diff --git a/README.rst b/README.rst
index 257037d..10d0a0c 100644
--- a/README.rst
+++ b/README.rst
@@ -333,7 +333,7 @@
         - password
         - token
         - saml2
-        websso:
+        federation:
           protocol: saml2
           remote_id_attribute: Shib-Identity-Provider
           federation_driver: keystone.contrib.federation.backends.sql.Federation
diff --git a/keystone/files/liberty/keystone.conf.Debian b/keystone/files/liberty/keystone.conf.Debian
index 05d0493..8f8fcc2 100644
--- a/keystone/files/liberty/keystone.conf.Debian
+++ b/keystone/files/liberty/keystone.conf.Debian
@@ -309,8 +309,8 @@
 {% if server.auth_methods is defined %}
 methods = {{ server.auth_methods |join(',') }}
 {%- endif %}
-{% if server.websso is defined %}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
+{% if server.federation is defined %}
+{{ server.federation.protocol }} = keystone.auth.plugins.mapped.Mapped
 {%- endif %}
 
 # Entrypoint for the password auth plugin module in the keystone.auth.password
@@ -330,9 +330,9 @@
 # namespace. (string value)
 #oauth1 = <None>
 
-{% if server.websso is defined %}
-[{{ server.websso.protocol }}]
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
+{% if server.federation is defined %}
+[{{ server.federation.protocol }}]
+remote_id_attribute = {{ server.federation.remote_id_attribute }}
 {%- endif %}
 
 [cache]
@@ -796,8 +796,8 @@
 # Entrypoint for the federation backend driver in the keystone.federation
 # namespace. (string value)
 #driver = sql
-{% if server.websso is defined %}
-driver = {{ server.websso.federation_driver }}
+{% if server.federation is defined %}
+driver = {{ server.federation.federation_driver }}
 {%- endif %}
 
 # Value to be used when filtering assertion parameters from the environment.
@@ -821,9 +821,9 @@
 # example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com
 # (multi valued)
 #trusted_dashboard =
-{%- if server.websso is defined %}
-{%- if server.websso.trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.federation is defined %}
+{%- if server.federation.trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
 trusted_dashboard = {{ dashboard }}
 {%- endfor %}
 {%- endif %}
diff --git a/keystone/files/liberty/wsgi-keystone.conf b/keystone/files/liberty/wsgi-keystone.conf
index beaf74b..51f19d0 100644
--- a/keystone/files/liberty/wsgi-keystone.conf
+++ b/keystone/files/liberty/wsgi-keystone.conf
@@ -20,7 +20,7 @@
       Require all granted
     </Directory>
 
-    {% if server.websso is defined %}
+    {% if server.federation is defined %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
     <Location /Shibboleth.sso>
       SetHandler shib
@@ -64,7 +64,7 @@
       Require all granted
     </Directory>
 
-    {% if server.websso is defined %}
+    {% if server.federation is defined %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
     <Location /Shibboleth.sso>
       SetHandler shib
diff --git a/keystone/files/mitaka/keystone.conf.Debian b/keystone/files/mitaka/keystone.conf.Debian
index 28991a4..1267de1 100644
--- a/keystone/files/mitaka/keystone.conf.Debian
+++ b/keystone/files/mitaka/keystone.conf.Debian
@@ -357,8 +357,8 @@
 {% if server.auth_methods is defined %}
 methods = {{ server.auth_methods |join(',') }}
 {%- endif %}
-{% if server.websso is defined %}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
+{% if server.federation is defined %}
+{{ server.federation.protocol }} = keystone.auth.plugins.mapped.Mapped
 {%- endif %}
 
 # Entrypoint for the password auth plugin module in the keystone.auth.password
@@ -858,8 +858,8 @@
 # Entrypoint for the federation backend driver in the keystone.federation
 # namespace. (string value)
 #driver = sql
-{%- if server.get('websso', {}).federation_driver is defined %}
-driver = {{ server.websso.federation_driver }}
+{%- if server.get('federation', {}).federation_driver is defined %}
+driver = {{ server.federation.federation_driver }}
 {%- endif %}
 
 # Value to be used when filtering assertion parameters from the environment.
@@ -870,8 +870,8 @@
 # environment (e.g. if using the mod_shib plugin this value is `Shib-Identity-
 # Provider`). (string value)
 #remote_id_attribute = <None>
-{%- if server.websso is defined %}
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
+{%- if server.federation is defined %}
+remote_id_attribute = {{ server.federation.remote_id_attribute }}
 {%- endif %}
 
