "postfix": "",
+          "postfixFontSize": "50%",
+          "prefix": "",
+          "prefixFontSize": "50%",
+          "rangeMaps": [
+            {
+              "from": "null",
+              "text": "N/A",
+              "to": "null"
+            }
+          ],
+          "span": 3,
+          "sparkline": {
+            "fillColor": "rgba(31, 118, 189, 0.18)",
+            "full": false,
+            "lineColor": "rgb(31, 120, 193)",
+            "show": true
+          },
+          "tableColumn": "",
+          "targets": [
+            {
+              "expr": "min(haproxy_active_servers{proxy=~\"keystone.*public.*\", sv=\"BACKEND\"})",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "",
+              "refId": "A",
+              "step": 60
+            }
+          ],
+          "thresholds": "",
+          "title": "Public API backends",
+          "type": "singlestat",
+          "valueFontSize": "80%",
+          "valueMaps": [
+            {
+              "op": "=",
+              "text": "N/A",
+              "value": "null"
+            }
+          ],
+          "valueName": "current"
+        },
+        {
+          "cacheTimeout": null,
+          "colorBackground": false,
+          "colorValue": false,
+          "colors": [
+            "rgba(245, 54, 54, 0.9)",
+            "rgba(237, 129, 40, 0.89)",
+            "rgba(50, 172, 45, 0.97)"
+          ],
+          "datasource": null,
+          "format": "none",
+          "gauge": {
+            "maxValue": 100,
+            "minValue": 0,
+            "show": false,
+            "thresholdLabels": false,
+            "thresholdMarkers": true
+          },
+          "id": 4,
+          "interval": null,
+          "links": [],
+          "mappingType": 1,
+          "mappingTypes": [
+            {
+              "name": "value to text",
+              "value": 1
+            },
+            {
+              "name": "range to text",
+              "value": 2
+            }
+          ],
+          "maxDataPoints": 100,
+          "nullPointMode": "connected",
+          "nullText": null,
+          "postfix": "",
+          "postfixFontSize": "50%",
+          "prefix": "",
+          "prefixFontSize": "50%",
+          "rangeMaps": [
+            {
+              "from": "null",
+              "text": "N/A",
+              "to": "null"
+            }
+          ],
+          "span": 3,
+          "sparkline": {
+            "fillColor": "rgba(31, 118, 189, 0.18)",
+            "full": false,
+            "lineColor": "rgb(31, 120, 193)",
+            "show": true
+          },
+          "tableColumn": "",
+          "targets": [
+            {
+              "expr": "min(haproxy_active_servers{proxy=~\"keystone.*admin.*\", sv=\"BACKEND\"})",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "",
+              "refId": "A",
+              "step": 60
+            }
+          ],
+          "thresholds": "",
+          "title": "Admin API backends",
+          "type": "singlestat",
+          "valueFontSize": "80%",
+          "valueMaps": [
+            {
+              "op": "=",
+              "text": "N/A",
+              "value": "null"
+            }
+          ],
+          "valueName": "current"
+        }
+      ],
+      "repeat": null,
+      "repeatIteration": null,
+      "repeatRowId": null,
+      "showTitle": true,
+      "title": "Service Status",
+      "titleSize": "h6"
+    },
+    {
+      "collapse": false,
+      "height": "250",
+      "panels": [
+        {
+          "aliasColors": {},
+          "bars": false,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": null,
+          "fill": 1,
+          "id": 13,
+          "legend": {
+            "avg": false,
+            "current": false,
+            "max": false,
+            "min": false,
+            "show": true,
+            "total": false,
+            "values": false
+          },
+          "lines": true,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "span": 6,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(openstack_keystone_http_response_times_rate{host=~\"^$host$\"})  by (http_status)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ http_status }}",
+              "refId": "A",
+              "step": 10
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Throughput",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "ops",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": "0",
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ]
+        },
+        {
+          "aliasColors": {},
+          "bars": false,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": null,
+          "fill": 1,
+          "id": 14,
+          "legend": {
+            "avg": false,
+            "current": false,
+            "max": false,
+            "min": false,
+            "show": true,
+            "total": false,
+            "values": false
+          },
+          "lines": true,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "span": 6,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "max(openstack_keystone_http_response_times_upper_90{host=~\"^$host$\"})  by (http_method)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ http_method }}",
+              "refId": "A",
+              "step": 10
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Latency",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "s",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": "0",
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ]
+        }
+      ],
+      "repeat": null,
+      "repeatIteration": null,
+      "repeatRowId": null,
+      "showTitle": true,
+      "title": "API Performances",
+      "titleSize": "h6"
+    },
+    {
+      "collapse": false,
+      "height": 250,
+      "panels": [
+        {
+          "cacheTimeout": null,
+          "colorBackground": false,
+          "colorValue": false,
+          "colors": [
+            "rgba(245, 54, 54, 0.9)",
+            "rgba(237, 129, 40, 0.89)",
+            "rgba(50, 172, 45, 0.97)"
+          ],
+          "datasource": null,
+          "format": "none",
+          "gauge": {
+            "maxValue": 100,
+            "minValue": 0,
+            "show": false,
+            "thresholdLabels": false,
+            "thresholdMarkers": true
+          },
+          "id": 7,
+          "interval": null,
+          "links": [],
+          "mappingType": 1,
+          "mappingTypes": [
+            {
+              "name": "value to text",
+              "value": 1
+            },
+            {
+              "name": "range to text",
+              "value": 2
+            }
+          ],
+          "maxDataPoints": 100,
+          "nullPointMode": "connected",
+          "nullText": null,
+          "postfix": "",
+          "postfixFontSize": "50%",
+          "prefix": "",
+          "prefixFontSize": "50%",
+          "rangeMaps": [
+            {
+              "from": "null",
+              "text": "N/A",
+              "to": "null"
+            }
+          ],
+          "span": 2,
+          "sparkline": {
+            "fillColor": "rgba(31, 118, 189, 0.18)",
+            "full": false,
+            "lineColor": "rgb(31, 120, 193)",
+            "show": false
+          },
+          "tableColumn": "",
+          "targets": [
+            {
+              "expr": "max(openstack_keystone_users{state=\"enabled\"})",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "",
+              "metric": "openstack_keystone_users_total",
+              "refId": "A",
+              "step": 60
+            }
+          ],
+          "thresholds": "",
+          "title": "Active Users",
+          "type": "singlestat",
+          "valueFontSize": "80%",
+          "valueMaps": [
+            {
+              "op": "=",
+              "text": "N/A",
+              "value": "null"
+            }
+          ],
+          "valueName": "current"
+        },
+        {
+          "cacheTimeout": null,
+          "colorBackground": false,
+          "colorValue": false,
+          "colors": [
+            "rgba(245, 54, 54, 0.9)",
+            "rgba(237, 129, 40, 0.89)",
+            "rgba(50, 172, 45, 0.97)"
+          ],
+          "datasource": null,
+          "format": "none",
+          "gauge": {
+            "maxValue": 100,
+            "minValue": 0,
+            "show": false,
+            "thresholdLabels": false,
+            "thresholdMarkers": true
+          },
+          "id": 8,
+          "interval": null,
+          "links": [],
+          "mappingType": 1,
+          "mappingTypes": [
+            {
+              "name": "value to text",
+              "value": 1
+            },
+            {
+              "name": "range to text",
+              "value": 2
+            }
+          ],
+          "maxDataPoints": 100,
+          "nullPointMode": "connected",
+          "nullText": null,
+          "postfix": "",
+          "postfixFontSize": "50%",
+          "prefix": "",
+          "prefixFontSize": "50%",
+          "rangeMaps": [
+            {
+              "from": "null",
+              "text": "N/A",
+              "to": "null"
+            }
+          ],
+          "span": 2,
+          "sparkline": {
+            "fillColor": "rgba(31, 118, 189, 0.18)",
+            "full": false,
+            "lineColor": "rgb(31, 120, 193)",
+            "show": false
+          },
+          "tableColumn": "",
+          "targets": [
+            {
+              "expr": "max(openstack_keystone_users{state=\"disabled\"})",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "",
+              "metric": "openstack_keystone_users_total",
+              "refId": "A",
+              "step": 60
+            }
+          ],
+          "thresholds": "",
+          "title": "Disabled Users",
+          "type": "singlestat",
+          "valueFontSize": "80%",
+          "valueMaps": [
+            {
+              "op": "=",
+              "text": "N/A",
+              "value": "null"
+            }
+          ],
+          "valueName": "current"
+        },
+        {
+          "aliasColors": {},
+          "bars": false,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": null,
+          "fill": 1,
+          "id": 6,
+          "legend": {
+            "avg": false,
+            "current": false,
+            "max": false,
+            "min": false,
+            "show": true,
+            "total": false,
+            "values": false
+          },
+          "lines": true,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "span": 8,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "max(openstack_keystone_users) by (state)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ state }}",
+              "metric": "openstack_keystone_users",
+              "refId": "A",
+              "step": 4
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Users",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ]
+        },
+        {
+          "cacheTimeout": null,
+          "colorBackground": false,
+          "colorValue": false,
+          "colors": [
+            "rgba(245, 54, 54, 0.9)",
+            "rgba(237, 129, 40, 0.89)",
+            "rgba(50, 172, 45, 0.97)"
+          ],
+          "datasource": null,
+          "format": "none",
+          "gauge": {
+            "maxValue": 100,
+            "minValue": 0,
+            "show": false,
+            "thresholdLabels": false,
+            "thresholdMarkers": true
+          },
+          "id": 9,
+          "interval": null,
+          "links": [],
+          "mappingType": 1,
+          "mappingTypes": [
+            {
+              "name": "value to text",
+              "value": 1
+            },
+            {
+              "name": "range to text",
+              "value": 2
+            }
+          ],
+          "maxDataPoints": 100,
+          "nullPointMode": "connected",
+          "nullText": null,
+          "postfix": "",
+          "postfixFontSize": "50%",
+          "prefix": "",
+          "prefixFontSize": "50%",
+          "rangeMaps": [
+            {
+              "from": "null",
+              "text": "N/A",
+              "to": "null"
+            }
+          ],
+          "span": 2,
+          "sparkline": {
+            "fillColor": "rgba(31, 118, 189, 0.18)",
+            "full": false,
+            "lineColor": "rgb(31, 120, 193)",
+            "show": false
+          },
+          "tableColumn": "",
+          "targets": [
+            {
+              "expr": "max(openstack_keystone_tenants{state=\"enabled\"})",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "",
+              "metric": "",
+              "refId": "A",
+              "step": 60
+            }
+          ],
+          "thresholds": "",
+          "title": "Active Tenants",
+          "type": "singlestat",
+          "valueFontSize": "80%",
+          "valueMaps": [
+            {
+              "op": "=",
+              "text": "N/A",
+              "value": "null"
+            }
+          ],
+          "valueName": "current"
+        },
+        {
+          "cacheTimeout": null,
+          "colorBackground": false,
+          "colorValue": false,
+          "colors": [
+            "rgba(245, 54, 54, 0.9)",
+            "rgba(237, 129, 40, 0.89)",
+            "rgba(50, 172, 45, 0.97)"
+          ],
+          "datasource": null,
+          "format": "none",
+          "gauge": {
+            "maxValue": 100,
+            "minValue": 0,
+            "show": false,
+            "thresholdLabels": false,
+            "thresholdMarkers": true
+          },
+          "id": 10,
+          "interval": null,
+          "links": [],
+          "mappingType": 1,
+          "mappingTypes": [
+            {
+              "name": "value to text",
+              "value": 1
+            },
+            {
+              "name": "range to text",
+              "value": 2
+            }
+          ],
+          "maxDataPoints": 100,
+          "nullPointMode": "connected",
+          "nullText": null,
+          "postfix": "",
+          "postfixFontSize": "50%",
+          "prefix": "",
+          "prefixFontSize": "50%",
+          "rangeMaps": [
+            {
+              "from": "null",
+              "text": "N/A",
+              "to": "null"
+            }
+          ],
+          "span": 2,
+          "sparkline": {
+            "fillColor": "rgba(31, 118, 189, 0.18)",
+            "full": false,
+            "lineColor": "rgb(31, 120, 193)",
+            "show": false
+          },
+          "tableColumn": "",
+          "targets": [
+            {
+              "expr": "max(openstack_keystone_tenants{state=\"disabled\"})",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "",
+              "metric": "openstack_keystone_users_total",
+              "refId": "A",
+              "step": 60
+            }
+          ],
+          "thresholds": "",
+          "title": "Disabled Tenants",
+          "type": "singlestat",
+          "valueFontSize": "80%",
+          "valueMaps": [
+            {
+              "op": "=",
+              "text": "N/A",
+              "value": "null"
+            }
+          ],
+          "valueName": "current"
+        },
+        {
+          "aliasColors": {},
+          "bars": false,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": null,
+          "fill": 1,
+          "id": 11,
+          "legend": {
+            "avg": false,
+            "current": false,
+            "max": false,
+            "min": false,
+            "show": true,
+            "total": false,
+            "values": false
+          },
+          "lines": true,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "span": 8,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "max(openstack_keystone_tenants) by (state)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ state }}",
+              "metric": "openstack_keystone_users",
+              "refId": "A",
+              "step": 4
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Tenants",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ]
+        }
+      ],
+      "repeat": null,
+      "repeatIteration": null,
+      "repeatRowId": null,
+      "showTitle": true,
+      "title": "Resources",
+      "titleSize": "h6"
+    }
+  ],
+  "schemaVersion": 14,
+  "sharedCrosshair": true,
+  "style": "dark",
+  "tags": [],
+  "templating": {
+    "list": [
+      {
+        "allValue": null,
+        "current": {},
+        "datasource": "prometheus",
+        "hide": 0,
+        "includeAll": true,
+        "label": null,
+        "multi": true,
+        "name": "host",
+        "options": [],
+        "query": "label_values(openstack_keystone_http_response_times_count,host)",
+        "refresh": 1,
+        "refresh_on_load": true,
+        "regex": "",
+        "sort": 1,
+        "tagValuesQuery": "",
+        "tags": [],
+        "tagsQuery": "",
+        "type": "query",
+        "useTags": false
+      }
+    ]
+  },
+  "time": {
+    "from": "now-1h",
+    "to": "now"
+  },
+  "timepicker": {
+    "refresh_intervals": [
+      "5s",
+      "10s",
+      "30s",
+      "1m",
+      "5m",
+      "15m",
+      "30m",
+      "1h",
+      "2h",
+      "1d"
+    ],
+    "time_options": [
+      "5m",
+      "15m",
+      "1h",
+      "6h",
+      "12h",
+      "24h",
+      "2d",
+      "7d",
+      "30d"
+    ]
+  },
+  "timezone": "browser",
+  "title": "Keystone",
+  "version": 29
+}
+{% endraw %}
diff --git a/keystone/files/juno/keystone.conf.Debian b/keystone/files/juno/keystone.conf.Debian
index 4d2b9a8..fa7a75e 100644
--- a/keystone/files/juno/keystone.conf.Debian
+++ b/keystone/files/juno/keystone.conf.Debian
@@ -79,7 +79,7 @@
 # Enforced by optional sizelimit middleware
 # (keystone.middleware:RequestBodySizeLimiter). (integer
 # value)
-#max_request_body_size=114688
+max_request_body_size= {{ server.max_request_body_size }}
 
 # Limit the sizes of user & project ID/names. (integer value)
 #max_param_size=64
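Review bot: `max_request_body_size= {{ server.max_request_body_size }}` on L1661 renders the pillar value unconditionally, whereas the line it replaces was a commented-out default; if map.jinja does not supply a default for this key, the render fails or emits an empty integer option, and since this option is what bounds request bodies in the sizelimit middleware a fallback is worth keeping, e.g. `max_request_body_size = {{ server.get('max_request_body_size', 114688) }}`. The same applies to the kilo template at L1925. The spacing also differs from the other templated option in this change (`hash_algorithm = {{ … }}` at L1669), so a space before `=` keeps the files consistent.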
@@ -1625,6 +1625,7 @@
 # configured with the hash_algorithms, otherwise token
 # revocation will not be processed correctly. (string value)
 #hash_algorithm=md5
+hash_algorithm = {{ server.hash_algorithm }}
 
 
 [trust]
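Review bot: `hash_algorithm = {{ server.hash_algorithm }}` on L1669 has no fallback, so a pillar that leaves the key unset breaks rendering instead of keeping the upstream default shown on L1668; `hash_algorithm = {{ server.get('hash_algorithm', 'md5') }}` mirrors that default. The comment at L1666-1667 says the value must match the `hash_algorithms` configured in the auth_token middleware of the consuming services or token revocation is not processed correctly, and that cross-service coupling deserves a one-line comment next to the rendered option, e.g. `# keep in sync with hash_algorithms in every service's auth_token middleware, otherwise revocation is not applied there`. Same at L1933 in the kilo template.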
diff --git a/keystone/files/juno/policy-v2.json b/keystone/files/juno/policy-v2.json
deleted file mode 100644
index af65205..0000000
--- a/keystone/files/juno/policy-v2.json
+++ /dev/null
@@ -1,171 +0,0 @@
-{
-    "admin_required": "role:admin or is_admin:1",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner" : "user_id:%(user_id)s",
-    "admin_or_owner": "rule:admin_required or rule:owner",
-
-    "default": "rule:admin_required",
-
-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:admin_required",
-    "identity:update_region": "rule:admin_required",
-    "identity:delete_region": "rule:admin_required",
-
-    "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
-    "identity:create_service": "rule:admin_required",
-    "identity:update_service": "rule:admin_required",
-    "identity:delete_service": "rule:admin_required",
-
-    "identity:get_endpoint": "rule:admin_required",
-    "identity:list_endpoints": "rule:admin_required",
-    "identity:create_endpoint": "rule:admin_required",
-    "identity:update_endpoint": "rule:admin_required",
-    "identity:delete_endpoint": "rule:admin_required",
-
-    "identity:get_domain": "rule:admin_required",
-    "identity:list_domains": "rule:admin_required",
-    "identity:create_domain": "rule:admin_required",
-    "identity:update_domain": "rule:admin_required",
-    "identity:delete_domain": "rule:admin_required",
-
-    "identity:get_project": "rule:admin_required",
-    "identity:list_projects": "rule:admin_required",
-    "identity:list_user_projects": "rule:admin_or_owner",
-    "identity:create_project": "rule:admin_required",
-    "identity:update_project": "rule:admin_required",
-    "identity:delete_project": "rule:admin_required",
-
-    "identity:get_user": "rule:admin_required",
-    "identity:list_users": "rule:admin_required",
-    "identity:create_user": "rule:admin_required",
-    "identity:update_user": "rule:admin_required",
-    "identity:delete_user": "rule:admin_required",
-    "identity:change_password": "rule:admin_or_owner",
-
-    "identity:get_group": "rule:admin_required",
-    "identity:list_groups": "rule:admin_required",
-    "identity:list_groups_for_user": "rule:admin_or_owner",
-    "identity:create_group": "rule:admin_required",
-    "identity:update_group": "rule:admin_required",
-    "identity:delete_group": "rule:admin_required",
-    "identity:list_users_in_group": "rule:admin_required",
-    "identity:remove_user_from_group": "rule:admin_required",
-    "identity:check_user_in_group": "rule:admin_required",
-    "identity:add_user_to_group": "rule:admin_required",
-
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-
-    "identity:ec2_get_credential": "rule:admin_or_owner",
-    "identity:ec2_list_credentials": "rule:admin_or_owner",
-    "identity:ec2_create_credential": "rule:admin_or_owner",
-    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:admin_required",
-    "identity:update_role": "rule:admin_required",
-    "identity:delete_role": "rule:admin_required",
-
-    "identity:check_grant": "rule:admin_required",
-    "identity:list_grants": "rule:admin_required",
-    "identity:create_grant": "rule:admin_required",
-    "identity:revoke_grant": "rule:admin_required",
-
-    "identity:list_role_assignments": "rule:admin_required",
-
-    "identity:get_policy": "rule:admin_required",
-    "identity:list_policies": "rule:admin_required",
-    "identity:create_policy": "rule:admin_required",
-    "identity:update_policy": "rule:admin_required",
-    "identity:delete_policy": "rule:admin_required",
-
-    "identity:check_token": "rule:admin_required",
-    "identity:validate_token": "rule:service_or_admin",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_owner",
-
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:get_trust": "rule:admin_or_owner",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:check_role_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
-
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_groups": "",
-    "identity:list_domains_for_groups": "",
-
-    "identity:list_revoke_events": "",
-
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required"
-}
diff --git a/keystone/files/keystone.conf b/keystone/files/keystone.conf
deleted file mode 100644
index e6c9de2..0000000
--- a/keystone/files/keystone.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-{%- from "keystone/map.jinja" import client with context %}
-{%- for profile_name, identity in client.server.iteritems() %}
-
-{%- if identity.admin.get('protocol', 'http') == 'http' %}
-{%- set protocol = 'http' %}
-{%- else %}
-{%- set protocol = 'https' %}
-{%- endif %}
-
-{%- if identity.admin.get('api_version', '2') == '3' %}
-{%- set version = "v3" %}
-{%- else %}
-{%- set version = "v2.0" %}
-{%- endif %}
-
-{%- if identity.admin.user is defined %}
-
-{%- if identity.admin.token is not defined %}
-
-{{ profile_name }}:
-  keystone.user: '{{ identity.admin.user }}'
-  keystone.password: '{{ identity.admin.password }}'
-  keystone.tenant: '{{ identity.admin.project }}'
-  keystone.auth_url: '{{ protocol+'://'+identity.admin.host+':'+identity.admin.port|string+'/'+version }}'
-  keystone.region_name: '{{ identity.admin.region_name }}'
-
-{%- endif %}
-
-{%- endif %}
-
-{%- endfor %}
diff --git a/keystone/files/keystone.domain.conf b/keystone/files/keystone.domain.conf
index 00b6200..46408eb 100644
--- a/keystone/files/keystone.domain.conf
+++ b/keystone/files/keystone.domain.conf
@@ -12,6 +12,9 @@
 {%- else %}
 driver = keystone.identity.backends.sql.Identity
 {%- endif %}
+{%- if domain.get('identity',{}).list_limit is defined %}
+list_limit = {{ domain.identity.list_limit }}
+{%- endif %}
 
 [assignment]
 {%- if domain.get("assignment", {}).get("backend", "sql") == "ldap" %}
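Review bot: `domain.get('identity',{})` on L1895 mixes quote style and drops the space after the comma that the neighbouring guard `domain.get("assignment", {})` on L1900 uses; `{%- if domain.get("identity", {}).list_limit is defined %}` keeps the two uniform. The value is rendered unquoted into an integer option, so a non-numeric pillar value would presumably only surface when keystone loads the file; that is inferred from the option name, not visible in the hunk.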
diff --git a/keystone/files/keystonercv3 b/keystone/files/keystonercv3
index 4152b58..9da173c 100644
--- a/keystone/files/keystonercv3
+++ b/keystone/files/keystonercv3
@@ -1,8 +1,8 @@
 {%- from "keystone/map.jinja" import server with context %}
 export OS_IDENTITY_API_VERSION=3
 export OS_AUTH_URL=http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v3
-export OS_PROJECT_DOMAIN_NAME=default
-export OS_USER_DOMAIN_NAME=default
+export OS_PROJECT_DOMAIN_NAME=Default
+export OS_USER_DOMAIN_NAME=Default
 export OS_PROJECT_NAME={{ server.admin_tenant }}
 export OS_TENANT_NAME={{ server.admin_tenant }}
 export OS_USERNAME={{ server.admin_name }}
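Review bot: the domain names on L1911-1912 are hard-coded to `Default` while every other value in the file is rendered from `server.*` pillar data, so a deployment whose admin user or project lives in another domain would likely get an rc file pointing at the wrong domain. If the formula exposes the admin domain in pillar, render it here with the current value as fallback, e.g. `export OS_PROJECT_DOMAIN_NAME={{ server.get('<admin-domain-key>', 'Default') }}` (placeholder key) and the same for `OS_USER_DOMAIN_NAME`. The remaining exports of this file are outside the hunk.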
diff --git a/keystone/files/kilo/keystone.conf.Debian b/keystone/files/kilo/keystone.conf.Debian
index 0e59b15..09e0cec 100644
--- a/keystone/files/kilo/keystone.conf.Debian
+++ b/keystone/files/kilo/keystone.conf.Debian
@@ -1151,7 +1151,7 @@
 # The maximum body size for each  request, in bytes. (integer value)
 # Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
 # Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
 
 
 [oslo_policy]
@@ -1458,6 +1458,7 @@
 # middleware must be configured with the hash_algorithms, otherwise token
 # revocation will not be processed correctly. (string value)
 #hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
 
 
 [trust]
diff --git a/keystone/files/kilo/policy-v2.json b/keystone/files/kilo/policy-v2.json
deleted file mode 100644
index 2b88c53..0000000
--- a/keystone/files/kilo/policy-v2.json
+++ /dev/null
@@ -1,184 +0,0 @@
-{
-    "admin_required": "role:admin or is_admin:1",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner" : "user_id:%(user_id)s",
-    "admin_or_owner": "rule:admin_required or rule:owner",
-    "token_subject": "user_id:%(target.token.user_id)s",
-    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
-    "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
-    "default": "rule:admin_required",
-
-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:admin_required",
-    "identity:update_region": "rule:admin_required",
-    "identity:delete_region": "rule:admin_required",
-
-    "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
-    "identity:create_service": "rule:admin_required",
-    "identity:update_service": "rule:admin_required",
-    "identity:delete_service": "rule:admin_required",
-
-    "identity:get_endpoint": "rule:admin_required",
-    "identity:list_endpoints": "rule:admin_required",
-    "identity:create_endpoint": "rule:admin_required",
-    "identity:update_endpoint": "rule:admin_required",
-    "identity:delete_endpoint": "rule:admin_required",
-
-    "identity:get_domain": "rule:admin_required",
-    "identity:list_domains": "rule:admin_required",
-    "identity:create_domain": "rule:admin_required",
-    "identity:update_domain": "rule:admin_required",
-    "identity:delete_domain": "rule:admin_required",
-
-    "identity:get_project": "rule:admin_required",
-    "identity:list_projects": "rule:admin_required",
-    "identity:list_user_projects": "rule:admin_or_owner",
-    "identity:create_project": "rule:admin_required",
-    "identity:update_project": "rule:admin_required",
-    "identity:delete_project": "rule:admin_required",
-
-    "identity:get_user": "rule:admin_required",
-    "identity:list_users": "rule:admin_required",
-    "identity:create_user": "rule:admin_required",
-    "identity:update_user": "rule:admin_required",
-    "identity:delete_user": "rule:admin_required",
-    "identity:change_password": "rule:admin_or_owner",
-
-    "identity:get_group": "rule:admin_required",
-    "identity:list_groups": "rule:admin_required",
-    "identity:list_groups_for_user": "rule:admin_or_owner",
-    "identity:create_group": "rule:admin_required",
-    "identity:update_group": "rule:admin_required",
-    "identity:delete_group": "rule:admin_required",
-    "identity:list_users_in_group": "rule:admin_required",
-    "identity:remove_user_from_group": "rule:admin_required",
-    "identity:check_user_in_group": "rule:admin_required",
-    "identity:add_user_to_group": "rule:admin_required",
-
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-
-    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-    "identity:ec2_list_credentials": "rule:admin_or_owner",
-    "identity:ec2_create_credential": "rule:admin_or_owner",
-    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:admin_required",
-    "identity:update_role": "rule:admin_required",
-    "identity:delete_role": "rule:admin_required",
-
-    "identity:check_grant": "rule:admin_required",
-    "identity:list_grants": "rule:admin_required",
-    "identity:create_grant": "rule:admin_required",
-    "identity:revoke_grant": "rule:admin_required",
-
-    "identity:list_role_assignments": "rule:admin_required",
-
-    "identity:get_policy": "rule:admin_required",
-    "identity:list_policies": "rule:admin_required",
-    "identity:create_policy": "rule:admin_required",
-    "identity:update_policy": "rule:admin_required",
-    "identity:delete_policy": "rule:admin_required",
-
-    "identity:check_token": "rule:admin_or_token_subject",
-    "identity:validate_token": "rule:service_admin_or_token_subject",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_token_subject",
-
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:get_endpoint_group_in_project": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
-
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
-
-    "identity:create_service_provider": "rule:admin_required",
-    "identity:list_service_providers": "rule:admin_required",
-    "identity:get_service_provider": "rule:admin_required",
-    "identity:update_service_provider": "rule:admin_required",
-    "identity:delete_service_provider": "rule:admin_required",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_groups": "",
-    "identity:list_domains_for_groups": "",
-
-    "identity:list_revoke_events": "",
-
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required",
-
-    "identity:create_domain_config": "rule:admin_required",
-    "identity:get_domain_config": "rule:admin_required",
-    "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required"
-}
\ No newline at end of file
diff --git a/keystone/files/kilo/policy-v3.json b/keystone/files/kilo/policy-v3.json
deleted file mode 100644
index d0e3e64..0000000
--- a/keystone/files/kilo/policy-v3.json
+++ /dev/null
@@ -1,195 +0,0 @@
-{
-    "admin_required": "role:admin",
-    "cloud_admin": "rule:admin_required and domain_id:default",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
-    "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
-    "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
-    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
-    "service_admin_or_owner": "rule:service_or_admin or rule:owner",
-
-    "default": "rule:admin_required",
-
-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:cloud_admin",
-    "identity:update_region": "rule:cloud_admin",
-    "identity:delete_region": "rule:cloud_admin",
-
-    "identity:get_service": "rule:admin_or_cloud_admin",
-    "identity:list_services": "rule:admin_or_cloud_admin",
-    "identity:create_service": "rule:cloud_admin",
-    "identity:update_service": "rule:cloud_admin",
-    "identity:delete_service": "rule:cloud_admin",
-
-    "identity:get_endpoint": "rule:admin_or_cloud_admin",
-    "identity:list_endpoints": "rule:admin_or_cloud_admin",
-    "identity:create_endpoint": "rule:cloud_admin",
-    "identity:update_endpoint": "rule:cloud_admin",
-    "identity:delete_endpoint": "rule:cloud_admin",
-
-    "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id",
-    "identity:list_domains": "rule:cloud_admin",
-    "identity:create_domain": "rule:cloud_admin",
-    "identity:update_domain": "rule:cloud_admin",
-    "identity:delete_domain": "rule:cloud_admin",
-
-    "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
-    "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
-    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
-    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
-    "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
-    "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
-    "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
-    "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
-
-    "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
-    "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
-    "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
-    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
-    "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
-    "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
-    "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
-
-    "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
-    "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
-    "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
-    "identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_domain_id",
-    "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
-    "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-
-    "identity:ec2_get_credential": "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)",
-    "identity:ec2_list_credentials": "rule:admin_or_cloud_admin or rule:owner",
-    "identity:ec2_create_credential": "rule:admin_or_cloud_admin or rule:owner",
-    "identity:ec2_delete_credential": "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)",
-
-    "identity:get_role": "rule:admin_or_cloud_admin",
-    "identity:list_roles": "rule:admin_or_cloud_admin",
-    "identity:create_role": "rule:cloud_admin",
-    "identity:update_role": "rule:cloud_admin",
-    "identity:delete_role": "rule:cloud_admin",
-
-    "domain_admin_for_grants": "rule:admin_required and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s)",
-    "project_admin_for_grants": "rule:admin_required and project_id:%(project_id)s",
-    "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
-    "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
-    "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
-    "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
-
-    "admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s",
-    "admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",
-    "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
-
-    "identity:get_policy": "rule:cloud_admin",
-    "identity:list_policies": "rule:cloud_admin",
-    "identity:create_policy": "rule:cloud_admin",
-    "identity:update_policy": "rule:cloud_admin",
-    "identity:delete_policy": "rule:cloud_admin",
-
-    "identity:change_password": "rule:owner",
-    "identity:check_token": "rule:admin_or_owner",
-    "identity:validate_token": "rule:service_admin_or_owner",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_owner",
-
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:get_endpoint_group_in_project": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
-    "identity:create_identity_provider": "rule:cloud_admin",
-    "identity:list_identity_providers": "rule:cloud_admin",
-    "identity:get_identity_providers": "rule:cloud_admin",
-    "identity:update_identity_provider": "rule:cloud_admin",
-    "identity:delete_identity_provider": "rule:cloud_admin",
-
-    "identity:create_protocol": "rule:cloud_admin",
-    "identity:update_protocol": "rule:cloud_admin",
-    "identity:get_protocol": "rule:cloud_admin",
-    "identity:list_protocols": "rule:cloud_admin",
-    "identity:delete_protocol": "rule:cloud_admin",
-
-    "identity:create_mapping": "rule:cloud_admin",
-    "identity:get_mapping": "rule:cloud_admin",
-    "identity:list_mappings": "rule:cloud_admin",
-    "identity:delete_mapping": "rule:cloud_admin",
-    "identity:update_mapping": "rule:cloud_admin",
-
-    "identity:create_service_provider": "rule:cloud_admin",
-    "identity:list_service_providers": "rule:cloud_admin",
-    "identity:get_service_provider": "rule:cloud_admin",
-    "identity:update_service_provider": "rule:cloud_admin",
-    "identity:delete_service_provider": "rule:cloud_admin",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_groups": "",
-    "identity:list_domains_for_groups": "",
-
-    "identity:list_revoke_events": "",
-
-    "identity:create_policy_association_for_endpoint": "rule:cloud_admin",
-    "identity:check_policy_association_for_endpoint": "rule:cloud_admin",
-    "identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
-    "identity:create_policy_association_for_service": "rule:cloud_admin",
-    "identity:check_policy_association_for_service": "rule:cloud_admin",
-    "identity:delete_policy_association_for_service": "rule:cloud_admin",
-    "identity:create_policy_association_for_region_and_service": "rule:cloud_admin",
-    "identity:check_policy_association_for_region_and_service": "rule:cloud_admin",
-    "identity:delete_policy_association_for_region_and_service": "rule:cloud_admin",
-    "identity:get_policy_for_endpoint": "rule:cloud_admin",
-    "identity:list_endpoints_for_policy": "rule:cloud_admin",
-
-    "identity:create_domain_config": "rule:cloud_admin",
-    "identity:get_domain_config": "rule:cloud_admin",
-    "identity:update_domain_config": "rule:cloud_admin",
-    "identity:delete_domain_config": "rule:cloud_admin"
-}
\ No newline at end of file
diff --git a/keystone/files/liberty/keystone.conf.Debian b/keystone/files/liberty/keystone.conf.Debian
index 05d0493..2a91c8c 100644
--- a/keystone/files/liberty/keystone.conf.Debian
+++ b/keystone/files/liberty/keystone.conf.Debian
@@ -309,10 +309,13 @@
 {% if server.auth_methods is defined %}
 methods = {{ server.auth_methods |join(',') }}
 {%- endif %}
-{% if server.websso is defined %}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
-{%- endif %}
 
+{%- if server.get('federation', {}).oidc is defined %}
+{{ server.federation.oidc.protocol }} = keystone.auth.plugins.mapped.Mapped
+{%- endif %}
+{%- if server.get('federation', {}).saml2 is defined %}
+{{ server.federation.saml2.protocol }} = keystone.auth.plugins.mapped.Mapped
+{%- endif %}
 # Entrypoint for the password auth plugin module in the keystone.auth.password
 # namespace. (string value)
 #password = <None>
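Review bot: The two new `[auth]` entries register the mapped plugin under `server.federation.oidc.protocol` and `server.federation.saml2.protocol`, but the `methods` list a few lines up is still driven only by `server.auth_methods`, so a pillar that enables a federation protocol without also listing it in `auth_methods` produces a plugin Keystone never offers as an auth method — a silent misconfiguration. The `.oidc is defined` guard also accepts any value under that key, so an `oidc` mapping without a `protocol` entry presumably fails at render time (or emits an empty key) rather than being caught at the pillar. A comment above the block, `# the protocol name must also appear in server.auth_methods for the plugin to be usable`, or appending the defined protocols to the `methods` line, would close the gap; the enclosing `[auth]` section starts outside the hunk.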
@@ -330,11 +333,6 @@
 # namespace. (string value)
 #oauth1 = <None>
 
-{% if server.websso is defined %}
-[{{ server.websso.protocol }}]
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
-{%- endif %}
-
 [cache]
 
 #
@@ -786,6 +784,15 @@
 # Its value may be silently ignored in the future.
 #cert_required = false
 
+{%- if server.get('federation', {}).saml2 is defined %}
+[{{ server.federation.saml2.protocol }}]
+remote_id_attribute = {{ server.federation.saml2.remote_id_attribute }}
+{%- endif %}
+
+{%- if server.get('federation', {}).oidc is defined %}
+[{{ server.federation.oidc.protocol }}]
+remote_id_attribute = {{ server.federation.oidc.remote_id_attribute }}
+{%- endif %}
 
 [federation]
 
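Review bot: The `[{{ server.federation.oidc.protocol }}]` section takes `remote_id_attribute` from the pillar, while the Apache side of this same diff (keystone/files/liberty/wsgi-keystone.conf) hard-codes `SetEnv HTTP_OIDC_ISS ...`; the two must name the same variable for the identity provider to be matched, and nothing here ties them together. A comment such as `# must match the environment variable set by the Apache auth module (see wsgi-keystone.conf)` above the two `remote_id_attribute` lines would document the dependency, or `HTTP_OIDC_ISS` could serve as the fallback for the oidc case. These sections are also inserted into the tail of the preceding section rather than adjacent to `[federation]`, which makes them easy to miss in the rendered file.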
@@ -796,8 +803,8 @@
 # Entrypoint for the federation backend driver in the keystone.federation
 # namespace. (string value)
 #driver = sql
-{% if server.websso is defined %}
-driver = {{ server.websso.federation_driver }}
+{%- if server.get('federation', {}).federation_driver is defined %}
+driver = {{ server.federation.federation_driver }}
 {%- endif %}
 
 # Value to be used when filtering assertion parameters from the environment.
@@ -814,6 +821,9 @@
 # this name or update an existing domain to this name. You are not advised to
 # change this value unless you really have to. (string value)
 #federated_domain_name = Federated
+{%- if server.get('federation', {}).federated_domain_name is defined %}
+federated_domain_name = {{ server.federation.federated_domain_name }}
+{%- endif %}
 
 # A list of trusted dashboard hosts. Before accepting a Single Sign-On request
 # to return a token, the origin host must be a member of the trusted_dashboard
@@ -821,13 +831,11 @@
 # example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com
 # (multi valued)
 #trusted_dashboard =
-{%- if server.websso is defined %}
-{%- if server.websso.trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.get('federation', {}).trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
 trusted_dashboard = {{ dashboard }}
 {%- endfor %}
 {%- endif %}
-{%- endif %}
 
 # Location of Single Sign-On callback handler, will return a token to a trusted
 # dashboard host. (string value)
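Review bot: The new guard `server.get('federation', {}).trusted_dashboard is defined` followed by `{%- for dashboard in server.federation.trusted_dashboard %}` accepts a scalar as well as a list, and a single URL supplied as a plain string would be iterated character by character, emitting one `trusted_dashboard = <char>` line per character; since, per the comment above, every listed origin may receive a token from the SSO callback, this setting deserves a stricter shape. Either document in the README that the key must be a list of full origins (`scheme://host[:port]`), or wrap the value so a string is treated as a one-element list. Collapsing the nested `websso` conditions into a single guard is otherwise an improvement.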
@@ -1336,7 +1344,7 @@
 # The maximum body size for each  request, in bytes. (integer value)
 # Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
 # Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
 
 #
 # From oslo.middleware
@@ -1672,6 +1680,7 @@
 # middleware must be configured with the hash_algorithms, otherwise token
 # revocation will not be processed correctly. (string value)
 #hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
 
 
 [tokenless_auth]
diff --git a/keystone/files/liberty/policy-v2.json b/keystone/files/liberty/policy-v2.json
deleted file mode 100644
index ebb94b0..0000000
--- a/keystone/files/liberty/policy-v2.json
+++ /dev/null
@@ -1,184 +0,0 @@
-{
-    "admin_required": "role:admin or is_admin:1",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner" : "user_id:%(user_id)s",
-    "admin_or_owner": "rule:admin_required or rule:owner",
-    "token_subject": "user_id:%(target.token.user_id)s",
-    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
-    "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
-    "default": "rule:admin_required",
-
-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:admin_required",
-    "identity:update_region": "rule:admin_required",
-    "identity:delete_region": "rule:admin_required",
-
-    "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
-    "identity:create_service": "rule:admin_required",
-    "identity:update_service": "rule:admin_required",
-    "identity:delete_service": "rule:admin_required",
-
-    "identity:get_endpoint": "rule:admin_required",
-    "identity:list_endpoints": "rule:admin_required",
-    "identity:create_endpoint": "rule:admin_required",
-    "identity:update_endpoint": "rule:admin_required",
-    "identity:delete_endpoint": "rule:admin_required",
-
-    "identity:get_domain": "rule:admin_required",
-    "identity:list_domains": "rule:admin_required",
-    "identity:create_domain": "rule:admin_required",
-    "identity:update_domain": "rule:admin_required",
-    "identity:delete_domain": "rule:admin_required",
-
-    "identity:get_project": "rule:admin_required",
-    "identity:list_projects": "rule:admin_required",
-    "identity:list_user_projects": "rule:admin_or_owner",
-    "identity:create_project": "rule:admin_required",
-    "identity:update_project": "rule:admin_required",
-    "identity:delete_project": "rule:admin_required",
-
-    "identity:get_user": "rule:admin_required",
-    "identity:list_users": "rule:admin_required",
-    "identity:create_user": "rule:admin_required",
-    "identity:update_user": "rule:admin_required",
-    "identity:delete_user": "rule:admin_required",
-    "identity:change_password": "rule:admin_or_owner",
-
-    "identity:get_group": "rule:admin_required",
-    "identity:list_groups": "rule:admin_required",
-    "identity:list_groups_for_user": "rule:admin_or_owner",
-    "identity:create_group": "rule:admin_required",
-    "identity:update_group": "rule:admin_required",
-    "identity:delete_group": "rule:admin_required",
-    "identity:list_users_in_group": "rule:admin_required",
-    "identity:remove_user_from_group": "rule:admin_required",
-    "identity:check_user_in_group": "rule:admin_required",
-    "identity:add_user_to_group": "rule:admin_required",
-
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-
-    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-    "identity:ec2_list_credentials": "rule:admin_or_owner",
-    "identity:ec2_create_credential": "rule:admin_or_owner",
-    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:admin_required",
-    "identity:update_role": "rule:admin_required",
-    "identity:delete_role": "rule:admin_required",
-
-    "identity:check_grant": "rule:admin_required",
-    "identity:list_grants": "rule:admin_required",
-    "identity:create_grant": "rule:admin_required",
-    "identity:revoke_grant": "rule:admin_required",
-
-    "identity:list_role_assignments": "rule:admin_required",
-
-    "identity:get_policy": "rule:admin_required",
-    "identity:list_policies": "rule:admin_required",
-    "identity:create_policy": "rule:admin_required",
-    "identity:update_policy": "rule:admin_required",
-    "identity:delete_policy": "rule:admin_required",
-
-    "identity:check_token": "rule:admin_or_token_subject",
-    "identity:validate_token": "rule:service_admin_or_token_subject",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_token_subject",
-
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:get_endpoint_group_in_project": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
-
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
-
-    "identity:create_service_provider": "rule:admin_required",
-    "identity:list_service_providers": "rule:admin_required",
-    "identity:get_service_provider": "rule:admin_required",
-    "identity:update_service_provider": "rule:admin_required",
-    "identity:delete_service_provider": "rule:admin_required",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_groups": "",
-    "identity:list_domains_for_groups": "",
-
-    "identity:list_revoke_events": "",
-
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required",
-
-    "identity:create_domain_config": "rule:admin_required",
-    "identity:get_domain_config": "rule:admin_required",
-    "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required"
-}
diff --git a/keystone/files/liberty/wsgi-keystone.conf b/keystone/files/liberty/wsgi-keystone.conf
index beaf74b..c461e3a 100644
--- a/keystone/files/liberty/wsgi-keystone.conf
+++ b/keystone/files/liberty/wsgi-keystone.conf
@@ -1,27 +1,99 @@
 {%- from "keystone/map.jinja" import server with context %}
 {%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
-Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
-Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
+{% macro setup_oidc() -%}
+    SetEnv HTTP_OIDC_ISS {{ server.federation.oidc.remote_id_attribute_value }}
+    {% if server.federation.oidc.oidc_claim_prefix is defined %}
+    OIDCClaimPrefix "{{ server.federation.oidc.oidc_claim_prefix }}"
+    {%- endif %}
+    OIDCClientID "{{ server.federation.oidc.oidc_client_id}}"
+    {% if server.federation.oidc.oidc_client_secret is defined %}
+    OIDCClientSecret "{{ server.federation.oidc.oidc_client_secret }}"
+    {%- endif %}
+    OIDCCryptoPassphrase "{{ server.federation.oidc.oidc_crypto_passphrase }}"
+    OIDCRedirectURI "{{ server.federation.oidc.oidc_redirect_uri }}"
+    {% if server.federation.oidc.oidc_provider_metadata_url is defined %}
+    OIDCProviderMetadataURL "{{ server.federation.oidc.oidc_provider_metadata_url }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_response_type is defined %}
+    OIDCResponseType "{{ server.federation.oidc.oidc_response_type }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_scope is defined %}
+    OIDCScope "{{ server.federation.oidc.oidc_scope }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_ssl_validate_server is defined %}
+    OIDCSSLValidateServer "{{ server.federation.oidc.oidc_ssl_validate_server }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_ssl_validate_server is defined %}
+    OIDCOAuthSSLValidateServer "{{ server.federation.oidc.oidc_oauth_ssl_validate_server }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_introspection_endpoint is defined %}
+    OIDCOAuthIntrospectionEndpoint "{{ server.federation.oidc.oidc_oauth_introspection_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_introspection_token_param_name is defined %}
+    OIDCOAuthIntrospectionTokenParamName "{{ server.federation.oidc.oidc_oauth_introspection_token_param_name }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_remote_user_claim is defined %}
+    OIDCOAuthRemoteUserClaim "{{ server.federation.oidc.oidc_oauth_remote_user_claim }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_verify_jwks_uri is defined %}
+    OIDCOAuthVerifyJwksUri "{{ server.federation.oidc.oidc_oauth_verify_jwks_uri }}"
+    {%- endif %}
+    {% if server.federation.oidc.odic_token_iat_slack is defined %}
+    OIDCIDTokenIatSlack "{{ server.federation.oidc.odic_token_iat_slack }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_issuer is defined %}
+    OIDCProviderIssuer "{{ server.federation.oidc.oidc_provider_issuer }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_authorization_endpoint is defined %}
+    OIDCProviderAuthorizationEndpoint "{{ server.federation.oidc.oidc_provider_authorization_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_token_endpoint is defined %}
+    OIDCProviderTokenEndpoint "{{ server.federation.oidc.oidc_provider_token_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_token_endpoint_auth is defined %}
+    OIDCProviderTokenEndpointAuth "{{ server.federation.oidc.oidc_provider_token_endpoint_auth }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_user_info_endpoint is defined %}
+    OIDCProviderUserInfoEndpoint "{{ server.federation.oidc.oidc_provider_user_info_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_jwks_uri is defined %}
+    OIDCProviderJwksUri "{{ server.federation.oidc.oidc_provider_jwks_uri }}"
+    {%- endif %}
+    {%- if server.federation.oidc.oidc_oauth_verify_shared_keys is defined %}
+    {%- set shared_keys_list = [] %}
+    {%- for shared_key_def in server.federation.oidc.oidc_oauth_verify_shared_keys %}
+    {%- do shared_keys_list.append("\""+shared_key_def.type+"#"+shared_key_def.kid+"#"+shared_key_def.key+"\"") %}
+    {%- endfor %}
+    OIDCOAuthVerifySharedKeys {{ shared_keys_list|join(" ") }}
+    {%- endif %}
+    {%- if server.federation.oidc.oidc_oauth_verify_cert_files is defined %}
+    {%- set cert_files_list = [] %}
+    {%- for cert_file_def in server.federation.oidc.oidc_oauth_verify_cert_files %}
+    {%- do cert_files_list.append("\""+cert_file_def.kid+"#"+cert_file_def.filename+"\"") %}
+    {%- endfor %}
+    OIDCOAuthVerifyCertFiles {{ cert_files_list|join(" ") }}
+    {%- endif %}
 
-<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000>
-{%- include "apache/files/_name.conf" %}
-{%- include "apache/files/_ssl.conf" %}
-{%- include "apache/files/_locations.conf" %}
-
-    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
-    WSGIProcessGroup keystone-public
-    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-    ErrorLogFormat "%{cu}t %M"
-{%- include "apache/files/_log.conf" %}
-
-    <Directory /usr/bin>
-      Require all granted
-    </Directory>
-
-    {% if server.websso is defined %}
-    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
+    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
+      AuthType oauth20
+      Require valid-user
+    </LocationMatch>
+    <LocationMatch "/v3/auth/OS-FEDERATION/websso/oidc">
+      AuthType openid-connect
+      Require valid-user
+    </LocationMatch>
+    <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso">
+      AuthType openid-connect
+      Require valid-user
+    </LocationMatch>
+{% endmacro -%}
+{% macro setup_saml2() -%}
+    {% if server.federation.saml2.shib_url_scheme is defined %}
+    ShibURLScheme {{ server.federation.saml2.shib_url_scheme }}
+    {%- endif %}
+    {% if server.federation.saml2.shib_compat_valid_user is defined %}
+    ShibCompatValidUser {{ server.federation.saml2.shib_compat_valid_user }}
+    {%- endif %}
     <Location /Shibboleth.sso>
       SetHandler shib
     </Location>
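Review bot: The pillar key read for the IAT-slack directive is misspelled — `server.federation.oidc.odic_token_iat_slack` (`odic`, not `oidc`) — so a pillar that follows the naming of every other key in this macro, `oidc_token_iat_slack`, silently emits no `OIDCIDTokenIatSlack` and the clock-skew tolerance stays at the module default; the mitaka copy of `setup_oidc()` further down carries the same typo. Change both lines to `{% if server.federation.oidc.oidc_token_iat_slack is defined %}` / `OIDCIDTokenIatSlack "{{ server.federation.oidc.oidc_token_iat_slack }}"`. `OIDCClientSecret`, `OIDCCryptoPassphrase` and the `OIDCOAuthVerifySharedKeys` material are rendered in clear into the Apache site file; the mode applied by the managing state is not in this hunk, so it is worth confirming the rendered file is not world-readable. Also `oidc_client_id}}` lacks the space before the closing braces that every other substitution has.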
@@ -43,6 +115,34 @@
       ShibExportAssertion Off
       Require valid-user
     </LocationMatch>
+{% endmacro -%}
+
+Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
+Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
+
+<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000>
+{%- include "apache/files/_name.conf" %}
+{%- include "apache/files/_ssl.conf" %}
+{%- include "apache/files/_locations.conf" %}
+
+    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIProcessGroup keystone-public
+    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    ErrorLogFormat "%{cu}t %M"
+{%- include "apache/files/_log.conf" %}
+
+    <Directory /usr/bin>
+      Require all granted
+    </Directory>
+
+    {% if server.get('federation', {}).saml2 is defined %}
+    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
+    {{ setup_saml2() }}
+    {%- endif %}
+    {% if server.get('federation', {}).oidc is defined %}
+    {{ setup_oidc() }}
     {%- endif %}
 
 </VirtualHost>
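Review bot: `WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ ...` is emitted only inside the `saml2` branch, yet `setup_oidc()` protects `/v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth` with `AuthType oauth20`, so an OIDC-only pillar never gets that alias. If the alias is needed for the federated auth path regardless of protocol (the pattern itself is protocol-agnostic), it should move out of the `saml2` branch under a `{% if server.federation is defined %}` guard; the admin VirtualHost hunk below and the mitaka public-VirtualHost hunk have the same split. Separately, the guard changed from `server.websso` to `server.get('federation', {})`, so an existing pillar still using `keystone:server:websso` now renders with no federation locations and no error; a comment noting the rename, or a transitional fallback to the old key, would avoid silently dropping that configuration.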
@@ -64,29 +164,13 @@
       Require all granted
     </Directory>
 
-    {% if server.websso is defined %}
+    {% if server.get('federation', {}).saml2 is defined %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
-    <Location /Shibboleth.sso>
-      SetHandler shib
-    </Location>
-    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
+    {{ setup_saml2() }}
+    {%- endif %}
+
+    {% if server.get('federation', {}).oidc is defined %}
+    {{ setup_oidc() }}
     {%- endif %}
 
 </VirtualHost>
diff --git a/keystone/files/mitaka/keystone.conf.Debian b/keystone/files/mitaka/keystone.conf.Debian
index 28991a4..18d6f2b 100644
--- a/keystone/files/mitaka/keystone.conf.Debian
+++ b/keystone/files/mitaka/keystone.conf.Debian
@@ -1,4 +1,4 @@
-{% from "keystone/map.jinja" import server with context %}
+{% from "keystone/map.jinja" import server, system_cacerts_file with context %}
 [DEFAULT]
 
 #
@@ -357,8 +357,12 @@
 {% if server.auth_methods is defined %}
 methods = {{ server.auth_methods |join(',') }}
 {%- endif %}
-{% if server.websso is defined %}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
+
+{%- if server.get('federation', {}).oidc is defined %}
+{{ server.federation.oidc.protocol }} = keystone.auth.plugins.mapped.Mapped
+{%- endif %}
+{%- if server.get('federation', {}).saml2 is defined %}
+{{ server.federation.saml2.protocol }} = keystone.auth.plugins.mapped.Mapped
 {%- endif %}
 
 # Entrypoint for the password auth plugin module in the keystone.auth.password
@@ -597,7 +601,7 @@
 # Deprecated group/name - [DATABASE]/sql_connection
 # Deprecated group/name - [sql]/connection
 #connection = <None>
-connection={{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection={{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 # The SQLAlchemy connection string to use to connect to the slave database.
 # (string value)
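Review bot: The new `?ssl_ca=` suffix is the only TLS parameter added, and whether the server certificate is actually verified against it depends on the DB-API driver behind `server.database.engine`, which is not visible here. A comment on the line, `{# ssl_ca enables TLS to the DB; verification behaviour depends on the driver named in database.engine #}`, would tell the next maintainer what the pillar key does and does not guarantee. The credentials in the URL are unchanged by this commit, but note the rendered file now carries both the password and the CA path, so its permissions matter as before.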
@@ -848,6 +852,15 @@
 # Its value may be silently ignored in the future.
 #cert_required = false
 
+{%- if server.get('federation', {}).saml2 is defined %}
+[{{ server.federation.saml2.protocol }}]
+remote_id_attribute = {{ server.federation.saml2.remote_id_attribute }}
+{%- endif %}
+
+{%- if server.get('federation', {}).oidc is defined %}
+[{{ server.federation.oidc.protocol }}]
+remote_id_attribute = {{ server.federation.oidc.remote_id_attribute }}
+{%- endif %}
 
 [federation]
 
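Review bot: `remote_id_attribute = {{ server.federation.oidc.remote_id_attribute }}` and the `SetEnv HTTP_OIDC_ISS {{ server.federation.oidc.remote_id_attribute_value }}` line in the wsgi template are two halves of one setting — the environment variable keystone reads and the value Apache injects — and nothing in this hunk says so. A comment above the section, `{# must name the variable set by SetEnv in wsgi-keystone.conf #}`, would keep the two pillar keys from drifting apart. If `oidc.protocol` and `saml2.protocol` ever resolve to the same name the file gets two identical `[{{ protocol }}]` sections; a short comment that the names must differ is enough.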
@@ -858,8 +871,8 @@
 # Entrypoint for the federation backend driver in the keystone.federation
 # namespace. (string value)
 #driver = sql
-{%- if server.get('websso', {}).federation_driver is defined %}
-driver = {{ server.websso.federation_driver }}
+{%- if server.get('federation', {}).federation_driver is defined %}
+driver = {{ server.federation.federation_driver }}
 {%- endif %}
 
 # Value to be used when filtering assertion parameters from the environment.
@@ -870,17 +883,14 @@
 # environment (e.g. if using the mod_shib plugin this value is `Shib-Identity-
 # Provider`). (string value)
 #remote_id_attribute = <None>
-{%- if server.websso is defined %}
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
-{%- endif %}
 
 # A domain name that is reserved to allow federated ephemeral users to have a
 # domain concept. Note that an admin will not be able to create a domain with
 # this name or update an existing domain to this name. You are not advised to
 # change this value unless you really have to. (string value)
 #federated_domain_name = Federated
-{%- if server.get('websso', {}).federated_domain_name is defined %}
-federated_domain_name = {{ server.websso.federated_domain_name }}
+{%- if server.get('federation', {}).federated_domain_name is defined %}
+federated_domain_name = {{ server.federation.federated_domain_name }}
 {%- endif %}
 
 # A list of trusted dashboard hosts. Before accepting a Single Sign-On request
@@ -889,8 +899,8 @@
 # example: trusted_dashboard=http://acme.com/auth/websso
 # trusted_dashboard=http://beta.com/auth/websso (multi valued)
 #trusted_dashboard =
-{%- if server.get('websso', {}).trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.get('federation', {}).trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
 trusted_dashboard = {{ dashboard }}
 {%- endfor %}
 {%- endif %}
@@ -1567,14 +1577,31 @@
 # Allowed values: round-robin, shuffle
 #kombu_failover_strategy = round-robin
 
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if server.message_queue.members is defined %}
 rabbit_hosts = {% for member in server.message_queue.members -%}
-                   {{ member.host }}:{{ member.get('port', 5672) }}
+                   {{ member.host }}:{{ member.get('port', rabbit_port) }}
                    {%- if not loop.last -%},{%- endif -%}
                {%- endfor -%}
 {%- else %}
 rabbit_host = {{ server.message_queue.host }}
-rabbit_port = {{ server.message_queue.port }}
+rabbit_port = {{ rabbit_port }}
+{%- endif %}
+
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if server.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
 {%- endif %}
 
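Review bot: When `server.message_queue.ssl.version` is unset and the `pythonversion` grain is at or below `[2,7,8]`, no `kombu_ssl_version` is written at all, so the TLS version silently falls back to the library default of that distribution; that branch deserves a comment, e.g. `{#- no TLSv1_2 on this Python; library default applies #}` before the `{%- endif %}`. The assignment style is inconsistent within the new block: `rabbit_use_ssl=true` and `kombu_ssl_ca_certs={{ system_cacerts_file }}` have no spaces while `kombu_ssl_version = ...` and `kombu_ssl_ca_certs = ...` do. `server.message_queue.get('ssl',{}).get('enabled', False)` is evaluated twice (for `rabbit_port` and for the block); a `{%- set rabbit_ssl = ... %}` next to `rabbit_port` would keep the two in step.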
 # RabbitMQ HA cluster host:port pairs. (list value)
@@ -1764,7 +1791,7 @@
 # The maximum body size for each  request, in bytes. (integer value)
 # Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
 # Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
 
 # The HTTP Header that will be used to determine what the original request
 # protocol scheme was, even if it was hidden by an SSL termination proxy.
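Review bot: `max_request_body_size= {{ server.max_request_body_size }}` replaces a commented default with an unconditional substitution, so rendering now fails on any pillar that lacks the key unless `map.jinja` supplies a default (not visible here); the `hash_algorithm = {{ server.hash_algorithm }}` line in the next hunk has the same dependency. If the defaults live in `map.jinja`, a comment such as `# default comes from keystone/map.jinja` on each line would make that clear; otherwise guard them with `{%- if server.max_request_body_size is defined %}` as the neighbouring options do. The spacing `size= {{` also differs from the `key = value` form used elsewhere in the file.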
@@ -2158,6 +2185,7 @@
 # Reason: PKI token support has been deprecated in the M release and will be
 # removed in the O release. Fernet or UUID tokens are recommended.
 #hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
 
 # Add roles to token that are not explicitly added, but that are linked
 # implicitly to other roles. (boolean value)
diff --git a/keystone/files/mitaka/policy-v2.json b/keystone/files/mitaka/policy-v2.json
deleted file mode 100644
index 797af24..0000000
--- a/keystone/files/mitaka/policy-v2.json
+++ /dev/null
@@ -1,198 +0,0 @@
-{
-    "admin_required": "role:admin or is_admin:1",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner" : "user_id:%(user_id)s",
-    "admin_or_owner": "rule:admin_required or rule:owner",
-    "token_subject": "user_id:%(target.token.user_id)s",
-    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
-    "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
-    "default": "rule:admin_required",
-
-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:admin_required",
-    "identity:update_region": "rule:admin_required",
-    "identity:delete_region": "rule:admin_required",
-
-    "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
-    "identity:create_service": "rule:admin_required",
-    "identity:update_service": "rule:admin_required",
-    "identity:delete_service": "rule:admin_required",
-
-    "identity:get_endpoint": "rule:admin_required",
-    "identity:list_endpoints": "rule:admin_required",
-    "identity:create_endpoint": "rule:admin_required",
-    "identity:update_endpoint": "rule:admin_required",
-    "identity:delete_endpoint": "rule:admin_required",
-
-    "identity:get_domain": "rule:admin_required",
-    "identity:list_domains": "rule:admin_required",
-    "identity:create_domain": "rule:admin_required",
-    "identity:update_domain": "rule:admin_required",
-    "identity:delete_domain": "rule:admin_required",
-
-    "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
-    "identity:list_projects": "rule:admin_required",
-    "identity:list_user_projects": "rule:admin_or_owner",
-    "identity:create_project": "rule:admin_required",
-    "identity:update_project": "rule:admin_required",
-    "identity:delete_project": "rule:admin_required",
-
-    "identity:get_user": "rule:admin_required",
-    "identity:list_users": "rule:admin_required",
-    "identity:create_user": "rule:admin_required",
-    "identity:update_user": "rule:admin_required",
-    "identity:delete_user": "rule:admin_required",
-    "identity:change_password": "rule:admin_or_owner",
-
-    "identity:get_group": "rule:admin_required",
-    "identity:list_groups": "rule:admin_required",
-    "identity:list_groups_for_user": "rule:admin_or_owner",
-    "identity:create_group": "rule:admin_required",
-    "identity:update_group": "rule:admin_required",
-    "identity:delete_group": "rule:admin_required",
-    "identity:list_users_in_group": "rule:admin_required",
-    "identity:remove_user_from_group": "rule:admin_required",
-    "identity:check_user_in_group": "rule:admin_required",
-    "identity:add_user_to_group": "rule:admin_required",
-
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-
-    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-    "identity:ec2_list_credentials": "rule:admin_or_owner",
-    "identity:ec2_create_credential": "rule:admin_or_owner",
-    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:admin_required",
-    "identity:update_role": "rule:admin_required",
-    "identity:delete_role": "rule:admin_required",
-    "identity:get_domain_role": "rule:admin_required",
-    "identity:list_domain_roles": "rule:admin_required",
-    "identity:create_domain_role": "rule:admin_required",
-    "identity:update_domain_role": "rule:admin_required",
-    "identity:delete_domain_role": "rule:admin_required",
-
-    "identity:get_implied_role": "rule:admin_required ",
-    "identity:list_implied_roles": "rule:admin_required",
-    "identity:create_implied_role": "rule:admin_required",
-    "identity:delete_implied_role": "rule:admin_required",
-    "identity:list_role_inference_rules": "rule:admin_required",
-    "identity:check_implied_role": "rule:admin_required",
-
-    "identity:check_grant": "rule:admin_required",
-    "identity:list_grants": "rule:admin_required",
-    "identity:create_grant": "rule:admin_required",
-    "identity:revoke_grant": "rule:admin_required",
-
-    "identity:list_role_assignments": "rule:admin_required",
-    "identity:list_role_assignments_for_tree": "rule:admin_required",
-
-    "identity:get_policy": "rule:admin_required",
-    "identity:list_policies": "rule:admin_required",
-    "identity:create_policy": "rule:admin_required",
-    "identity:update_policy": "rule:admin_required",
-    "identity:delete_policy": "rule:admin_required",
-
-    "identity:check_token": "rule:admin_or_token_subject",
-    "identity:validate_token": "rule:service_admin_or_token_subject",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_token_subject",
-
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:get_endpoint_group_in_project": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
-
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
-
-    "identity:create_service_provider": "rule:admin_required",
-    "identity:list_service_providers": "rule:admin_required",
-    "identity:get_service_provider": "rule:admin_required",
-    "identity:update_service_provider": "rule:admin_required",
-    "identity:delete_service_provider": "rule:admin_required",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_groups": "",
-    "identity:list_domains_for_groups": "",
-
-    "identity:list_revoke_events": "",
-
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required",
-
-    "identity:create_domain_config": "rule:admin_required",
-    "identity:get_domain_config": "rule:admin_required",
-    "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required",
-    "identity:get_domain_config_default": "rule:admin_required"
-}
diff --git a/keystone/files/mitaka/wsgi-keystone.conf b/keystone/files/mitaka/wsgi-keystone.conf
index 763672d..3c18ef8 100644
--- a/keystone/files/mitaka/wsgi-keystone.conf
+++ b/keystone/files/mitaka/wsgi-keystone.conf
@@ -1,5 +1,122 @@
 {%- from "keystone/map.jinja" import server with context %}
 {%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
+{% macro setup_oidc() -%}
+    SetEnv HTTP_OIDC_ISS {{ server.federation.oidc.remote_id_attribute_value }}
+    {% if server.federation.oidc.oidc_claim_prefix is defined %}
+    OIDCClaimPrefix "{{ server.federation.oidc.oidc_claim_prefix }}"
+    {%- endif %}
+    OIDCClientID "{{ server.federation.oidc.oidc_client_id}}"
+    {% if server.federation.oidc.oidc_client_secret is defined %}
+    OIDCClientSecret "{{ server.federation.oidc.oidc_client_secret }}"
+    {%- endif %}
+    OIDCCryptoPassphrase "{{ server.federation.oidc.oidc_crypto_passphrase }}"
+    OIDCRedirectURI "{{ server.federation.oidc.oidc_redirect_uri }}"
+    {% if server.federation.oidc.oidc_provider_metadata_url is defined %}
+    OIDCProviderMetadataURL "{{ server.federation.oidc.oidc_provider_metadata_url }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_response_type is defined %}
+    OIDCResponseType "{{ server.federation.oidc.oidc_response_type }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_scope is defined %}
+    OIDCScope "{{ server.federation.oidc.oidc_scope }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_ssl_validate_server is defined %}
+    OIDCSSLValidateServer "{{ server.federation.oidc.oidc_ssl_validate_server }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_ssl_validate_server is defined %}
+    OIDCOAuthSSLValidateServer "{{ server.federation.oidc.oidc_oauth_ssl_validate_server }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_introspection_endpoint is defined %}
+    OIDCOAuthIntrospectionEndpoint "{{ server.federation.oidc.oidc_oauth_introspection_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_introspection_token_param_name is defined %}
+    OIDCOAuthIntrospectionTokenParamName "{{ server.federation.oidc.oidc_oauth_introspection_token_param_name }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_remote_user_claim is defined %}
+    OIDCOAuthRemoteUserClaim "{{ server.federation.oidc.oidc_oauth_remote_user_claim }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_verify_jwks_uri is defined %}
+    OIDCOAuthVerifyJwksUri "{{ server.federation.oidc.oidc_oauth_verify_jwks_uri }}"
+    {%- endif %}
+    {% if server.federation.oidc.odic_token_iat_slack is defined %}
+    OIDCIDTokenIatSlack "{{ server.federation.oidc.odic_token_iat_slack }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_issuer is defined %}
+    OIDCProviderIssuer "{{ server.federation.oidc.oidc_provider_issuer }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_authorization_endpoint is defined %}
+    OIDCProviderAuthorizationEndpoint "{{ server.federation.oidc.oidc_provider_authorization_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_token_endpoint is defined %}
+    OIDCProviderTokenEndpoint "{{ server.federation.oidc.oidc_provider_token_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_token_endpoint_auth is defined %}
+    OIDCProviderTokenEndpointAuth "{{ server.federation.oidc.oidc_provider_token_endpoint_auth }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_user_info_endpoint is defined %}
+    OIDCProviderUserInfoEndpoint "{{ server.federation.oidc.oidc_provider_user_info_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_jwks_uri is defined %}
+    OIDCProviderJwksUri "{{ server.federation.oidc.oidc_provider_jwks_uri }}"
+    {%- endif %}
+    {%- if server.federation.oidc.oidc_oauth_verify_shared_keys is defined %}
+    {%- set shared_keys_list = [] %}
+    {%- for shared_key_def in server.federation.oidc.oidc_oauth_verify_shared_keys %}
+    {%- do shared_keys_list.append("\""+shared_key_def.type+"#"+shared_key_def.kid+"#"+shared_key_def.key+"\"") %}
+    {%- endfor %}
+    OIDCOAuthVerifySharedKeys {{ shared_keys_list|join(" ") }}
+    {%- endif %}
+    {%- if server.federation.oidc.oidc_oauth_verify_cert_files is defined %}
+    {%- set cert_files_list = [] %}
+    {%- for cert_file_def in server.federation.oidc.oidc_oauth_verify_cert_files %}
+    {%- do cert_files_list.append("\""+cert_file_def.kid+"#"+cert_file_def.filename+"\"") %}
+    {%- endfor %}
+    OIDCOAuthVerifyCertFiles {{ cert_files_list|join(" ") }}
+    {%- endif %}
+
+    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
+      AuthType oauth20
+      Require valid-user
+    </LocationMatch>
+    <LocationMatch "/v3/auth/OS-FEDERATION/websso/oidc">
+      AuthType openid-connect
+      Require valid-user
+    </LocationMatch>
+    <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso">
+      AuthType openid-connect
+      Require valid-user
+    </LocationMatch>
+{% endmacro -%}
+{% macro setup_saml2() -%}
+    {% if server.federation.saml2.shib_url_scheme is defined %}
+    ShibURLScheme {{ server.federation.saml2.shib_url_scheme }}
+    {%- endif %}
+    {% if server.federation.saml2.shib_compat_valid_user is defined %}
+    ShibCompatValidUser {{ server.federation.saml2.shib_compat_valid_user }}
+    {%- endif %}
+    <Location /Shibboleth.sso>
+      SetHandler shib
+    </Location>
+    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
+      ShibRequestSetting requireSession 1
+      AuthType shibboleth
+      ShibExportAssertion Off
+      Require valid-user
+    </LocationMatch>
+    <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
+      ShibRequestSetting requireSession 1
+      AuthType shibboleth
+      ShibExportAssertion Off
+      Require valid-user
+    </LocationMatch>
+    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
+      ShibRequestSetting requireSession 1
+      AuthType shibboleth
+      ShibExportAssertion Off
+      Require valid-user
+    </LocationMatch>
+{% endmacro -%}
+
 Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
 Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
 
@@ -8,7 +125,7 @@
 {%- include "apache/files/_ssl.conf" %}
 {%- include "apache/files/_locations.conf" %}
 
-    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIDaemonProcess keystone-public processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
     WSGIProcessGroup keystone-public
     WSGIScriptAlias / /usr/bin/keystone-wsgi-public
     WSGIApplicationGroup %{GLOBAL}
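Review bot: `processes={{ grains.num_cpus }}` renders as `processes=` and breaks the Apache config when the `num_cpus` grain is absent, and because the same expression is used for keystone-admin in the hunk below (and for both VirtualHosts in keystone/files/newton/wsgi-keystone.conf) a host now runs 2×num_cpus single-threaded WSGI processes with no way to tune that from pillar. Keep the previous value as the fallback, `processes={{ grains.get('num_cpus', 5) }}`, and add a comment that the count applies per VirtualHost.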
@@ -29,34 +146,23 @@
         </IfVersion>
     </Directory>
 
-    {% if server.websso is defined %}
-    {% if server.websso.shib_url_scheme is defined %}
-    ShibURLScheme {{ server.websso.shib_url_scheme }}
-    {%- endif %}
+    {% if server.get('federation', {}).saml2 is defined %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
-    <Location /Shibboleth.sso>
-      SetHandler shib
-    </Location>
-    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
+    {{ setup_saml2() }}
+    {%- endif %}
+    {% if server.get('federation', {}).oidc is defined %}
+    {{ setup_oidc() }}
     {%- endif %}
 
+    Alias /identity_admin /usr/bin/keystone-wsgi-admin
+    <Location /identity_admin>
+        SetHandler wsgi-script
+        Options +ExecCGI
+
+        WSGIProcessGroup keystone-admin
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+    </Location>
 </VirtualHost>
 
 <VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357>
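Review bot: `Alias /identity_admin /usr/bin/keystone-wsgi-admin` now sits inside the :5000 VirtualHost, and the hunk below mounts `/identity` inside the :35357 one, so each listener serves both WSGI applications; if the public listener is reachable from untrusted networks while the admin listener is firewalled, the admin API remains reachable through `/identity_admin` on :5000. The removed lines show these aliases were previously global, so this may be intentional, but it deserves a comment such as `# the admin app is deliberately reachable on the public port as /identity_admin; confirm this matches the network exposure of :5000`, or a pillar switch to omit it. Separately, `WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$` is now emitted only under the `saml2` condition although `setup_oidc()` protects the same `.../protocols/oidc/auth` path; if that alias is what routes the protected path to the WSGI script, an oidc-only deployment loses it. The same points apply to the admin VirtualHost hunk below and to both VirtualHosts in keystone/files/newton/wsgi-keystone.conf.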
@@ -64,7 +170,7 @@
 {%- include "apache/files/_ssl.conf" %}
 {%- include "apache/files/_locations.conf" %}
 
-    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIDaemonProcess keystone-admin processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
     WSGIProcessGroup keystone-admin
     WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
     WSGIApplicationGroup %{GLOBAL}
@@ -85,52 +191,22 @@
         </IfVersion>
     </Directory>
 
-    {% if server.websso is defined %}
-    {% if server.websso.shib_url_scheme is defined %}
-    ShibURLScheme {{ server.websso.shib_url_scheme }}
-    {%- endif %}
+    {% if server.get('federation', {}).saml2 is defined %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
-    <Location /Shibboleth.sso>
-      SetHandler shib
-    </Location>
-    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
+    {{ setup_saml2() }}
     {%- endif %}
 
+    {% if server.get('federation', {}).oidc is defined %}
+    {{ setup_oidc() }}
+    {%- endif %}
+
+    Alias /identity /usr/bin/keystone-wsgi-public
+    <Location /identity>
+        SetHandler wsgi-script
+        Options +ExecCGI
+
+        WSGIProcessGroup keystone-public
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+    </Location>
 </VirtualHost>
-
-Alias /identity /usr/bin/keystone-wsgi-public
-<Location /identity>
-    SetHandler wsgi-script
-    Options +ExecCGI
-
-    WSGIProcessGroup keystone-public
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-</Location>
-
-Alias /identity_admin /usr/bin/keystone-wsgi-admin
-<Location /identity_admin>
-    SetHandler wsgi-script
-    Options +ExecCGI
-
-    WSGIProcessGroup keystone-admin
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-</Location>
diff --git a/keystone/files/newton/keystone.conf.Debian b/keystone/files/newton/keystone.conf.Debian
index 6add60c..83f4b13 100644
--- a/keystone/files/newton/keystone.conf.Debian
+++ b/keystone/files/newton/keystone.conf.Debian
@@ -1,4 +1,4 @@
-{% from "keystone/map.jinja" import server with context %}
+{% from "keystone/map.jinja" import server, system_cacerts_file with context %}
 [DEFAULT]
 
 #
@@ -358,14 +358,16 @@
 # A URL representing the messaging driver to use and its full configuration.
 # (string value)
 #transport_url = rabbit://nova:3qVSI7a1m8AdaDQ7BpB0PJu4@192.168.0.4:5673/
+
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if server.message_queue.members is defined %}
 transport_url = rabbit://{% for member in server.message_queue.members -%}
-                             {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+                             {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', rabbit_port) }}
                              {%- if not loop.last -%},{%- endif -%}
                          {%- endfor -%}
                              /{{ server.message_queue.virtual_host }}
 {%- else %}
-transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ server.message_queue.port }}/{{ server.message_queue.virtual_host }}
+transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ rabbit_port }}/{{ server.message_queue.virtual_host }}
 {%- endif %}
 
 # DEPRECATED: The messaging driver to use, defaults to rabbit. Other drivers
@@ -374,7 +376,6 @@
 # Its value may be silently ignored in the future.
 # Reason: Replaced by [DEFAULT]/transport_url
 #rpc_backend = rabbit
-rpc_backend = rabbit
 {%- endif %}
 
 # The default exchange under which topics are scoped. May be overridden by an
@@ -417,10 +418,13 @@
 {% if server.auth_methods is defined %}
 methods = {{ server.auth_methods |join(',') }}
 {%- endif %}
-{% if server.websso is defined %}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
-{%- endif %}
 
+{%- if server.get('federation', {}).oidc is defined %}
+{{ server.federation.oidc.protocol }} = keystone.auth.plugins.mapped.Mapped
+{%- endif %}
+{%- if server.get('federation', {}).saml2 is defined %}
+{{ server.federation.saml2.protocol }} = keystone.auth.plugins.mapped.Mapped
+{%- endif %}
 # Entry point for the password auth plugin module in the
 # `keystone.auth.password` namespace. You do not need to set this unless you
 # are overriding keystone's own password authentication plugin. (string value)
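Review bot: the new `{{ server.federation.oidc.protocol }} = keystone.auth.plugins.mapped.Mapped` lines register the mapped plugin under the protocol name, but nothing ensures that name also appears in `methods = {{ server.auth_methods |join(',') }}` above; if `auth_methods` is set without it, the plugin is configured but never enabled, which is easy to miss in a pillar. It would also help to comment that `oidc.protocol` and `saml2.protocol` must differ, since equal values emit the same key twice here and produce duplicate `[<protocol>]` sections further down in this file.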
@@ -669,7 +673,7 @@
 # of keys should be managed separately and require different rotation policies.
 # Do not share this repository with the repository used to manage keys for
 # Fernet tokens. (string value)
-#key_repository = /etc/keystone/credential-keys/
+key_repository = {{ server.credential.location }}
 
 
 [database]
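Review bot: `key_repository = {{ server.credential.location }}` is unconditional, so rendering fails with an undefined-variable error on any newton deployment that lacks `credential.location`, unless map.jinja (not in this diff) supplies a default; the same pattern appears in `max_request_body_size= {{ server.max_request_body_size }}` and `hash_algorithm = {{ server.hash_algorithm }}` in later hunks. If there is no default, guard it with `{%- if server.get('credential', {}).location is defined %}` like the federation options in this file. Since this directory holds the keys that protect stored credentials, the state that creates it should restrict it to the keystone user, which is worth a comment on this line.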
@@ -700,7 +704,7 @@
 # Deprecated group/name - [DATABASE]/sql_connection
 # Deprecated group/name - [sql]/connection
 #connection = <None>
-connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 # The SQLAlchemy connection string to use to connect to the slave database.
 # (string value)
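Review bot: appending `?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}` gives PyMySQL a trust anchor, but whether that alone makes the driver verify the server certificate and hostname depends on the PyMySQL version in use; please confirm, because the connection string carries `{{ server.database.password }}` and an unverified TLS session does not protect it on the wire. A comment on this line stating which verification mode the deployed driver applies would help the next reader.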
@@ -902,6 +906,15 @@
 #admin_port = 35357
 admin_port = 35357
 
+{%- if server.get('federation', {}).saml2 is defined %}
+[{{ server.federation.saml2.protocol }}]
+remote_id_attribute = {{ server.federation.saml2.remote_id_attribute }}
+{%- endif %}
+
+{%- if server.get('federation', {}).oidc is defined %}
+[{{ server.federation.oidc.protocol }}]
+remote_id_attribute = {{ server.federation.oidc.remote_id_attribute }}
+{%- endif %}
 
 [federation]
 
@@ -913,8 +926,8 @@
 # namespace. Keystone only provides a `sql` driver, so there is no reason to
 # set this option unless you are providing a custom entry point. (string value)
 #driver = sql
-{%- if server.get('websso', {}).federation_driver is defined %}
-driver = {{ server.websso.federation_driver }}
+{%- if server.get('federation', {}).federation_driver is defined %}
+driver = {{ server.federation.federation_driver }}
 {%- endif %}
 
 # Prefix to use when filtering environment variable names for federated
@@ -927,17 +940,14 @@
 # `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`,
 # this could be `MELLON_IDP`. (string value)
 #remote_id_attribute = <None>
-{%- if server.websso is defined %}
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
-{%- endif %}
 
 # An arbitrary domain name that is reserved to allow federated ephemeral users
 # to have a domain concept. Note that an admin will not be able to create a
 # domain with this name or update an existing domain to this name. You are not
 # advised to change this value unless you really have to. (string value)
 #federated_domain_name = Federated
-{%- if server.get('websso', {}).federated_domain_name is defined %}
-federated_domain_name = {{ server.websso.federated_domain_name }}
+{%- if server.get('federation', {}).federated_domain_name is defined %}
+federated_domain_name = {{ server.federation.federated_domain_name }}
 {%- endif %}
 
 # A list of trusted dashboard hosts. Before accepting a Single Sign-On request
@@ -947,8 +957,8 @@
 # trusted_dashboard=https://acme.example.com/auth/websso
 # trusted_dashboard=https://beta.example.com/auth/websso (multi valued)
 #trusted_dashboard =
-{%- if server.get('websso', {}).trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.get('federation', {}).trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
 trusted_dashboard = {{ dashboard }}
 {%- endfor %}
 {%- endif %}
@@ -1856,6 +1866,26 @@
 # From oslo.messaging
 #
 
+{%- if server.notification %}
+
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if server.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
+{%- endif %}
+
 # Use durable queues in AMQP. (boolean value)
 # Deprecated group/name - [DEFAULT]/amqp_durable_queues
 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues
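Review bot: `rabbit_use_ssl=true` and the `kombu_ssl_*` options are nested inside `{%- if server.notification %}`, but the `transport_url` earlier in this file already defaults to port 5671 whenever `server.message_queue.ssl.enabled` is true, independently of `notification`; a broker with TLS and notifications disabled therefore gets a plaintext AMQP client pointed at the TLS port. Move the `{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}` block out of the notification guard so both settings follow the same condition. `kombu_ssl_ca_certs={{ system_cacerts_file }}` also differs in spacing from `kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}` two lines above.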
@@ -2216,7 +2246,7 @@
 # The maximum body size for each  request, in bytes. (integer value)
 # Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
 # Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
 
 # DEPRECATED: The HTTP Header that will be used to determine what the original
 # request protocol scheme was, even if it was hidden by a SSL termination
@@ -2835,6 +2865,7 @@
 # Reason: PKI token support has been deprecated in the M release and will be
 # removed in the O release. Fernet or UUID tokens are recommended.
 #hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
 
 # This controls whether roles should be included with tokens that are not
 # directly assigned to the token's scope, but are instead linked implicitly to
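Review bot: `hash_algorithm = {{ server.hash_algorithm }}` overrides an option whose upstream comment ties it to deprecated PKI tokens and whose commented default is md5; if map.jinja mirrors that default, a comment here stating the intended value (`# sha256 unless PKI-token compatibility requires md5`) would keep deployments from inheriting md5 silently. I cannot see map.jinja in this diff, so this is a check rather than a known defect.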
diff --git a/keystone/files/newton/policy-v2.json b/keystone/files/newton/policy-v2.json
deleted file mode 100644
index 1e37bef..0000000
--- a/keystone/files/newton/policy-v2.json
+++ /dev/null
@@ -1,198 +0,0 @@
-{
-    "admin_required": "role:admin or is_admin:1",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner" : "user_id:%(user_id)s",
-    "admin_or_owner": "rule:admin_required or rule:owner",
-    "token_subject": "user_id:%(target.token.user_id)s",
-    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
-    "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
-    "default": "rule:admin_required",
-
-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:admin_required",
-    "identity:update_region": "rule:admin_required",
-    "identity:delete_region": "rule:admin_required",
-
-    "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
-    "identity:create_service": "rule:admin_required",
-    "identity:update_service": "rule:admin_required",
-    "identity:delete_service": "rule:admin_required",
-
-    "identity:get_endpoint": "rule:admin_required",
-    "identity:list_endpoints": "rule:admin_required",
-    "identity:create_endpoint": "rule:admin_required",
-    "identity:update_endpoint": "rule:admin_required",
-    "identity:delete_endpoint": "rule:admin_required",
-
-    "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
-    "identity:list_domains": "rule:admin_required",
-    "identity:create_domain": "rule:admin_required",
-    "identity:update_domain": "rule:admin_required",
-    "identity:delete_domain": "rule:admin_required",
-
-    "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
-    "identity:list_projects": "rule:admin_required",
-    "identity:list_user_projects": "rule:admin_or_owner",
-    "identity:create_project": "rule:admin_required",
-    "identity:update_project": "rule:admin_required",
-    "identity:delete_project": "rule:admin_required",
-
-    "identity:get_user": "rule:admin_or_owner",
-    "identity:list_users": "rule:admin_required",
-    "identity:create_user": "rule:admin_required",
-    "identity:update_user": "rule:admin_required",
-    "identity:delete_user": "rule:admin_required",
-    "identity:change_password": "rule:admin_or_owner",
-
-    "identity:get_group": "rule:admin_required",
-    "identity:list_groups": "rule:admin_required",
-    "identity:list_groups_for_user": "rule:admin_or_owner",
-    "identity:create_group": "rule:admin_required",
-    "identity:update_group": "rule:admin_required",
-    "identity:delete_group": "rule:admin_required",
-    "identity:list_users_in_group": "rule:admin_required",
-    "identity:remove_user_from_group": "rule:admin_required",
-    "identity:check_user_in_group": "rule:admin_required",
-    "identity:add_user_to_group": "rule:admin_required",
-
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-
-    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-    "identity:ec2_list_credentials": "rule:admin_or_owner",
-    "identity:ec2_create_credential": "rule:admin_or_owner",
-    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:admin_required",
-    "identity:update_role": "rule:admin_required",
-    "identity:delete_role": "rule:admin_required",
-    "identity:get_domain_role": "rule:admin_required",
-    "identity:list_domain_roles": "rule:admin_required",
-    "identity:create_domain_role": "rule:admin_required",
-    "identity:update_domain_role": "rule:admin_required",
-    "identity:delete_domain_role": "rule:admin_required",
-
-    "identity:get_implied_role": "rule:admin_required ",
-    "identity:list_implied_roles": "rule:admin_required",
-    "identity:create_implied_role": "rule:admin_required",
-    "identity:delete_implied_role": "rule:admin_required",
-    "identity:list_role_inference_rules": "rule:admin_required",
-    "identity:check_implied_role": "rule:admin_required",
-
-    "identity:check_grant": "rule:admin_required",
-    "identity:list_grants": "rule:admin_required",
-    "identity:create_grant": "rule:admin_required",
-    "identity:revoke_grant": "rule:admin_required",
-
-    "identity:list_role_assignments": "rule:admin_required",
-    "identity:list_role_assignments_for_tree": "rule:admin_required",
-
-    "identity:get_policy": "rule:admin_required",
-    "identity:list_policies": "rule:admin_required",
-    "identity:create_policy": "rule:admin_required",
-    "identity:update_policy": "rule:admin_required",
-    "identity:delete_policy": "rule:admin_required",
-
-    "identity:check_token": "rule:admin_or_token_subject",
-    "identity:validate_token": "rule:service_admin_or_token_subject",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_token_subject",
-
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:get_endpoint_group_in_project": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
-
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
-
-    "identity:create_service_provider": "rule:admin_required",
-    "identity:list_service_providers": "rule:admin_required",
-    "identity:get_service_provider": "rule:admin_required",
-    "identity:update_service_provider": "rule:admin_required",
-    "identity:delete_service_provider": "rule:admin_required",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_user": "",
-    "identity:list_domains_for_user": "",
-
-    "identity:list_revoke_events": "",
-
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required",
-
-    "identity:create_domain_config": "rule:admin_required",
-    "identity:get_domain_config": "rule:admin_required",
-    "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required",
-    "identity:get_domain_config_default": "rule:admin_required"
-}
diff --git a/keystone/files/newton/wsgi-keystone.conf b/keystone/files/newton/wsgi-keystone.conf
index 763672d..3c18ef8 100644
--- a/keystone/files/newton/wsgi-keystone.conf
+++ b/keystone/files/newton/wsgi-keystone.conf
@@ -1,5 +1,122 @@
 {%- from "keystone/map.jinja" import server with context %}
 {%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
+{% macro setup_oidc() -%}
+    SetEnv HTTP_OIDC_ISS {{ server.federation.oidc.remote_id_attribute_value }}
+    {% if server.federation.oidc.oidc_claim_prefix is defined %}
+    OIDCClaimPrefix "{{ server.federation.oidc.oidc_claim_prefix }}"
+    {%- endif %}
+    OIDCClientID "{{ server.federation.oidc.oidc_client_id}}"
+    {% if server.federation.oidc.oidc_client_secret is defined %}
+    OIDCClientSecret "{{ server.federation.oidc.oidc_client_secret }}"
+    {%- endif %}
+    OIDCCryptoPassphrase "{{ server.federation.oidc.oidc_crypto_passphrase }}"
+    OIDCRedirectURI "{{ server.federation.oidc.oidc_redirect_uri }}"
+    {% if server.federation.oidc.oidc_provider_metadata_url is defined %}
+    OIDCProviderMetadataURL "{{ server.federation.oidc.oidc_provider_metadata_url }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_response_type is defined %}
+    OIDCResponseType "{{ server.federation.oidc.oidc_response_type }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_scope is defined %}
+    OIDCScope "{{ server.federation.oidc.oidc_scope }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_ssl_validate_server is defined %}
+    OIDCSSLValidateServer "{{ server.federation.oidc.oidc_ssl_validate_server }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_ssl_validate_server is defined %}
+    OIDCOAuthSSLValidateServer "{{ server.federation.oidc.oidc_oauth_ssl_validate_server }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_introspection_endpoint is defined %}
+    OIDCOAuthIntrospectionEndpoint "{{ server.federation.oidc.oidc_oauth_introspection_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_introspection_token_param_name is defined %}
+    OIDCOAuthIntrospectionTokenParamName "{{ server.federation.oidc.oidc_oauth_introspection_token_param_name }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_remote_user_claim is defined %}
+    OIDCOAuthRemoteUserClaim "{{ server.federation.oidc.oidc_oauth_remote_user_claim }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_verify_jwks_uri is defined %}
+    OIDCOAuthVerifyJwksUri "{{ server.federation.oidc.oidc_oauth_verify_jwks_uri }}"
+    {%- endif %}
+    {% if server.federation.oidc.odic_token_iat_slack is defined %}
+    OIDCIDTokenIatSlack "{{ server.federation.oidc.odic_token_iat_slack }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_issuer is defined %}
+    OIDCProviderIssuer "{{ server.federation.oidc.oidc_provider_issuer }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_authorization_endpoint is defined %}
+    OIDCProviderAuthorizationEndpoint "{{ server.federation.oidc.oidc_provider_authorization_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_token_endpoint is defined %}
+    OIDCProviderTokenEndpoint "{{ server.federation.oidc.oidc_provider_token_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_token_endpoint_auth is defined %}
+    OIDCProviderTokenEndpointAuth "{{ server.federation.oidc.oidc_provider_token_endpoint_auth }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_user_info_endpoint is defined %}
+    OIDCProviderUserInfoEndpoint "{{ server.federation.oidc.oidc_provider_user_info_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_jwks_uri is defined %}
+    OIDCProviderJwksUri "{{ server.federation.oidc.oidc_provider_jwks_uri }}"
+    {%- endif %}
+    {%- if server.federation.oidc.oidc_oauth_verify_shared_keys is defined %}
+    {%- set shared_keys_list = [] %}
+    {%- for shared_key_def in server.federation.oidc.oidc_oauth_verify_shared_keys %}
+    {%- do shared_keys_list.append("\""+shared_key_def.type+"#"+shared_key_def.kid+"#"+shared_key_def.key+"\"") %}
+    {%- endfor %}
+    OIDCOAuthVerifySharedKeys {{ shared_keys_list|join(" ") }}
+    {%- endif %}
+    {%- if server.federation.oidc.oidc_oauth_verify_cert_files is defined %}
+    {%- set cert_files_list = [] %}
+    {%- for cert_file_def in server.federation.oidc.oidc_oauth_verify_cert_files %}
+    {%- do cert_files_list.append("\""+cert_file_def.kid+"#"+cert_file_def.filename+"\"") %}
+    {%- endfor %}
+    OIDCOAuthVerifyCertFiles {{ cert_files_list|join(" ") }}
+    {%- endif %}
+
+    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
+      AuthType oauth20
+      Require valid-user
+    </LocationMatch>
+    <LocationMatch "/v3/auth/OS-FEDERATION/websso/oidc">
+      AuthType openid-connect
+      Require valid-user
+    </LocationMatch>
+    <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso">
+      AuthType openid-connect
+      Require valid-user
+    </LocationMatch>
+{% endmacro -%}
+{% macro setup_saml2() -%}
+    {% if server.federation.saml2.shib_url_scheme is defined %}
+    ShibURLScheme {{ server.federation.saml2.shib_url_scheme }}
+    {%- endif %}
+    {% if server.federation.saml2.shib_compat_valid_user is defined %}
+    ShibCompatValidUser {{ server.federation.saml2.shib_compat_valid_user }}
+    {%- endif %}
+    <Location /Shibboleth.sso>
+      SetHandler shib
+    </Location>
+    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
+      ShibRequestSetting requireSession 1
+      AuthType shibboleth
+      ShibExportAssertion Off
+      Require valid-user
+    </LocationMatch>
+    <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
+      ShibRequestSetting requireSession 1
+      AuthType shibboleth
+      ShibExportAssertion Off
+      Require valid-user
+    </LocationMatch>
+    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
+      ShibRequestSetting requireSession 1
+      AuthType shibboleth
+      ShibExportAssertion Off
+      Require valid-user
+    </LocationMatch>
+{% endmacro -%}
+
 Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
 Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
 
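Review bot: the pillar key in `{% if server.federation.oidc.odic_token_iat_slack is defined %}` / `OIDCIDTokenIatSlack "{{ server.federation.oidc.odic_token_iat_slack }}"` is misspelled (`odic`), so a user who sets `oidc_token_iat_slack` following the naming of every other key in this macro gets the directive silently dropped; rename both occurrences to `oidc_token_iat_slack`. `OIDCClientID "{{ server.federation.oidc.oidc_client_id}}"` is missing the space before `}}`. `SetEnv HTTP_OIDC_ISS {{ server.federation.oidc.remote_id_attribute_value }}` pins the issuer Keystone sees to a pillar value rather than to the claim mod_auth_openidc validated; with a single provider that is equivalent, but a comment saying so would help. This macro also renders `OIDCClientSecret` and `OIDCCryptoPassphrase` into the Apache config, so the state that writes the file (not in this hunk) must keep it from being world-readable.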
@@ -8,7 +125,7 @@
 {%- include "apache/files/_ssl.conf" %}
 {%- include "apache/files/_locations.conf" %}
 
-    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIDaemonProcess keystone-public processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
     WSGIProcessGroup keystone-public
     WSGIScriptAlias / /usr/bin/keystone-wsgi-public
     WSGIApplicationGroup %{GLOBAL}
@@ -29,34 +146,23 @@
         </IfVersion>
     </Directory>
 
-    {% if server.websso is defined %}
-    {% if server.websso.shib_url_scheme is defined %}
-    ShibURLScheme {{ server.websso.shib_url_scheme }}
-    {%- endif %}
+    {% if server.get('federation', {}).saml2 is defined %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
-    <Location /Shibboleth.sso>
-      SetHandler shib
-    </Location>
-    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
+    {{ setup_saml2() }}
+    {%- endif %}
+    {% if server.get('federation', {}).oidc is defined %}
+    {{ setup_oidc() }}
     {%- endif %}
 
+    Alias /identity_admin /usr/bin/keystone-wsgi-admin
+    <Location /identity_admin>
+        SetHandler wsgi-script
+        Options +ExecCGI
+
+        WSGIProcessGroup keystone-admin
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+    </Location>
 </VirtualHost>
 
 <VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357>
@@ -64,7 +170,7 @@
 {%- include "apache/files/_ssl.conf" %}
 {%- include "apache/files/_locations.conf" %}
 
-    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIDaemonProcess keystone-admin processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
     WSGIProcessGroup keystone-admin
     WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
     WSGIApplicationGroup %{GLOBAL}
@@ -85,52 +191,22 @@
         </IfVersion>
     </Directory>
 
-    {% if server.websso is defined %}
-    {% if server.websso.shib_url_scheme is defined %}
-    ShibURLScheme {{ server.websso.shib_url_scheme }}
-    {%- endif %}
+    {% if server.get('federation', {}).saml2 is defined %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
-    <Location /Shibboleth.sso>
-      SetHandler shib
-    </Location>
-    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
+    {{ setup_saml2() }}
     {%- endif %}
 
+    {% if server.get('federation', {}).oidc is defined %}
+    {{ setup_oidc() }}
+    {%- endif %}
+
+    Alias /identity /usr/bin/keystone-wsgi-public
+    <Location /identity>
+        SetHandler wsgi-script
+        Options +ExecCGI
+
+        WSGIProcessGroup keystone-public
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+    </Location>
 </VirtualHost>
-
-Alias /identity /usr/bin/keystone-wsgi-public
-<Location /identity>
-    SetHandler wsgi-script
-    Options +ExecCGI
-
-    WSGIProcessGroup keystone-public
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-</Location>
-
-Alias /identity_admin /usr/bin/keystone-wsgi-admin
-<Location /identity_admin>
-    SetHandler wsgi-script
-    Options +ExecCGI
-
-    WSGIProcessGroup keystone-admin
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-</Location>
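Review bot: The relocated `Alias /identity` block lands in the port-35357 (admin) VirtualHost while `Alias /identity_admin /usr/bin/keystone-wsgi-admin` goes into the port-5000 (public) VirtualHost in the hunk above, which looks inverted: the admin WSGI application becomes reachable through the listener that is normally the externally exposed one, whereas the removed top-level Aliases applied to both vhosts and did not distinguish them. If the intent is to keep the admin application off the public port, swap the two blocks so `/identity_admin` sits in the 35357 vhost and `/identity` in the 5000 vhost; if the cross-placement is deliberate, a one-line comment above each `Alias` saying why would spare the next reader the same question. The identical placement appears in keystone/files/ocata/wsgi-keystone.conf (`@@ -29,34 +146,23 @@` and `@@ -85,52 +191,22 @@`).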
diff --git a/keystone/files/ocata/keystone.conf.Debian b/keystone/files/ocata/keystone.conf.Debian
index aa442f2..59b1cff 100644
--- a/keystone/files/ocata/keystone.conf.Debian
+++ b/keystone/files/ocata/keystone.conf.Debian
@@ -1,4 +1,4 @@
-{% from "keystone/map.jinja" import server with context %}
+{% from "keystone/map.jinja" import server, system_cacerts_file with context %}
 [DEFAULT]
 
 #
@@ -425,14 +425,15 @@
 # A URL representing the messaging driver to use and its full configuration.
 # (string value)
 #transport_url = rabbit://nova:3qVSI7a1m8AdaDQ7BpB0PJu4@192.168.0.4:5673/
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if server.message_queue.members is defined %}
 transport_url = rabbit://{% for member in server.message_queue.members -%}
-                             {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+                             {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', rabbit_port) }}
                              {%- if not loop.last -%},{%- endif -%}
                          {%- endfor -%}
                              /{{ server.message_queue.virtual_host }}
 {%- else %}
-transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ server.message_queue.port }}/{{ server.message_queue.virtual_host }}
+transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ rabbit_port }}/{{ server.message_queue.virtual_host }}
 {%- endif %}
 
 # DEPRECATED: The messaging driver to use, defaults to rabbit. Other drivers
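Review bot: `rabbit_port` defaults to 5671 whenever `message_queue.ssl.enabled` is true, but the directives that actually switch the client to TLS (`rabbit_use_ssl=true`, `kombu_ssl_ca_certs`) are emitted further down only inside `{%- if server.notification %}`; if this `transport_url` block is not under that same guard (its enclosing `if` starts above the hunk), a pillar with SSL enabled and notifications off produces a plaintext AMQP URL aimed at the TLS port. Deriving both from one condition, or dropping the `server.notification` gate around the SSL options, keeps the two in step. Minor: the double space in `get('enabled', False)  else 5672`.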
@@ -441,7 +442,6 @@
 # Its value may be silently ignored in the future.
 # Reason: Replaced by [DEFAULT]/transport_url
 #rpc_backend = rabbit
-rpc_backend = rabbit
 {%- endif %}
 # The default exchange under which topics are scoped. May be overridden by an
 # exchange name specified in the transport_url option. (string value)
@@ -484,8 +484,12 @@
 {% if server.auth_methods is defined %}
 methods = {{ server.auth_methods |join(',') }}
 {%- endif %}
-{% if server.websso is defined %}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
+
+{%- if server.get('federation', {}).oidc is defined %}
+{{ server.federation.oidc.protocol }} = keystone.auth.plugins.mapped.Mapped
+{%- endif %}
+{%- if server.get('federation', {}).saml2 is defined %}
+{{ server.federation.saml2.protocol }} = keystone.auth.plugins.mapped.Mapped
 {%- endif %}
 
 # Entry point for the password auth plugin module in the
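Review bot: Defining `federation.oidc` or `federation.saml2` registers the `mapped` plugin under the protocol name but does not add that name to `methods`, which is built only from `server.auth_methods`, so the plugin entry is inert unless the operator also lists the protocol in `auth_methods`; either append the defined protocol(s) to the `methods` line or document the requirement next to the pillar example in the README. If `federation.oidc.protocol` and `federation.saml2.protocol` are set to the same value, the two blocks emit a duplicate key in `[auth]`, which oslo.config resolves silently to the last one.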
@@ -741,7 +745,7 @@
 # of keys should be managed separately and require different rotation policies.
 # Do not share this repository with the repository used to manage keys for
 # Fernet tokens. (string value)
-#key_repository = /etc/keystone/credential-keys/
+key_repository = {{ server.credential.location }}
 
 
 [database]
@@ -772,7 +776,7 @@
 # Deprecated group/name - [DATABASE]/sql_connection
 # Deprecated group/name - [sql]/connection
 #connection = <None>
-connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 # The SQLAlchemy connection string to use to connect to the slave database.
 # (string value)
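Review bot: Appending `?ssl_ca=` makes the pymysql connection negotiate TLS against the given CA, but on its own it may not enforce hostname verification of the server certificate — confirm against the pymysql/SQLAlchemy versions shipped with this release, and consider exposing a verification knob alongside the CA path rather than only `cacert_file`. The same database TLS option is not added to keystone.conf.RedHat in this change, so the two templates now diverge on what `server.database.ssl` means.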
@@ -974,6 +978,15 @@
 # Specifies the distribution of the keystone server. (string value)
 #Distribution = Ubuntu
 
+{%- if server.get('federation', {}).saml2 is defined %}
+[{{ server.federation.saml2.protocol }}]
+remote_id_attribute = {{ server.federation.saml2.remote_id_attribute }}
+{%- endif %}
+
+{%- if server.get('federation', {}).oidc is defined %}
+[{{ server.federation.oidc.protocol }}]
+remote_id_attribute = {{ server.federation.oidc.remote_id_attribute }}
+{%- endif %}
 
 [federation]
 
@@ -985,8 +998,8 @@
 # namespace. Keystone only provides a `sql` driver, so there is no reason to
 # set this option unless you are providing a custom entry point. (string value)
 #driver = sql
-{%- if server.get('websso', {}).federation_driver is defined %}
-driver = {{ server.websso.federation_driver }}
+{%- if server.get('federation', {}).federation_driver is defined %}
+driver = {{ server.federation.federation_driver }}
 {%- endif %}
 
 # Prefix to use when filtering environment variable names for federated
@@ -999,17 +1012,14 @@
 # `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`,
 # this could be `MELLON_IDP`. (string value)
 #remote_id_attribute = <None>
-{%- if server.websso is defined %}
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
-{%- endif %}
 
 # An arbitrary domain name that is reserved to allow federated ephemeral users
 # to have a domain concept. Note that an admin will not be able to create a
 # domain with this name or update an existing domain to this name. You are not
 # advised to change this value unless you really have to. (string value)
 #federated_domain_name = Federated
-{%- if server.get('websso', {}).federated_domain_name is defined %}
-federated_domain_name = {{ server.websso.federated_domain_name }}
+{%- if server.get('federation', {}).federated_domain_name is defined %}
+federated_domain_name = {{ server.federation.federated_domain_name }}
 {%- endif %}
 
 # A list of trusted dashboard hosts. Before accepting a Single Sign-On request
@@ -1019,8 +1029,8 @@
 # trusted_dashboard=https://acme.example.com/auth/websso
 # trusted_dashboard=https://beta.example.com/auth/websso (multi valued)
 #trusted_dashboard =
-{%- if server.get('websso', {}).trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.get('federation', {}).trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
 trusted_dashboard = {{ dashboard }}
 {%- endfor %}
 {%- endif %}
@@ -1952,6 +1962,27 @@
 # From oslo.messaging
 #
 
+
+{%- if server.notification %}
+
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if server.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
+{%- endif %}
+
 # Use durable queues in AMQP. (boolean value)
 # Deprecated group/name - [DEFAULT]/amqp_durable_queues
 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues
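Review bot: The `kombu_ssl_version = TLSv1_2` fallback is gated on `salt['grains.get']('pythonversion') > [2,7,8]`, which inspects the salt minion's interpreter rather than the Python running keystone, and compares a possibly-absent grain (which `grains.get` returns as an empty string) against a list — on a Python 3 minion that comparison raises at render time. Pinning `TLSv1_2` unconditionally, or reading the version from a pillar default in map.jinja, is both simpler and safer than inferring it from a minion grain. Minor style: `rabbit_use_ssl=true` and `kombu_ssl_ca_certs={{ system_cacerts_file }}` drop the ` = ` spacing used by the neighbouring `kombu_ssl_*` lines.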
@@ -2385,7 +2416,7 @@
 # The maximum body size for each  request, in bytes. (integer value)
 # Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
 # Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
 
 # DEPRECATED: The HTTP Header that will be used to determine what the original
 # request protocol scheme was, even if it was hidden by a SSL termination
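Review bot: `max_request_body_size= {{ server.max_request_body_size }}` puts the space on the wrong side of `=` relative to every other rendered option; use `max_request_body_size = {{ server.max_request_body_size }}`. This and the `hash_algorithm = {{ server.hash_algorithm }}` line in the next hunk turn previously commented defaults into hard references on pillar keys, so confirm map.jinja supplies defaults for both or rendering fails for pillars that never set them. If that `hash_algorithm` is the `[token]` option, it appears to affect only PKI/PKIZ token hashing (deprecated by Ocata); a short comment above it would stop readers from assuming it changes password or fernet hashing.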
@@ -3022,6 +3053,7 @@
 # Defaults to two days. (integer value)
 #allow_expired_window = 172800
 
+hash_algorithm = {{ server.hash_algorithm }}
 
 [tokenless_auth]
 
diff --git a/keystone/files/ocata/keystone.conf.RedHat b/keystone/files/ocata/keystone.conf.RedHat
index dd9a7c9..663854e 100644
--- a/keystone/files/ocata/keystone.conf.RedHat
+++ b/keystone/files/ocata/keystone.conf.RedHat
@@ -481,9 +481,9 @@
 # are being invoked to validate attributes in the request environment, it can
 # cause conflicts. (list value)
 #methods = external,password,token,oauth1,mapped
-{% if server.websso is defined %}
-methods = external,password,token,{{ server.websso.protocol }}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
+{% if server.federation is defined %}
+methods = external,password,token,{{ server.federation.protocol }}
+{{ server.federation.protocol }} = keystone.auth.plugins.mapped.Mapped
 {%- endif %}
 
 # Entry point for the password auth plugin module in the
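Review bot: This hunk reads `server.federation.protocol`, and the `@@ -978,8 +978,8 @@` hunk reads `server.federation.remote_id_attribute`, but keystone.conf.Debian and wsgi-keystone.conf in the same change key federation settings per protocol (`server.federation.saml2.protocol`, `server.federation.oidc.remote_id_attribute`, ...), so a pillar written for the new layout hits an undefined attribute here and one written for this template produces no Apache federation config. Align this file with the per-protocol layout, e.g. `{%- if server.get('federation', {}).saml2 is defined %}` / `{{ server.federation.saml2.protocol }} = keystone.auth.plugins.mapped.Mapped`, or state in the README that the RedHat template only supports a single flat protocol block.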
@@ -964,8 +964,8 @@
 # namespace. Keystone only provides a `sql` driver, so there is no reason to
 # set this option unless you are providing a custom entry point. (string value)
 #driver = sql
-{%- if server.get('websso', {}).federation_driver is defined %}
-driver = {{ server.websso.federation_driver }}
+{%- if server.get('federation', {}).federation_driver is defined %}
+driver = {{ server.federation.federation_driver }}
 {%- endif %}
 
 # Prefix to use when filtering environment variable names for federated
@@ -978,8 +978,8 @@
 # `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`,
 # this could be `MELLON_IDP`. (string value)
 #remote_id_attribute = <None>
-{%- if server.websso is defined %}
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
+{%- if server.federation is defined %}
+remote_id_attribute = {{ server.federation.remote_id_attribute }}
 {%- endif %}
 
 # An arbitrary domain name that is reserved to allow federated ephemeral users
@@ -987,8 +987,8 @@
 # domain with this name or update an existing domain to this name. You are not
 # advised to change this value unless you really have to. (string value)
 #federated_domain_name = Federated
-{%- if server.get('websso', {}).federated_domain_name is defined %}
-federated_domain_name = {{ server.websso.federated_domain_name }}
+{%- if server.get('federation', {}).federated_domain_name is defined %}
+federated_domain_name = {{ server.federation.federated_domain_name }}
 {%- endif %}
 
 # A list of trusted dashboard hosts. Before accepting a Single Sign-On request
@@ -998,8 +998,8 @@
 # trusted_dashboard=https://acme.example.com/auth/websso
 # trusted_dashboard=https://beta.example.com/auth/websso (multi valued)
 #trusted_dashboard =
-{%- if server.get('websso', {}).trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.get('federation', {}).trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
 trusted_dashboard = {{ dashboard }}
 {%- endfor %}
 {%- endif %}
diff --git a/keystone/files/ocata/policy-v2.json b/keystone/files/ocata/policy-v2.json
deleted file mode 100644
index ddf2396..0000000
--- a/keystone/files/ocata/policy-v2.json
+++ /dev/null
@@ -1,199 +0,0 @@
-{
-    "admin_required": "role:admin or is_admin:1",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner" : "user_id:%(user_id)s",
-    "admin_or_owner": "rule:admin_required or rule:owner",
-    "token_subject": "user_id:%(target.token.user_id)s",
-    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
-    "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
-    "default": "rule:admin_required",
-
-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:admin_required",
-    "identity:update_region": "rule:admin_required",
-    "identity:delete_region": "rule:admin_required",
-
-    "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
-    "identity:create_service": "rule:admin_required",
-    "identity:update_service": "rule:admin_required",
-    "identity:delete_service": "rule:admin_required",
-
-    "identity:get_endpoint": "rule:admin_required",
-    "identity:list_endpoints": "rule:admin_required",
-    "identity:create_endpoint": "rule:admin_required",
-    "identity:update_endpoint": "rule:admin_required",
-    "identity:delete_endpoint": "rule:admin_required",
-
-    "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
-    "identity:list_domains": "rule:admin_required",
-    "identity:create_domain": "rule:admin_required",
-    "identity:update_domain": "rule:admin_required",
-    "identity:delete_domain": "rule:admin_required",
-
-    "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
-    "identity:list_projects": "rule:admin_required",
-    "identity:list_user_projects": "rule:admin_or_owner",
-    "identity:create_project": "rule:admin_required",
-    "identity:update_project": "rule:admin_required",
-    "identity:delete_project": "rule:admin_required",
-
-    "identity:get_user": "rule:admin_or_owner",
-    "identity:list_users": "rule:admin_required",
-    "identity:create_user": "rule:admin_required",
-    "identity:update_user": "rule:admin_required",
-    "identity:delete_user": "rule:admin_required",
-    "identity:change_password": "rule:admin_or_owner",
-
-    "identity:get_group": "rule:admin_required",
-    "identity:list_groups": "rule:admin_required",
-    "identity:list_groups_for_user": "rule:admin_or_owner",
-    "identity:create_group": "rule:admin_required",
-    "identity:update_group": "rule:admin_required",
-    "identity:delete_group": "rule:admin_required",
-    "identity:list_users_in_group": "rule:admin_required",
-    "identity:remove_user_from_group": "rule:admin_required",
-    "identity:check_user_in_group": "rule:admin_required",
-    "identity:add_user_to_group": "rule:admin_required",
-
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-
-    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-    "identity:ec2_list_credentials": "rule:admin_or_owner",
-    "identity:ec2_create_credential": "rule:admin_or_owner",
-    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:admin_required",
-    "identity:update_role": "rule:admin_required",
-    "identity:delete_role": "rule:admin_required",
-    "identity:get_domain_role": "rule:admin_required",
-    "identity:list_domain_roles": "rule:admin_required",
-    "identity:create_domain_role": "rule:admin_required",
-    "identity:update_domain_role": "rule:admin_required",
-    "identity:delete_domain_role": "rule:admin_required",
-
-    "identity:get_implied_role": "rule:admin_required ",
-    "identity:list_implied_roles": "rule:admin_required",
-    "identity:create_implied_role": "rule:admin_required",
-    "identity:delete_implied_role": "rule:admin_required",
-    "identity:list_role_inference_rules": "rule:admin_required",
-    "identity:check_implied_role": "rule:admin_required",
-
-    "identity:check_grant": "rule:admin_required",
-    "identity:list_grants": "rule:admin_required",
-    "identity:create_grant": "rule:admin_required",
-    "identity:revoke_grant": "rule:admin_required",
-
-    "identity:list_role_assignments": "rule:admin_required",
-    "identity:list_role_assignments_for_tree": "rule:admin_required",
-
-    "identity:get_policy": "rule:admin_required",
-    "identity:list_policies": "rule:admin_required",
-    "identity:create_policy": "rule:admin_required",
-    "identity:update_policy": "rule:admin_required",
-    "identity:delete_policy": "rule:admin_required",
-
-    "identity:check_token": "rule:admin_or_token_subject",
-    "identity:validate_token": "rule:service_admin_or_token_subject",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_token_subject",
-
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:get_endpoint_group_in_project": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
-
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
-
-    "identity:create_service_provider": "rule:admin_required",
-    "identity:list_service_providers": "rule:admin_required",
-    "identity:get_service_provider": "rule:admin_required",
-    "identity:update_service_provider": "rule:admin_required",
-    "identity:delete_service_provider": "rule:admin_required",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_user": "",
-    "identity:list_domains_for_user": "",
-
-    "identity:list_revoke_events": "rule:service_or_admin",
-
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required",
-
-    "identity:create_domain_config": "rule:admin_required",
-    "identity:get_domain_config": "rule:admin_required",
-    "identity:get_security_compliance_domain_config": "",
-    "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required",
-    "identity:get_domain_config_default": "rule:admin_required"
-}
diff --git a/keystone/files/ocata/wsgi-keystone.conf b/keystone/files/ocata/wsgi-keystone.conf
index 763672d..3c18ef8 100644
--- a/keystone/files/ocata/wsgi-keystone.conf
+++ b/keystone/files/ocata/wsgi-keystone.conf
@@ -1,5 +1,122 @@
 {%- from "keystone/map.jinja" import server with context %}
 {%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
+{% macro setup_oidc() -%}
+    SetEnv HTTP_OIDC_ISS {{ server.federation.oidc.remote_id_attribute_value }}
+    {% if server.federation.oidc.oidc_claim_prefix is defined %}
+    OIDCClaimPrefix "{{ server.federation.oidc.oidc_claim_prefix }}"
+    {%- endif %}
+    OIDCClientID "{{ server.federation.oidc.oidc_client_id}}"
+    {% if server.federation.oidc.oidc_client_secret is defined %}
+    OIDCClientSecret "{{ server.federation.oidc.oidc_client_secret }}"
+    {%- endif %}
+    OIDCCryptoPassphrase "{{ server.federation.oidc.oidc_crypto_passphrase }}"
+    OIDCRedirectURI "{{ server.federation.oidc.oidc_redirect_uri }}"
+    {% if server.federation.oidc.oidc_provider_metadata_url is defined %}
+    OIDCProviderMetadataURL "{{ server.federation.oidc.oidc_provider_metadata_url }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_response_type is defined %}
+    OIDCResponseType "{{ server.federation.oidc.oidc_response_type }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_scope is defined %}
+    OIDCScope "{{ server.federation.oidc.oidc_scope }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_ssl_validate_server is defined %}
+    OIDCSSLValidateServer "{{ server.federation.oidc.oidc_ssl_validate_server }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_ssl_validate_server is defined %}
+    OIDCOAuthSSLValidateServer "{{ server.federation.oidc.oidc_oauth_ssl_validate_server }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_introspection_endpoint is defined %}
+    OIDCOAuthIntrospectionEndpoint "{{ server.federation.oidc.oidc_oauth_introspection_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_introspection_token_param_name is defined %}
+    OIDCOAuthIntrospectionTokenParamName "{{ server.federation.oidc.oidc_oauth_introspection_token_param_name }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_remote_user_claim is defined %}
+    OIDCOAuthRemoteUserClaim "{{ server.federation.oidc.oidc_oauth_remote_user_claim }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_oauth_verify_jwks_uri is defined %}
+    OIDCOAuthVerifyJwksUri "{{ server.federation.oidc.oidc_oauth_verify_jwks_uri }}"
+    {%- endif %}
+    {% if server.federation.oidc.odic_token_iat_slack is defined %}
+    OIDCIDTokenIatSlack "{{ server.federation.oidc.odic_token_iat_slack }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_issuer is defined %}
+    OIDCProviderIssuer "{{ server.federation.oidc.oidc_provider_issuer }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_authorization_endpoint is defined %}
+    OIDCProviderAuthorizationEndpoint "{{ server.federation.oidc.oidc_provider_authorization_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_token_endpoint is defined %}
+    OIDCProviderTokenEndpoint "{{ server.federation.oidc.oidc_provider_token_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_token_endpoint_auth is defined %}
+    OIDCProviderTokenEndpointAuth "{{ server.federation.oidc.oidc_provider_token_endpoint_auth }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_user_info_endpoint is defined %}
+    OIDCProviderUserInfoEndpoint "{{ server.federation.oidc.oidc_provider_user_info_endpoint }}"
+    {%- endif %}
+    {% if server.federation.oidc.oidc_provider_jwks_uri is defined %}
+    OIDCProviderJwksUri "{{ server.federation.oidc.oidc_provider_jwks_uri }}"
+    {%- endif %}
+    {%- if server.federation.oidc.oidc_oauth_verify_shared_keys is defined %}
+    {%- set shared_keys_list = [] %}
+    {%- for shared_key_def in server.federation.oidc.oidc_oauth_verify_shared_keys %}
+    {%- do shared_keys_list.append("\""+shared_key_def.type+"#"+shared_key_def.kid+"#"+shared_key_def.key+"\"") %}
+    {%- endfor %}
+    OIDCOAuthVerifySharedKeys {{ shared_keys_list|join(" ") }}
+    {%- endif %}
+    {%- if server.federation.oidc.oidc_oauth_verify_cert_files is defined %}
+    {%- set cert_files_list = [] %}
+    {%- for cert_file_def in server.federation.oidc.oidc_oauth_verify_cert_files %}
+    {%- do cert_files_list.append("\""+cert_file_def.kid+"#"+cert_file_def.filename+"\"") %}
+    {%- endfor %}
+    OIDCOAuthVerifyCertFiles {{ cert_files_list|join(" ") }}
+    {%- endif %}
+
+    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
+      AuthType oauth20
+      Require valid-user
+    </LocationMatch>
+    <LocationMatch "/v3/auth/OS-FEDERATION/websso/oidc">
+      AuthType openid-connect
+      Require valid-user
+    </LocationMatch>
+    <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso">
+      AuthType openid-connect
+      Require valid-user
+    </LocationMatch>
+{% endmacro -%}
+{% macro setup_saml2() -%}
+    {% if server.federation.saml2.shib_url_scheme is defined %}
+    ShibURLScheme {{ server.federation.saml2.shib_url_scheme }}
+    {%- endif %}
+    {% if server.federation.saml2.shib_compat_valid_user is defined %}
+    ShibCompatValidUser {{ server.federation.saml2.shib_compat_valid_user }}
+    {%- endif %}
+    <Location /Shibboleth.sso>
+      SetHandler shib
+    </Location>
+    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
+      ShibRequestSetting requireSession 1
+      AuthType shibboleth
+      ShibExportAssertion Off
+      Require valid-user
+    </LocationMatch>
+    <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
+      ShibRequestSetting requireSession 1
+      AuthType shibboleth
+      ShibExportAssertion Off
+      Require valid-user
+    </LocationMatch>
+    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
+      ShibRequestSetting requireSession 1
+      AuthType shibboleth
+      ShibExportAssertion Off
+      Require valid-user
+    </LocationMatch>
+{% endmacro -%}
+
 Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
 Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
 
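Review bot: The pillar key `odic_token_iat_slack` in the `setup_oidc` macro is misspelled (`odic` where every other key uses the `oidc_` prefix), so an operator who sets `oidc_token_iat_slack` gets no `OIDCIDTokenIatSlack` line and no error; rename both the condition and the value to `server.federation.oidc.oidc_token_iat_slack`. The macro also renders `OIDCClientSecret`, `OIDCCryptoPassphrase` and the `OIDCOAuthVerifySharedKeys` key material verbatim into the vhost file; the state that writes this file is not in this diff, so confirm its mode keeps the rendered config unreadable to other local users. Minor: `{{ server.federation.oidc.oidc_client_id}}` is missing the space before `}}`, and the first `LocationMatch` regex is unquoted while the two below it are quoted.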
@@ -8,7 +125,7 @@
 {%- include "apache/files/_ssl.conf" %}
 {%- include "apache/files/_locations.conf" %}
 
-    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIDaemonProcess keystone-public processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
     WSGIProcessGroup keystone-public
     WSGIScriptAlias / /usr/bin/keystone-wsgi-public
     WSGIApplicationGroup %{GLOBAL}
@@ -29,34 +146,23 @@
         </IfVersion>
     </Directory>
 
-    {% if server.websso is defined %}
-    {% if server.websso.shib_url_scheme is defined %}
-    ShibURLScheme {{ server.websso.shib_url_scheme }}
-    {%- endif %}
+    {% if server.get('federation', {}).saml2 is defined %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
-    <Location /Shibboleth.sso>
-      SetHandler shib
-    </Location>
-    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
+    {{ setup_saml2() }}
+    {%- endif %}
+    {% if server.get('federation', {}).oidc is defined %}
+    {{ setup_oidc() }}
     {%- endif %}
 
+    Alias /identity_admin /usr/bin/keystone-wsgi-admin
+    <Location /identity_admin>
+        SetHandler wsgi-script
+        Options +ExecCGI
+
+        WSGIProcessGroup keystone-admin
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+    </Location>
 </VirtualHost>
 
 <VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357>
@@ -64,7 +170,7 @@
 {%- include "apache/files/_ssl.conf" %}
 {%- include "apache/files/_locations.conf" %}
 
-    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIDaemonProcess keystone-admin processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
     WSGIProcessGroup keystone-admin
     WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
     WSGIApplicationGroup %{GLOBAL}
@@ -85,52 +191,22 @@
         </IfVersion>
     </Directory>
 
-    {% if server.websso is defined %}
-    {% if server.websso.shib_url_scheme is defined %}
-    ShibURLScheme {{ server.websso.shib_url_scheme }}
-    {%- endif %}
+    {% if server.get('federation', {}).saml2 is defined %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
-    <Location /Shibboleth.sso>
-      SetHandler shib
-    </Location>
-    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
-    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
-      ShibRequestSetting requireSession 1
-      AuthType shibboleth
-      ShibExportAssertion Off
-      Require valid-user
-    </LocationMatch>
+    {{ setup_saml2() }}
     {%- endif %}
 
+    {% if server.get('federation', {}).oidc is defined %}
+    {{ setup_oidc() }}
+    {%- endif %}
+
+    Alias /identity /usr/bin/keystone-wsgi-public
+    <Location /identity>
+        SetHandler wsgi-script
+        Options +ExecCGI
+
+        WSGIProcessGroup keystone-public
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+    </Location>
 </VirtualHost>
-
-Alias /identity /usr/bin/keystone-wsgi-public
-<Location /identity>
-    SetHandler wsgi-script
-    Options +ExecCGI
-
-    WSGIProcessGroup keystone-public
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-</Location>
-
-Alias /identity_admin /usr/bin/keystone-wsgi-admin
-<Location /identity_admin>
-    SetHandler wsgi-script
-    Options +ExecCGI
-
-    WSGIProcessGroup keystone-admin
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-</Location>
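Review bot: The `/identity` Location added to the 35357 VirtualHost references `WSGIProcessGroup keystone-public`, a daemon group presumably declared in the public VirtualHost; if I recall mod_wsgi's scoping correctly, a group declared inside a VirtualHost is only usable from that VirtualHost (or one with the same ServerName), so this may fail with a daemon-process-group-not-found error unless both vhosts share a ServerName. The mirror-image `/identity_admin` block lands in the public VirtualHost (hunk starting outside this view) and has the same cross-vhost reference. That placement also keeps the admin WSGI application reachable on the public listener, as the old global aliases already did; if the admin endpoint is meant to stay on a private bind address, `/identity_admin` belongs in the 35357 vhost instead. Either way a one-line comment stating why each vhost serves the other application would help the next reader.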
diff --git a/keystone/files/salt-minion.conf b/keystone/files/salt-minion.conf
deleted file mode 100644
index 19c5af9..0000000
--- a/keystone/files/salt-minion.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-{%- if pillar.keystone.get('server', {'enabled': False}).enabled -%}
-{%- from "keystone/map.jinja" import server with context -%}
-keystone.token: '{{ server.service_token }}'
-keystone.endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-{%- else -%}
-{%- from "keystone/map.jinja" import client with context -%}
-keystone.user: '{{ client.server.user }}'
-keystone.password: '{{ client.server.password }}'
-keystone.tenant: '{{ client.server.tenant }}'
-keystone.auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
-{%- endif %}
-
-{#-
-vim: syntax=jinja
--#}
diff --git a/keystone/map.jinja b/keystone/map.jinja
index 361bba9..35a2613 100644
--- a/keystone/map.jinja
+++ b/keystone/map.jinja
@@ -1,3 +1,7 @@
+{%- set system_cacerts_file = salt['grains.filter_by']({
+    'Debian': '/etc/ssl/certs/ca-certificates.crt',
+    'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
+})%}
 
 {% set server = salt['grains.filter_by']({
     'Debian': {
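Review bot: The `system_cacerts_file` filter_by has entries only for Debian and RedHat and no default, so on any other os_family it renders as `None` and the `file.exists` fallback in server.sls ends up checking a path literally named `None`. Either add a `'default'` entry (or pass `default='Debian'`) to the map, or have the server.sls else-branch require `cacert_file` explicitly when the grain is unknown. A short comment such as `{#- System CA bundle used when no explicit cacert_file is given for database/message_queue TLS #}` would also explain what the variable is for.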
@@ -6,6 +10,8 @@
         'version': 'icehouse',
         'api_version': '2',
         'cors': {},
+        'hash_algorithm': 'sha256',
+        'max_request_body_size': '114688',
         'tokens': {
           'engine': 'database',
           'expiration': '86400'
@@ -20,6 +26,8 @@
         'api_version': '2',
         'version': 'icehouse',
         'cors': {},
+        'hash_algorithm': 'sha256',
+        'max_request_body_size': '114688',
         'tokens': {
           'engine': 'database',
           'expiration': '86400'
@@ -50,3 +58,13 @@
         'pkgs': [],
     },
 }, merge=pillar.keystone.get('control', {})) %}
+
+{% set monitoring = salt['grains.filter_by']({
+    'default': {
+        'error_log_rate': 0.2,
+        'failed_auths': {
+            'percentage': 50,
+            'all_auths_rate': 0.1,
+        },
+    },
+}, grain='os_family', merge=salt['pillar.get']('keystone:monitoring')) %}
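Review bot: The three `monitoring` thresholds carry no comment on their units, although the prometheus.yml alerts in this commit use `error_log_rate` as an errors-per-second rate over a 5-minute window, `failed_auths.percentage` as a failed-to-all ratio in percent, and `all_auths_rate` as the minimum total authentication rate below which the ratio alert stays silent. I would add `{#- error_log_rate: errors/s (5m window); failed_auths.percentage: failed/all auths in %; all_auths_rate: minimum auths/s before the ratio alert fires #}` above the `set`. The `keystone:monitoring` pillar override is also worth a line in the README.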
diff --git a/keystone/meta/grafana.yml b/keystone/meta/grafana.yml
index 1f3370f..75c3ee7 100644
--- a/keystone/meta/grafana.yml
+++ b/keystone/meta/grafana.yml
@@ -1,8 +1,14 @@
 dashboard:
-  keystone:
+  keystone_prometheus:
+    datasource: prometheus
+    format: json
+    template: keystone/files/grafana_dashboards/keystone_prometheus.json
+  keystone_influxdb:
+    datasource: influxdb
     format: json
     template: keystone/files/grafana_dashboards/keystone_influxdb.json
   main:
+    datasource: influxdb
     row:
       ost-control-plane:
         title: OpenStack Control Plane
@@ -18,6 +24,7 @@
                 rawQuery: true
                 query: SELECT last(value) FROM cluster_status WHERE cluster_name = 'keystone' AND environment_label = '$environment' AND $timeFilter GROUP BY time($interval) fill(null)
   service_level:
+    datasource: influxdb
     row:
       keystone-service-level:
         title: Keystone Service Levels
diff --git a/keystone/meta/prometheus.yml b/keystone/meta/prometheus.yml
new file mode 100644
index 0000000..33a5b3c
--- /dev/null
+++ b/keystone/meta/prometheus.yml
@@ -0,0 +1,42 @@
+{%- if pillar.keystone.server is defined and pillar.keystone.server.get('enabled') %}
+{%- from "keystone/map.jinja" import monitoring with context %}
+{% raw %}
+server:
+  alert:
+    KeystoneAPIDown:
+      if: >-
+        openstack_api_check_status{service=~"keystone.*"} == 0
+      for: 2m
+      labels:
+        severity: down
+        service: "{{ $labels.service }}"
+      annotations:
+        summary: "Endpoint check for '{{ $labels.service }}' is down"
+        description: >-
+            Endpoint check for '{{ $labels.service }}' is down for 2 minutes
+    KeystoneErrorLogsTooHigh:
+{%- endraw %}
+      {%- set log_threshold = monitoring.error_log_rate|float %}
+      if: >-
+        sum(rate(log_messages{service="keystone",level=~"error|emergency|fatal"}[5m])) without (level) > {{ log_threshold }}
+{%- raw %}
+      labels:
+        severity: warning
+        service: "{{ $labels.service }}"
+      annotations:
+        summary: 'Too many errors in {{ $labels.service }} logs'
+        description: 'The rate of errors in {{ $labels.service }} logs over the last 5 minutes is too high on node {{ $labels.host }} (current value={{ $value }}, threshold={%- endraw %}{{ log_threshold }}).'
+    KeystoneFailedAuthsTooHigh:
+      {%- set auth_threshold = monitoring.failed_auths.percentage %}
+      {%- set rate_threshold = monitoring.failed_auths.all_auths_rate|float %}
+      if: >-
+        rate(authentications_total_failed[5m]) > rate(authentications_total_all[5m]) * {{ auth_threshold }} / 100 and rate(authentications_total_all[5m]) > {{ rate_threshold }}
+{%- raw %}
+      labels:
+        severity: warning
+        service: keystone
+      annotations:
+        summary: 'Too many failed authentications in Keystone'
+        description: 'The rate of failed authentications in Keystone over the last 5 minutes is too high (current value={{ $value }}, threshold={%- endraw %}{{ auth_threshold }}).'
+
+{%- endif %}
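Review bot: In the `KeystoneFailedAuthsTooHigh` description, `$value` is the failed-authentication rate in auths/s while `threshold={{ auth_threshold }}` is a percentage, so the rendered alert text compares unlike quantities; phrase it as `threshold={%- endraw %}{{ auth_threshold }}% of all authentications` or report the computed ratio instead. `auth_threshold` is also the only threshold rendered without a cast, unlike the `|float` casts beside it, so a string pillar value is interpolated as-is. Neither rate-based alert carries a `for:` clause as `KeystoneAPIDown` does, so a single noisy 5-minute window fires immediately; a `for: 5m` or similar would damp that, assuming the team wants it.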
diff --git a/keystone/meta/salt.yml b/keystone/meta/salt.yml
index c5f5e3a..a729abd 100644
--- a/keystone/meta/salt.yml
+++ b/keystone/meta/salt.yml
@@ -7,3 +7,54 @@
   control:
     priority: 520
 
+minion:
+  {%- if pillar.get('keystone', {}).get('server') or pillar.get('keystone', {}).get('client') %}
+    {%- from "keystone/map.jinja" import server with context %}
+    {%- from "keystone/map.jinja" import client with context %}
+
+  keystone:
+    {%- if pillar.keystone.get('server', {'enabled': False}).enabled %}
+    keystone.token: '{{ server.service_token }}'
+    keystone.endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
+    {%- else %}
+      {%- if client.get('server', {}).get('user') %}
+    keystone.user: '{{ client.server.user }}'
+    keystone.password: '{{ client.server.password }}'
+    keystone.tenant: '{{ client.server.tenant }}'
+    keystone.auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
+      {%- endif %}
+    {%- endif %}
+
+    {#- Profile based metadata #}
+    {%- for profile_name, identity in client.get('server', {}).iteritems() %}
+      {%- if identity.admin.get('protocol', 'http') == 'http' %}
+        {%- set protocol = 'http' %}
+      {%- else %}
+        {%- set protocol = 'https' %}
+      {%- endif %}
+
+      {%- if identity.admin.get('api_version', '2') == '3' %}
+        {%- set version = "v3" %}
+      {%- else %}
+        {%- set version = "v2.0" %}
+      {%- endif %}
+
+      {%- if identity.admin.user is defined %}
+        {%- if identity.admin.token is not defined %}
+
+    {{ profile_name }}:
+      keystone.user: '{{ identity.admin.user }}'
+      keystone.password: '{{ identity.admin.password }}'
+      keystone.tenant: '{{ identity.admin.project }}'
+      keystone.auth_url: '{{ protocol+'://'+identity.admin.host+':'+identity.admin.port|string+'/'+version }}'
+      keystone.region_name: '{{ identity.admin.region_name }}'
+      keystone.use_keystoneauth: {{ identity.admin.get('use_keystoneauth', false) }}
+
+        {%- endif %}
+      {%- endif %}
+    {%- endfor %}
+  {%- endif %}
+
+{#-
+vim: syntax=jinja
+-#}
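Review bot: `client.get('server', {}).iteritems()` in the profile loop is Python 2 only; the same idiom appears in server.sls as `server.get('domain', {}).itervalues()` and `server.get('policy', {}).iteritems()`, so all three templates fail to render on a Python 3 minion. Use `.items()` / `.values()`, which Jinja handles on both. The loop also dereferences `identity.admin` for every profile unconditionally, so a client profile without an `admin` key raises an undefined error at render time; guarding with `{%- if identity.get('admin') %}` or documenting that `admin` is mandatory would make the failure explicit.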
diff --git a/keystone/meta/telegraf.yml b/keystone/meta/telegraf.yml
new file mode 100644
index 0000000..6b92366
--- /dev/null
+++ b/keystone/meta/telegraf.yml
@@ -0,0 +1,23 @@
+{%- from "keystone/map.jinja" import server with context %}
+{%- if server is defined and server.get('enabled', False) %}
+remote_agent:
+  input:
+    openstack:
+      interval: '1m'
+      project: "{{ server.admin_tenant }}"
+      tenant: "{{ server.admin_tenant }}"
+      region: "{{ server.region }}"
+      username: "{{ server.admin_name }}"
+      password: "{{ server.admin_password }}"
+      identity_endpoint: "http://{{ server.bind.private_address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.private_port }}/v{% if server.get('api_version', 2)|int == 2 %}2.0{% else %}3{% endif %}"
+      monitor_agents: "true"
+agent:
+  input:
+    http_response:
+      keystone-public-api:
+        address: "http://{{ server.bind.address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.public_port }}/"
+        expected_code: 300
+      keystone-admin-api:
+        address: "http://{{ server.bind.address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.private_port }}/"
+        expected_code: 300
+{%- endif %}
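Review bot: The `remote_agent` openstack input is rendered with the cloud admin identity (`username: "{{ server.admin_name }}"` / `password: "{{ server.admin_password }}"`), so the telegraf configuration on the monitoring host holds full admin credentials; if the input only needs to read the catalog and service status, a dedicated monitoring user with the minimum role would be the least-privilege choice and would limit the impact of a leaked config. I cannot tell from here whether the formula offers a pillar for such a user, so take that as a design note. The `http_response` checks use `server.bind.address` while `identity_endpoint` uses `server.bind.private_address`; both get the `0.0.0.0` to `127.0.0.1` substitution, but the reason for the split is not obvious and deserves a comment.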
diff --git a/keystone/server.sls b/keystone/server.sls
index 7452a80..97fa2e0 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -1,18 +1,37 @@
-{%- from "keystone/map.jinja" import server with context %}
+{%- from "keystone/map.jinja" import server, system_cacerts_file with context %}
 {%- if server.enabled %}
 
 keystone_packages:
   pkg.installed:
   - names: {{ server.pkgs }}
 
+{%- set ldap = {'enabled': False} %}
+{%- if server.get('backend') == 'ldap' %}
+  {%- do ldap.update({'enabled': True}) %}
+{%- else %}
+  {%- for domain in server.get('domain', {}).itervalues() %}
+    {%- if domain.get('ldap') %}
+      {%- do ldap.update({'enabled': True}) %}
+    {%- endif %}
+  {%- endfor %}
+{%- endif %}
+
+{%- if ldap.enabled %}
+keystone_ldap_packages:
+  pkg.installed:
+  - names:
+    - python-ldap
+    - python-ldappool
+{% endif %}
+
 {%- if server.service_name in ['apache2', 'httpd'] %}
-{%- if not grains.get('noservices', False) %}
+{%- set keystone_service = 'apache_service' %}
+
 purge_not_needed_configs:
   file.absent:
     - names: ['/etc/apache2/sites-enabled/keystone.conf', '/etc/apache2/sites-enabled/wsgi-keystone.conf']
     - watch_in:
-      - service: keystone_service
-{%- endif %}
+      - service: {{ keystone_service }}
 
 include:
 - apache
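Review bot: The `keystone_ldap_packages` state hard-codes `python-ldap` and `python-ldappool` in the state itself, whereas every other package list in this formula comes from `server.pkgs` in map.jinja, which is where an os_family-specific name would go. I would move them into a per-os_family entry in map.jinja (an `ldap_pkgs` key, name is a proposal) and reference it as `- names: {{ server.ldap_pkgs }}`. Minor: the closing `{% endif %}` of the ldap block lacks the `-` whitespace control used on every other tag, leaving a stray blank line in the rendered SLS.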
@@ -28,14 +47,11 @@
     - watch:
       - pkg: keystone_packages
 
-{%- endif %}
+{%- else %}
 
-keystone_salt_config:
-  file.managed:
-    - name: /etc/salt/minion.d/keystone.conf
-    - template: jinja
-    - source: salt://keystone/files/salt-minion.conf
-    - mode: 600
+{%- set keystone_service = 'keystone_service' %}
+
+{%- endif %}
 
 {%- if not salt['user.info']('keystone') %}
 
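Review bot: The removed `keystone_salt_config` state managed `/etc/salt/minion.d/keystone.conf` with `mode: 600`; its content (the service token, admin user and password) now flows through the new `minion:` section of meta/salt.yml, so the on-disk permissions of those secrets are whatever the consuming salt formula applies to its minion.d files. Worth confirming that file remains owner-only readable. A one-line comment next to the new `{%- else %}` branch noting where the minion configuration went would also help, since a reader of server.sls alone sees only a deletion.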
@@ -67,45 +83,78 @@
   - template: jinja
   - require:
     - pkg: keystone_packages
-  {%- if not grains.get('noservices', False) %}
   - watch_in:
-    - service: keystone_service
-  {%- endif %}
+    - service: {{ keystone_service }}
 
-{% if server.websso is defined %}
+{% if server.federation is defined %}
 
 /etc/keystone/sso_callback_template.html:
   file.managed:
   - source: salt://keystone/files/sso_callback_template.html
   - require:
     - pkg: keystone_packages
-  {%- if not grains.get('noservices', False) %}
   - watch_in:
-    - service: keystone_service
-  {%- endif %}
+    - service: {{ keystone_service }}
 
 {%- endif %}
 
 /etc/keystone/keystone-paste.ini:
   file.managed:
   - source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
+  - user: keystone
+  - group: keystone
   - template: jinja
   - require:
     - pkg: keystone_packages
-  {%- if not grains.get('noservices', False) %}
   - watch_in:
-    - service: keystone_service
-  {%- endif %}
+    - service: {{ keystone_service }}
 
 /etc/keystone/policy.json:
   file.managed:
-  - source: salt://keystone/files/{{ server.version }}/policy-v{{ server.api_version }}.json
+  - user: keystone
+  - group: keystone
   - require:
     - pkg: keystone_packages
-  {%- if not grains.get('noservices', False) %}
   - watch_in:
-    - service: keystone_service
-  {%- endif %}
+    - service: {{ keystone_service }}
+
+/etc/keystone/logging.conf:
+  file.managed:
+  - user: keystone
+  - group: keystone
+  - require:
+    - pkg: keystone_packages
+  - watch_in:
+    - service: {{ keystone_service }}
+
+{%- for name, rule in server.get('policy', {}).iteritems() %}
+
+{%- if rule != None %}
+
+rule_{{ name }}_present:
+  keystone_policy.rule_present:
+  - path: /etc/keystone/policy.json
+  - name: {{ name }}
+  - rule: {{ rule }}
+  - require:
+    - pkg: keystone_packages
+  - watch_in:
+    - service: {{ keystone_service }}
+
+{%- else %}
+
+rule_{{ name }}_absent:
+  keystone_policy.rule_absent:
+  - path: /etc/keystone/policy.json
+  - name: {{ name }}
+  - require:
+    - pkg: keystone_packages
+  - watch_in:
+    - service: {{ keystone_service }}
+
+{%- endif %}
+
+{%- endfor %}
 
 {%- if server.get("domain", {}) %}
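Review bot: `- rule: {{ rule }}` in `rule_{{ name }}_present` injects the policy rule unquoted into YAML, so any rule containing `: ` or ` #` (or starting with `[` / `{`) changes the parse of the state; `- rule: "{{ rule }}"` keeps it a string for every oslo.policy rule that has no double quote of its own. `/etc/keystone/policy.json` (and the new `/etc/keystone/logging.conf`) is now `file.managed` without `source`, which presumably relies on the package-shipped file; if that file is missing, file.managed creates an empty one and the `keystone_policy.rule_present` states then operate on invalid JSON, so `- create: False` plus a comment stating that the package provides the content would make the intent explicit and surface the missing file as an error. `{%- if rule != None %}` would read more idiomatically as `{%- if rule is not none %}`.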
 
@@ -123,10 +172,8 @@
     - template: jinja
     - require:
       - file: /etc/keystone/domains
-    {%- if not grains.get('noservices', False) %}
     - watch_in:
-      - service: keystone_service
-    {%- endif %}
+      - service: {{ keystone_service }}
     - defaults:
         domain_name: {{ domain_name }}
 
@@ -140,22 +187,19 @@
       - file: /etc/keystone/domains
     {%- if not grains.get('noservices', False) %}
     - watch_in:
-      - service: keystone_service
+      - service: {{ keystone_service }}
     {%- endif %}
 
 {%- endif %}
 
-{%- if not grains.get('noservices', False) %}
 keystone_domain_{{ domain_name }}:
   cmd.run:
     - name: source /root/keystonercv3 && openstack domain create --description "{{ domain.description }}" {{ domain_name }}
-    - unless: source /root/keystonercv3 && openstack domain list | grep " {{ domain_name }}"
+    - unless: {% if grains.get('noservices') %}/bin/true{% else %}source /root/keystonercv3 && openstack domain list | grep " {{ domain_name }}"{% endif %}
+    - shell: /bin/bash
     - require:
       - file: /root/keystonercv3
-    {%- if not grains.get('noservices', False) %}
-      - service: keystone_service
-    {%- endif %}
-{%- endif %}
+      - service: {{ keystone_service }}
 
 {%- endfor %}
 
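Review bot: The rewritten `unless` still tests with `openstack domain list | grep " {{ domain_name }}"`, which is a prefix match: if a domain named `testing` exists, grep matches and a domain named `test` is never created (both names appear in this commit's test pillars). `openstack domain show {{ domain_name }}` (or `grep " {{ domain_name }} "` with the trailing column space) makes the check exact, e.g. `- unless: {% if grains.get('noservices') %}/bin/true{% else %}source /root/keystonercv3 && openstack domain show {{ domain_name }}{% endif %}`. The `{%- if not grains.get('noservices', False) %}` guard around the `watch_in` a few lines above is the one place in this file where the old pattern survived; every other occurrence was replaced by the `{{ keystone_service }}` indirection, so it looks like an oversight.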
@@ -169,19 +213,23 @@
     - contents_pillar: keystone:server:ldap:tls:cacert
     - require:
       - pkg: keystone_packages
-    {%- if not grains.get('noservices', False) %}
     - watch_in:
-      - service: keystone_service
-    {%- endif %}
+      - service: {{ keystone_service }}
 
 {%- endif %}
 
-{%- if not grains.get('noservices', False) %}
+{%- if server.service_name not in ['apache2', 'httpd'] %}
 keystone_service:
   service.running:
   - name: {{ server.service_name }}
   - enable: True
+  {%- if grains.get('noservices') %}
+  - onlyif: /bin/false
+  {%- endif %}
   - watch:
+    {%- if server.notification and server.message_queue.get('ssl',{}).get('enabled', False) %}
+    - file: rabbitmq_ca
+    {%- endif %}
     - file: /etc/keystone/keystone.conf
 {%- endif %}
 
@@ -214,7 +262,7 @@
   - name: keystone-manage db_sync && sleep 1
   - timeout: 120
   - require:
-    - service: keystone_service
+    - service: {{ keystone_service }}
 {%- endif %}
 
 {% if server.tokens.engine == 'fernet' %}
@@ -235,22 +283,32 @@
   cmd.run:
   - name: keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
   - require:
-    - service: keystone_service
+    - service: {{ keystone_service }}
     - file: keystone_fernet_keys
-
-{%- if server.version == 'newton' %}
-keystone_fernet_setup_credentials:
-  cmd.run:
-  - name: keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
-  - require:
-    - service: keystone_service
-    - cmd: keystone_fernet_setup
-    - file: keystone_fernet_keys
-{%- endif %}
 {%- endif %}
 
 {% endif %}
 
+{%- if server.version in ['newton', 'ocata'] %}
+keystone_credential_keys:
+  file.directory:
+  - name: {{ server.credential.location }}
+  - mode: 750
+  - user: keystone
+  - group: keystone
+  - require:
+    - pkg: keystone_packages
+
+{%- if not grains.get('noservices', False) %}
+keystone_credential_setup:
+  cmd.run:
+  - name: keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
+  - require:
+    - service: {{ keystone_service }}
+    - file: keystone_credential_keys
+{%- endif %}
+{%- endif %}
+
 {%- if not grains.get('noservices', False) %}
 
 {%- if not salt['pillar.get']('linux:system:repo:mirantis_openstack', False) %}
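Review bot: `keystone_credential_setup` is skipped with a Jinja `{%- if not grains.get('noservices', False) %}` guard while `keystone_service` in the hunk above uses the new `onlyif: /bin/false` pattern for the same purpose; picking one mechanism would make the noservices behaviour easier to follow. `- mode: 750` on `keystone_credential_keys` works because Salt normalises the integer, but quoting it (`- mode: '0750'`) avoids depending on the loader, and the same applies to the `0444` modes later in the file, where the leading zero is the classic YAML octal trap. A comment noting that `credential_setup` is relied on to be a no-op when keys already exist (if that is the author's assumption) would document the idempotence of the cmd.run.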
@@ -262,7 +320,6 @@
   - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
   - require:
     - cmd: keystone_syncdb
-    - file: keystone_salt_config
 
 keystone_admin_tenant:
   keystone.tenant_present:
@@ -320,7 +377,6 @@
   - connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
   - require:
     - keystone: keystone_{{ service_name }}_service
-    - file: keystone_salt_config
 
 {% if service.user is defined %}
 
@@ -377,4 +433,37 @@
 {%- endfor %}
 {%- endif %} {# end noservices #}
 
+{%- if server.database.get('ssl',{}).get('enabled',False)  %}
+mysql_ca:
+{%- if server.database.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ server.database.ssl.cacert_file }}
+    - contents_pillar: keystone:server:database:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+    - require_in:
+      - file: /etc/keystone/keystone.conf
+{%- else %}
+  file.exists:
+   - name: {{ server.database.ssl.get('cacert_file', system_cacerts_file) }}
+   - require_in:
+     - file: /etc/keystone/keystone.conf
+{% endif %}
+{% endif %}
+
+
+{%- if server.notification and server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbitmq_ca:
+{%- if server.message_queue.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ server.message_queue.ssl.cacert_file }}
+    - contents_pillar: keystone:server:message_queue:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ server.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
+
 {%- endif %}
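Review bot: The `file.exists` branches of `mysql_ca` and `rabbitmq_ca` indent their arguments with three spaces (`   - name:`) while the `file.managed` branches use four; YAML accepts it, but the rendered state is harder to read, so align them. `- mode: 0444` is the leading-zero octal form that YAML 1.1 retypes; `- mode: '0444'` is the safe spelling. `rabbitmq_ca` has no `require_in` on keystone.conf as `mysql_ca` does and relies instead on the `watch` added to `keystone_service`; if that asymmetry is intentional, a one-line comment saying so would save the next reader a comparison.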
diff --git a/metadata/service/server/cluster.yml b/metadata/service/server/cluster.yml
index 5038cf3..147bd34 100644
--- a/metadata/service/server/cluster.yml
+++ b/metadata/service/server/cluster.yml
@@ -30,6 +30,8 @@
         engine: cache
         expiration: 43200
         location: /etc/keystone/fernet-keys/
+      credential:
+        location: /etc/keystone/credential-keys/
       message_queue:
         engine: rabbitmq
         host: ${_param:cluster_vip_address}
diff --git a/metadata/service/server/single.yml b/metadata/service/server/single.yml
index 5269121..d131fd7 100644
--- a/metadata/service/server/single.yml
+++ b/metadata/service/server/single.yml
@@ -30,6 +30,8 @@
         engine: cache
         expiration: 43200
         location: /etc/keystone/fernet-keys/
+      credential:
+        location: /etc/keystone/credential-keys/
       message_queue:
         engine: rabbitmq
         host: ${_param:single_address}
diff --git a/metadata/service/support.yml b/metadata/service/support.yml
index 283ca7e..413387b 100644
--- a/metadata/service/support.yml
+++ b/metadata/service/support.yml
@@ -6,10 +6,14 @@
       heka:
         enabled: true
       sensu:
-        enabled: true
+        enabled: false
       sphinx:
         enabled: true
       config:
         enabled: true
       grafana:
         enabled: true
+      telegraf:
+        enabled: true
+      prometheus:
+        enabled: true
diff --git a/tests/pillar/cluster.sls b/tests/pillar/cluster.sls
index 898b6ae..c6d7cc6 100644
--- a/tests/pillar/cluster.sls
+++ b/tests/pillar/cluster.sls
@@ -44,3 +44,8 @@
         port: 11211
       - host: 127.0.0.1
         port: 11211
+    domain:
+      test:
+        description: "Test domain"
+        identity:
+          list_limit: 20
diff --git a/tests/pillar/single_domain.sls b/tests/pillar/single_domain.sls
new file mode 100644
index 0000000..be0272e
--- /dev/null
+++ b/tests/pillar/single_domain.sls
@@ -0,0 +1,72 @@
+keystone:
+# Server state
+  server:
+    enabled: true
+    version: liberty
+    service_token: RANDOMSTRINGTOKEN
+    service_tenant: service
+    admin_tenant: admin
+    admin_name: admin
+    admin_password: passw0rd
+    admin_email: root@localhost
+    bind:
+      address: 0.0.0.0
+      private_address: 127.0.0.1
+      private_port: 35357
+      public_address: 127.0.0.1
+      public_port: 5000
+    region: RegionOne
+    database:
+      engine: mysql
+      host: localhost
+      name: keystone
+      password: passw0rd
+      user: keystone
+    tokens:
+      engine: cache
+      expiration: 86400
+      location: /etc/keystone/fernet-keys/
+    notification: false
+    notification_format: cadf
+    domain:
+      testing:
+        description: "Testing domain"
+        backend: ldap
+        assignment:
+          backend: sql
+        ldap:
+          url: "ldaps://idm.domain.com"
+          suffix: "dc=cloud,dc=domain,dc=com"
+          uid: keystone
+          password: password
+# CI related dependencies
+mysql:
+  client:
+    enabled: true
+    version: '5.7'
+    admin:
+      host: localhost
+      port: 3306
+      user: admin
+      password: password
+      encoding: utf8
+  server:
+    enabled: true
+    version: "5.7"
+    force_encoding: utf8
+    bind:
+      address: 0.0.0.0
+      port: 3306
+      protocol: tcp
+    database:
+      keystone:
+        encoding: utf8
+        users:
+        - host: '%'
+          name: keystone
+          password: passw0rd
+          rights: all
+        - host: 127.0.0.1
+          name: keystone
+          password: passw0rd
+          rights: all
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
new file mode 100644
index 0000000..f60e5ed
--- /dev/null
+++ b/tests/pillar/ssl.sls
@@ -0,0 +1,53 @@
+# Test case with enabled SSL of the following communication paths:
+# - messaging (rabbitmq)
+
+keystone:
+  server:
+    enabled: true
+    version: liberty
+    service_token: token
+    service_tenant: service
+    admin_tenant: admin
+    admin_name: admin
+    admin_password: passw0rd
+    admin_email: root@localhost
+    bind:
+      address: 0.0.0.0
+      private_address: 127.0.0.1
+      private_port: 35357
+      public_address: 127.0.0.1
+      public_port: 5000
+    region: RegionOne
+    database:
+      engine: mysql
+      host: 127.0.0.1
+      name: keystone
+      password: passw0rd
+      user: keystone
+      ssl:
+        enabled: True
+    tokens:
+      engine: cache
+      expiration: 86400
+      location: /etc/keystone/fernet-keys/
+    notification: true
+    notification_format: cadf
+    message_queue:
+      engine: rabbitmq
+      host: 127.0.0.1
+      port: 5671
+      user: openstack
+      password: passw0rd
+      virtual_host: '/openstack'
+      ha_queues: true
+      ssl:
+        enabled: True
+    cache:
+      engine: memcached
+      members:
+      - host: 127.0.0.1
+        port: 11211
+      - host: 127.0.0.1
+        port: 11211
+      - host: 127.0.0.1
+        port: 11211
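Review bot: The header comment lists only `messaging (rabbitmq)` as the SSL-enabled communication path, but the pillar also sets `database.ssl.enabled`, so the list should include `# - database (mysql)` as well. `enabled: True` in both `ssl:` blocks uses the capitalised YAML 1.1 boolean where the rest of the file and the other test pillars use `true`; normalise to `true`.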