Keystone can now act as a federated identity provider (IdP) for another instance of Keystone by issuing SAML assertions for local users, which may be ECP-wrapped.
Added support for OpenID Connect as a federated identity authentication mechanism.
Added the ability to associate many "Remote IDs" with a single identity provider in Keystone. This helps when many identity providers use a common mapping.
Added the ability for a user to authenticate via a web browser with an existing IdP, through a Single Sign-On page.
Federated tokens now use the token authentication method, although both mapped and saml2 remain available.
Federated users may now be mapped to existing local identities.
Groups specified in the mapping rulesets can be identified by name and domain.
Groups appearing in federated identity assertions may now be automatically mapped to locally existing groups with local user membership mappings (filtered by whitelists and blacklists).
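
As an added illustration of the last two items (not taken from these release notes or from the Keystone source), here is a mapping ruleset that uses both features: the first rule passes only whitelisted asserted group names through to same-named local groups in a domain, and the second assigns a single group identified by name and domain. The assertion attribute names (`REMOTE_USER`, `groups`, `orgPersonType`), the group names and the `Default` domain are assumptions that depend on the IdP and the deployment.

```json
{
  "rules": [
    {
      "local": [
        { "user": { "name": "{0}" } },
        { "groups": "{1}", "domain": { "name": "Default" } }
      ],
      "remote": [
        { "type": "REMOTE_USER" },
        { "type": "groups", "whitelist": ["developers", "auditors"] }
      ]
    },
    {
      "local": [
        { "user": { "name": "{0}" } },
        { "group": { "name": "federated-readonly", "domain": { "name": "Default" } } }
      ],
      "remote": [
        { "type": "REMOTE_USER" },
        { "type": "orgPersonType", "any_one_of": ["Contractor"] }
      ]
    }
  ]
}
```

With a whitelist, a group name the IdP asserts but the list does not contain is dropped before mapping, so a remote IdP cannot place users into an arbitrary local group simply by asserting its name.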