 # A domain name that is reserved to allow federated ephemeral users to have a
@@ -879,8 +879,8 @@
 # this name or update an existing domain to this name. You are not advised to
 # change this value unless you really have to. (string value)
 #federated_domain_name = Federated
-{%- if server.get('websso', {}).federated_domain_name is defined %}
-federated_domain_name = {{ server.websso.federated_domain_name }}
+{%- if server.get('federation', {}).federated_domain_name is defined %}
+federated_domain_name = {{ server.federation.federated_domain_name }}
 {%- endif %}
 
 # A list of trusted dashboard hosts. Before accepting a Single Sign-On request
@@ -889,8 +889,8 @@
 # example: trusted_dashboard=http://acme.com/auth/websso
 # trusted_dashboard=http://beta.com/auth/websso (multi valued)
 #trusted_dashboard =
-{%- if server.get('websso', {}).trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.get('federation', {}).trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
 trusted_dashboard = {{ dashboard }}
 {%- endfor %}
 {%- endif %}
diff --git a/keystone/files/mitaka/wsgi-keystone.conf b/keystone/files/mitaka/wsgi-keystone.conf
index 763672d..aff6ff3 100644
--- a/keystone/files/mitaka/wsgi-keystone.conf
+++ b/keystone/files/mitaka/wsgi-keystone.conf
@@ -29,9 +29,9 @@
         </IfVersion>
     </Directory>
 
-    {% if server.websso is defined %}
-    {% if server.websso.shib_url_scheme is defined %}
-    ShibURLScheme {{ server.websso.shib_url_scheme }}
+    {% if server.federation is defined %}
+    {% if server.federation.shib_url_scheme is defined %}
+    ShibURLScheme {{ server.federation.shib_url_scheme }}
     {%- endif %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
     <Location /Shibboleth.sso>
@@ -85,9 +85,9 @@
         </IfVersion>
     </Directory>
 
-    {% if server.websso is defined %}
-    {% if server.websso.shib_url_scheme is defined %}
-    ShibURLScheme {{ server.websso.shib_url_scheme }}
+    {% if server.federation is defined %}
+    {% if server.federation.shib_url_scheme is defined %}
+    ShibURLScheme {{ server.federation.shib_url_scheme }}
     {%- endif %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
     <Location /Shibboleth.sso>
diff --git a/keystone/files/newton/keystone.conf.Debian b/keystone/files/newton/keystone.conf.Debian
index 6add60c..dfccfbf 100644
--- a/keystone/files/newton/keystone.conf.Debian
+++ b/keystone/files/newton/keystone.conf.Debian
@@ -417,8 +417,8 @@
 {% if server.auth_methods is defined %}
 methods = {{ server.auth_methods |join(',') }}
 {%- endif %}
-{% if server.websso is defined %}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
+{% if server.federation is defined %}
+{{ server.federation.protocol }} = keystone.auth.plugins.mapped.Mapped
 {%- endif %}
 
 # Entry point for the password auth plugin module in the
@@ -913,8 +913,8 @@
 # namespace. Keystone only provides a `sql` driver, so there is no reason to
 # set this option unless you are providing a custom entry point. (string value)
 #driver = sql
-{%- if server.get('websso', {}).federation_driver is defined %}
-driver = {{ server.websso.federation_driver }}
+{%- if server.get('federation', {}).federation_driver is defined %}
+driver = {{ server.federation.federation_driver }}
 {%- endif %}
 
 # Prefix to use when filtering environment variable names for federated
@@ -927,8 +927,8 @@
 # `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`,
 # this could be `MELLON_IDP`. (string value)
 #remote_id_attribute = <None>
-{%- if server.websso is defined %}
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
+{%- if server.federation is defined %}
+remote_id_attribute = {{ server.federation.remote_id_attribute }}
 {%- endif %}
 
 # An arbitrary domain name that is reserved to allow federated ephemeral users
@@ -936,8 +936,8 @@
 # domain with this name or update an existing domain to this name. You are not
 # advised to change this value unless you really have to. (string value)
 #federated_domain_name = Federated
-{%- if server.get('websso', {}).federated_domain_name is defined %}
-federated_domain_name = {{ server.websso.federated_domain_name }}
+{%- if server.get('federation', {}).federated_domain_name is defined %}
+federated_domain_name = {{ server.federation.federated_domain_name }}
 {%- endif %}
 
