Translations:ReleaseNotes/Kilo/63/en


 * Keystone can now act as a federated identity provider (IdP) for another instance of Keystone by issuing SAML assertions for local users, which may be ECP-wrapped.
 * Added support for OpenID Connect as a federated identity authentication mechanism.
 * Added the ability to associate many "Remote IDs" with a single identity provider in Keystone. This helps when many identity providers use a common mapping.
 * Added the ability for a user to authenticate via a web browser with an existing IdP, through a Single Sign-On page.
 * Federated tokens now use the  authentication method, although both   and   remain available.
 * Federated users may now be mapped to existing local identities.
 * Groups specified in the mapping rulesets can be identified by name and domain.
 * Groups appearing in federated identity assertions may now be automatically mapped to locally existing groups with local user membership mappings (filtered by whitelists and blacklists).
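
The group filtering described in the last two items, as an added example that is not Keystone's own code: a simplified Python model of one mapping rule, showing that a whitelist ignores a group the IdP newly asserts while a blacklist lets it through. The mapping follows Keystone's mapping JSON shape; the group names, the `Default` domain, the helper functions and the assertion are constructed assumptions.

```python
# Simplified model of group filtering in a Keystone federation mapping rule.
# Added illustration only; this is not Keystone's rule engine.

def make_mapping(filter_kind, names):
    """Constructed mapping: remote groups become local groups, looked up by
    name inside a named domain; filter_kind is "whitelist" or "blacklist"."""
    return {"rules": [{
        "local": [
            {"user": {"name": "{0}"}},
            {"groups": "{1}", "domain": {"name": "Default"}},
        ],
        "remote": [
            {"type": "REMOTE_USER"},
            {"type": "groups", filter_kind: names},
        ],
    }]}

# Constructed local groups, keyed by (domain name, group name).
LOCAL_GROUPS = {("Default", "devs"), ("Default", "auditors"),
                ("Default", "cloud-admins")}

def filter_values(remote_rule, values):
    """Apply the whitelist or blacklist of one remote entry to asserted values."""
    if "whitelist" in remote_rule:
        return [v for v in values if v in remote_rule["whitelist"]]
    if "blacklist" in remote_rule:
        return [v for v in values if v not in remote_rule["blacklist"]]
    return list(values)

def map_groups(mapping, assertion):
    """Return the sorted local group names the federated user would receive."""
    result = set()
    for rule in mapping["rules"]:
        # Placeholders {0}, {1}, ... refer to the remote entries in order.
        slots = [filter_values(r, assertion.get(r["type"], []))
                 for r in rule["remote"]]
        for local in rule["local"]:
            if "groups" not in local:
                continue
            index = int(local["groups"].strip("{}"))
            domain = local["domain"]["name"]
            # Assumption of this model: only groups that already exist
            # locally in that domain are kept.
            result.update(n for n in slots[index] if (domain, n) in LOCAL_GROUPS)
    return sorted(result)

# Constructed assertion: the IdP has started sending "cloud-admins".
ASSERTION = {"REMOTE_USER": ["alice"],
             "groups": ["devs", "cloud-admins", "interns"]}

if __name__ == "__main__":
    print(map_groups(make_mapping("whitelist", ["devs", "auditors"]), ASSERTION))
    print(map_groups(make_mapping("blacklist", ["interns"]), ASSERTION))
```

With the whitelist, only `devs` is granted; with the blacklist, the unlisted `cloud-admins` group is granted as well, so a whitelist is the fail-closed choice when the IdP's group set can change.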