Keystone is the identity service that provides identity, token, catalog, and policy services for use by the services in the OpenStack family. Federated identity is the method used to establish trust between identity providers and the services provided by an OpenStack cloud.

VMware Integrated OpenStack supports three types of federated identity: Keystone federation, SAML2 federation, and vRealize Automation or VMware Identity Manager federation.

The following terms are commonly used when configuring federated identity.

Identity Provider (IdP)

Stores information about users and groups. The IdP provides authentication.

Service Provider (SP)

Provides a service to an end-user. The SP has protected resources.

User

Actor or browser that wants to access protected resources.

SAML assertion

Contains information about a user as provided by an IdP.