 # A list of trusted dashboard hosts. Before accepting a Single Sign-On request
@@ -947,8 +947,8 @@
 # trusted_dashboard=https://acme.example.com/auth/websso
 # trusted_dashboard=https://beta.example.com/auth/websso (multi valued)
 #trusted_dashboard =
-{%- if server.get('websso', {}).trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.get('federation', {}).trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
 trusted_dashboard = {{ dashboard }}
 {%- endfor %}
 {%- endif %}
diff --git a/keystone/files/newton/wsgi-keystone.conf b/keystone/files/newton/wsgi-keystone.conf
index 763672d..aff6ff3 100644
--- a/keystone/files/newton/wsgi-keystone.conf
+++ b/keystone/files/newton/wsgi-keystone.conf
@@ -29,9 +29,9 @@
         </IfVersion>
     </Directory>
 
-    {% if server.websso is defined %}
-    {% if server.websso.shib_url_scheme is defined %}
-    ShibURLScheme {{ server.websso.shib_url_scheme }}
+    {% if server.federation is defined %}
+    {% if server.federation.shib_url_scheme is defined %}
+    ShibURLScheme {{ server.federation.shib_url_scheme }}
     {%- endif %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
     <Location /Shibboleth.sso>
@@ -85,9 +85,9 @@
         </IfVersion>
     </Directory>
 
-    {% if server.websso is defined %}
-    {% if server.websso.shib_url_scheme is defined %}
-    ShibURLScheme {{ server.websso.shib_url_scheme }}
+    {% if server.federation is defined %}
+    {% if server.federation.shib_url_scheme is defined %}
+    ShibURLScheme {{ server.federation.shib_url_scheme }}
     {%- endif %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
     <Location /Shibboleth.sso>
diff --git a/keystone/files/ocata/keystone.conf.Debian b/keystone/files/ocata/keystone.conf.Debian
index aa442f2..f5c5a12 100644
--- a/keystone/files/ocata/keystone.conf.Debian
+++ b/keystone/files/ocata/keystone.conf.Debian
@@ -484,8 +484,8 @@
 {% if server.auth_methods is defined %}
 methods = {{ server.auth_methods |join(',') }}
 {%- endif %}
-{% if server.websso is defined %}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
+{% if server.federation is defined %}
+{{ server.federation.protocol }} = keystone.auth.plugins.mapped.Mapped
 {%- endif %}
 
 # Entry point for the password auth plugin module in the
@@ -985,8 +985,8 @@
 # namespace. Keystone only provides a `sql` driver, so there is no reason to
 # set this option unless you are providing a custom entry point. (string value)
 #driver = sql
-{%- if server.get('websso', {}).federation_driver is defined %}
-driver = {{ server.websso.federation_driver }}
+{%- if server.get('federation', {}).federation_driver is defined %}
+driver = {{ server.federation.federation_driver }}
 {%- endif %}
 
 # Prefix to use when filtering environment variable names for federated
@@ -999,8 +999,8 @@
 # `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`,
 # this could be `MELLON_IDP`. (string value)
 #remote_id_attribute = <None>
-{%- if server.websso is defined %}
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
+{%- if server.federation is defined %}
+remote_id_attribute = {{ server.federation.remote_id_attribute }}
 {%- endif %}
 
 # An arbitrary domain name that is reserved to allow federated ephemeral users
@@ -1008,8 +1008,8 @@
 # domain with this name or update an existing domain to this name. You are not
 # advised to change this value unless you really have to. (string value)
 #federated_domain_name = Federated
-{%- if server.get('websso', {}).federated_domain_name is defined %}
-federated_domain_name = {{ server.websso.federated_domain_name }}
+{%- if server.get('federation', {}).federated_domain_name is defined %}
+federated_domain_name = {{ server.federation.federated_domain_name }}
 {%- endif %}
 
