Keystone is the central authentication and authorization point for OpenStack. It already manages users via LDAP and SQL; however, as OpenStack and the number of possible identity sources grow, Keystone is evolving to rely primarily on external sources of identity through protocols such as SAML. Keystone’s role then becomes one of pure authorization: mapping externally asserted identities into an OpenStack context of users, groups and projects. For the unfamiliar, we’ll start with a quick recap of the role of Keystone and the permission models of OpenStack, then look at the challenges of handling many distinct authentication sources and the in-development changes required to support federated identity providers.
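The mapping step described above, as an added illustration rather than Keystone's own code: a simplified Python model of a federation mapping rule in Keystone's JSON layout (a list of `remote` conditions on asserted attributes, and a `local` block naming the OpenStack user and group). The attribute names, the group id placeholder, the attribute-values-as-lists convention and the placeholder indexing are assumptions of this example.

```python
import json
from typing import Optional

# Constructed mapping rule in Keystone's rules -> {remote, local} layout.
# Attribute names and the group id are made-up placeholders for this example.
MAPPING = json.loads("""
{"rules": [{
    "remote": [
        {"type": "uid"},
        {"type": "orgPersonType", "any_one_of": ["Employee"]},
        {"type": "orgPersonType", "not_any_of": ["Contractor"]}
    ],
    "local": [
        {"user": {"name": "{0}"}},
        {"group": {"id": "EXAMPLE_EMPLOYEE_GROUP_ID"}}
    ]
}]}
""")

def _condition_holds(cond: dict, attrs: dict) -> bool:
    """Evaluate one remote condition; attrs maps attribute name -> list of values."""
    values = attrs.get(cond["type"])
    if not values:
        return False  # attribute not asserted by the IdP: the rule cannot match
    if "any_one_of" in cond:
        return any(v in cond["any_one_of"] for v in values)
    if "not_any_of" in cond:
        return not any(v in cond["not_any_of"] for v in values)
    return True  # bare {"type": ...} only requires the attribute to be present

def _render(obj, values: list):
    """Substitute {0}, {1}, ... in every string of the local block."""
    if isinstance(obj, str):
        return obj.format(*values)
    if isinstance(obj, dict):
        return {k: _render(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_render(v, values) for v in obj]
    return obj

def apply_mapping(mapping: dict, attrs: dict) -> Optional[list]:
    """Return the rendered local identity for the first matching rule, else None."""
    for rule in mapping["rules"]:
        if not all(_condition_holds(c, attrs) for c in rule["remote"]):
            continue
        # Example convention: only unconditioned remote entries supply {n} values, in order.
        direct = [attrs[c["type"]][0] for c in rule["remote"]
                  if "any_one_of" not in c and "not_any_of" not in c]
        return _render(rule["local"], direct)
    return None  # no rule matched: the federated user gets no OpenStack identity
```

The point for an operator is that the mapping rule is the authorization policy: only attributes the rule names are trusted, and a user whose assertion matches no rule is mapped to nothing.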