Translations:ReleaseNotes/Juno/66/en


 * Keystone now has experimental support for Keystone-to-Keystone federation, where one instance acts as an Identity Provider and the other as a Service Provider.
 * PKIZ is a new token provider available for users of PKI tokens, which simply adds zlib-based compression to traditional PKI tokens.
 * The hashing algorithm used for PKI tokens has been made configurable (the default is still MD5, but the Keystone team recommends that deployments migrate to SHA256).
 * Identity-driver-configuration-per-domain now supports Internet domain names of arbitrary hierarchical complexity (for example, ).
 * The LDAP identity backend now supports  as an attribute of users.
 * Identity API v3 requests are now validated via JSON Schema.
 * In the case of multiple identity backends, Keystone can now map arbitrary resource IDs to arbitrary backends.
 * has been moved into its own repository,.
 * Identity API v3 now supports a discrete call to retrieve a service catalog,.
 * Federated authentication events and local role assignment operations now result in CADF (audit) notifications.
 * Keystone can now associate a given policy blob with one or more endpoints.
 * Keystone now provides JSON Home documents on the root API endpoints in response to  headers.
 * Hiding endpoints from clients' service catalogs is now more easily manageable via.
 * The credentials collection API is now filterable per associated user.
 * New, generic API endpoints are available for retrieving authentication-related data, such as a service catalog, available project scopes, and available domain scopes.
 * Keystone now supports mapping the user  attribute to the   attribute in LDAP (and inverting the corresponding boolean value accordingly).
 * A CA certificate file is now configurable for LDAPS connections.
 * The templated catalog backend now supports generating service catalogs for Identity API v3.
 * Service names were added to the v3 service catalog.
 * Services can now be filtered by name.
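
The PKIZ and PKI hashing items above, as an added illustration that is not Keystone's own code: it uses only the Python standard library to show compression wrapped around an already-signed token body, and how the configured hash algorithm changes the short ID derived from a long token. The `PKIZ_` and `MII` prefixes, the function names and the sample bytes are assumptions made for this example.

```python
import base64
import hashlib
import zlib

PKIZ_PREFIX = "PKIZ_"  # assumed marker for a compressed token
ASN1_PREFIX = "MII"    # assumed: base64 of a DER SEQUENCE with a 2-byte length

# Constructed stand-in for a signed CMS blob (DER header + repetitive JSON body).
SAMPLE_SIGNED = b"\x30\x82\x04\x00" + b'{"roles": ["member"], "catalog": []}' * 20


def pkiz_wrap(signed: bytes) -> str:
    """Compress a signed token body and encode it so it is safe in a header."""
    packed = zlib.compress(signed, 6)
    return PKIZ_PREFIX + base64.urlsafe_b64encode(packed).decode("ascii")


def pkiz_unwrap(token: str) -> bytes:
    """Reverse pkiz_wrap; the signature must still be verified afterwards."""
    if not token.startswith(PKIZ_PREFIX):
        raise ValueError("not a PKIZ token")
    return zlib.decompress(base64.urlsafe_b64decode(token[len(PKIZ_PREFIX):]))


def token_id(token: str, algorithm: str = "md5") -> str:
    """Short ID for a long PKI/PKIZ token; other tokens are used as-is."""
    if token.startswith((PKIZ_PREFIX, ASN1_PREFIX)):
        return hashlib.new(algorithm, token.encode("utf-8")).hexdigest()
    return token


def size_comparison(signed: bytes) -> tuple:
    """Return (plain base64 length, PKIZ length) for the same signed body."""
    plain = base64.b64encode(signed).decode("ascii")
    return len(plain), len(pkiz_wrap(signed))


if __name__ == "__main__":
    pkiz = pkiz_wrap(SAMPLE_SIGNED)
    print("sizes (PKI, PKIZ):", size_comparison(SAMPLE_SIGNED))
    print("md5 id   :", token_id(pkiz, "md5"))
    print("sha256 id:", token_id(pkiz, "sha256"))
```

Every service that derives the short ID has to use the same algorithm, otherwise lookups keyed on it stop matching.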