 # A list of trusted dashboard hosts. Before accepting a Single Sign-On request
@@ -1019,8 +1019,8 @@
 # trusted_dashboard=https://acme.example.com/auth/websso
 # trusted_dashboard=https://beta.example.com/auth/websso (multi valued)
 #trusted_dashboard =
-{%- if server.get('websso', {}).trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.get('federation', {}).trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
 trusted_dashboard = {{ dashboard }}
 {%- endfor %}
 {%- endif %}
diff --git a/keystone/files/ocata/keystone.conf.RedHat b/keystone/files/ocata/keystone.conf.RedHat
index dd9a7c9..663854e 100644
--- a/keystone/files/ocata/keystone.conf.RedHat
+++ b/keystone/files/ocata/keystone.conf.RedHat
@@ -481,9 +481,9 @@
 # are being invoked to validate attributes in the request environment, it can
 # cause conflicts. (list value)
 #methods = external,password,token,oauth1,mapped
-{% if server.websso is defined %}
-methods = external,password,token,{{ server.websso.protocol }}
-{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
+{% if server.federation is defined %}
+methods = external,password,token,{{ server.federation.protocol }}
+{{ server.federation.protocol }} = keystone.auth.plugins.mapped.Mapped
 {%- endif %}
 
 # Entry point for the password auth plugin module in the
@@ -964,8 +964,8 @@
 # namespace. Keystone only provides a `sql` driver, so there is no reason to
 # set this option unless you are providing a custom entry point. (string value)
 #driver = sql
-{%- if server.get('websso', {}).federation_driver is defined %}
-driver = {{ server.websso.federation_driver }}
+{%- if server.get('federation', {}).federation_driver is defined %}
+driver = {{ server.federation.federation_driver }}
 {%- endif %}
 
 # Prefix to use when filtering environment variable names for federated
@@ -978,8 +978,8 @@
 # `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`,
 # this could be `MELLON_IDP`. (string value)
 #remote_id_attribute = <None>
-{%- if server.websso is defined %}
-remote_id_attribute = {{ server.websso.remote_id_attribute }}
+{%- if server.federation is defined %}
+remote_id_attribute = {{ server.federation.remote_id_attribute }}
 {%- endif %}
 
 # An arbitrary domain name that is reserved to allow federated ephemeral users
@@ -987,8 +987,8 @@
 # domain with this name or update an existing domain to this name. You are not
 # advised to change this value unless you really have to. (string value)
 #federated_domain_name = Federated
-{%- if server.get('websso', {}).federated_domain_name is defined %}
-federated_domain_name = {{ server.websso.federated_domain_name }}
+{%- if server.get('federation', {}).federated_domain_name is defined %}
+federated_domain_name = {{ server.federation.federated_domain_name }}
 {%- endif %}
 
 # A list of trusted dashboard hosts. Before accepting a Single Sign-On request
@@ -998,8 +998,8 @@
 # trusted_dashboard=https://acme.example.com/auth/websso
 # trusted_dashboard=https://beta.example.com/auth/websso (multi valued)
 #trusted_dashboard =
-{%- if server.get('websso', {}).trusted_dashboard is defined %}
-{%- for dashboard in server.websso.trusted_dashboard %}
+{%- if server.get('federation', {}).trusted_dashboard is defined %}
+{%- for dashboard in server.federation.trusted_dashboard %}
 trusted_dashboard = {{ dashboard }}
 {%- endfor %}
 {%- endif %}
diff --git a/keystone/files/ocata/wsgi-keystone.conf b/keystone/files/ocata/wsgi-keystone.conf
index 763672d..aff6ff3 100644
--- a/keystone/files/ocata/wsgi-keystone.conf
+++ b/keystone/files/ocata/wsgi-keystone.conf
@@ -29,9 +29,9 @@
         </IfVersion>
     </Directory>
 
-    {% if server.websso is defined %}
-    {% if server.websso.shib_url_scheme is defined %}
-    ShibURLScheme {{ server.websso.shib_url_scheme }}
+    {% if server.federation is defined %}
+    {% if server.federation.shib_url_scheme is defined %}
+    ShibURLScheme {{ server.federation.shib_url_scheme }}
     {%- endif %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
     <Location /Shibboleth.sso>
@@ -85,9 +85,9 @@
         </IfVersion>
     </Directory>
 
-    {% if server.websso is defined %}
-    {% if server.websso.shib_url_scheme is defined %}
-    ShibURLScheme {{ server.websso.shib_url_scheme }}
+    {% if server.federation is defined %}
+    {% if server.federation.shib_url_scheme is defined %}
+    ShibURLScheme {{ server.federation.shib_url_scheme }}
     {%- endif %}
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
     <Location /Shibboleth.sso>
diff --git a/keystone/server.sls b/keystone/server.sls
index 4e0c12d..05d10c0 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -65,7 +65,7 @@
     - service: keystone_service
   {%- endif %}
 
-{% if server.websso is defined %}
+{% if server.federation is defined %}
 
 /etc/keystone/sso_callback_template.html:
   file.managed: