diff --git a/devstack/files/federation/shib_apache_handler.txt b/devstack/files/federation/shib_apache_handler.txt
index ebf53ada65..e863cb62fb 100644
--- a/devstack/files/federation/shib_apache_handler.txt
+++ b/devstack/files/federation/shib_apache_handler.txt
@@ -14,3 +14,15 @@
         ShibRequireAll On
    </IfVersion>
 </Location>
+
+<Location /identity/v3/OS-FEDERATION/identity_providers/keystone/protocols/mapped/auth>
+    ShibRequestSetting requireSession 1
+    AuthType shibboleth
+    ShibExportAssertion Off
+    Require valid-user
+
+    <IfVersion < 2.4>
+        ShibRequireSession On
+        ShibRequireAll On
+   </IfVersion>
+</Location>
diff --git a/devstack/files/federation/shibboleth2.xml b/devstack/files/federation/shibboleth2.xml
index 65b8667a5c..cecb50b5e6 100644
--- a/devstack/files/federation/shibboleth2.xml
+++ b/devstack/files/federation/shibboleth2.xml
@@ -19,9 +19,8 @@ https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
         <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
         <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
 
-            <!-- Triggers a login request directly to the TestShib IdP. -->
-            <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
-            <SSO entityID="%IDP_REMOTE_ID%" ECP="true">
+            <!-- Without a Discovery Protocol this really only supports ECP. -->
+            <SSO ECP="true">
                 SAML2 SAML1
             </SSO>
 
@@ -53,9 +52,9 @@ https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
         <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg"
                 styleSheet="/shibboleth-sp/main.css"/>
 
-        <!-- Loads and trusts a metadata file that describes only the Testshib IdP and how to communicate with it. -->
-        <MetadataProvider type="XML" uri="%IDP_METADATA_URL%"
-                          backingFilePath="metadata.xml" reloadInterval="180000" />
+        <!-- Loads and trusts a metadata files that describe the IdPs and how to communicate with them. -->
+        <MetadataProvider type="XML" uri="%IDP_METADATA_URL%" />
+        <MetadataProvider type="XML" uri="%KEYSTONE_METADATA_URL%" />
 
         <!-- Attribute and trust options you shouldn't need to change. -->
         <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
diff --git a/devstack/lib/federation.sh b/devstack/lib/federation.sh
index eec204ba8d..7497859be9 100644
--- a/devstack/lib/federation.sh
+++ b/devstack/lib/federation.sh
@@ -23,6 +23,8 @@ IDP_REMOTE_ID=${IDP_REMOTE_ID:-https://samltest.id/saml/idp}
 IDP_ECP_URL=${IDP_ECP_URL:-https://samltest.id/idp/profile/SAML2/SOAP/ECP}
 IDP_METADATA_URL=${IDP_METADATA_URL:-https://samltest.id/saml/idp}
 
+KEYSTONE_IDP_METADATA_URL=${KEYSTONE_IDP_METADATA_URL:-"http://$HOST_IP/identity/v3/OS-FEDERATION/saml2/metadata"}
+
 MAPPING_REMOTE_TYPE=${MAPPING_REMOTE_TYPE:-uid}
 MAPPING_USER_NAME=${MAPPING_USER_NAME:-"{0}"}
 
@@ -57,9 +59,24 @@ function configure_apache {
     restart_apache_server
 }
 
+function configure_shibboleth {
+    # Copy a templated /etc/shibboleth/shibboleth2.xml file...
+    sudo cp $FEDERATION_FILES/shibboleth2.xml $SHIBBOLETH_XML
+    # ... and replace the %HOST_IP%, %IDP_REMOTE_ID%,and %IDP_METADATA_URL% placeholders
+    sudo sed -i -e "
+        s|%HOST_IP%|$HOST_IP|g;
+        s|%IDP_METADATA_URL%|$IDP_METADATA_URL|g;
+        s|%KEYSTONE_METADATA_URL%|$KEYSTONE_IDP_METADATA_URL|g;
+        " $SHIBBOLETH_XML
+
+    sudo cp "$FEDERATION_FILES/attribute-map.xml" $ATTRIBUTE_MAP
+
+    restart_service shibd
+}
+
 function install_federation {
     if is_ubuntu; then
-        install_package libapache2-mod-shib2
+        install_package libapache2-mod-shib2 xmlsec1
 
         # Create a new keypair for Shibboleth
         sudo shib-keygen -f
@@ -75,7 +92,7 @@ function install_federation {
         | sudo tee /etc/yum.repos.d/shibboleth.repo >/dev/null
 
         # Install Shibboleth
-        install_package shibboleth
+        install_package shibboleth xmlsec1-openssl
 
         # Create a new keypair for Shibboleth
         sudo /etc/shibboleth/keygen.sh -f -o /etc/shibboleth
@@ -94,6 +111,8 @@ function install_federation {
     else
         echo "Skipping installation of shibboleth for non ubuntu nor fedora nor suse host"
     fi
+
+    pip_install pysaml2
 }
 
 function upload_sp_metadata_to_samltest {
@@ -110,32 +129,35 @@ function upload_sp_metadata_to_samltest {
 }
 
 function configure_federation {
-    configure_apache
-
-    # Copy a templated /etc/shibboleth/shibboleth2.xml file...
-    sudo cp $FEDERATION_FILES/shibboleth2.xml $SHIBBOLETH_XML
-    # ... and replace the %HOST_IP%, %IDP_REMOTE_ID%,and %IDP_METADATA_URL% placeholders
-    sudo sed -i -e "
-        s|%HOST_IP%|$HOST_IP|g;
-        s|%IDP_REMOTE_ID%|$IDP_REMOTE_ID|g;
-        s|%IDP_METADATA_URL%|$IDP_METADATA_URL|g;
-        " $SHIBBOLETH_XML
-
-    sudo cp "$FEDERATION_FILES/attribute-map.xml" $ATTRIBUTE_MAP
-
-    restart_service shibd
-
-    # Enable the mapped auth method in /etc/keystone.conf
-    iniset $KEYSTONE_CONF auth methods "external,password,token,mapped"
-
     # Specify the header that contains information about the identity provider
     iniset $KEYSTONE_CONF mapped remote_id_attribute "Shib-Identity-Provider"
 
+    # Configure certificates and keys for Keystone as an IdP
+    if is_service_enabled tls-proxy; then
+        iniset $KEYSTONE_CONF saml certfile "$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt"
+        iniset $KEYSTONE_CONF saml keyfile "$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key"
+    else
+        openssl genrsa -out /etc/keystone/ca.key 4096
+        openssl req -new -x509 -days 1826 -key /etc/keystone/ca.key -out /etc/keystone/ca.crt \
+            -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"
+
+
+        iniset $KEYSTONE_CONF saml certfile "/etc/keystone/ca.crt"
+        iniset $KEYSTONE_CONF saml keyfile "/etc/keystone/ca.key"
+    fi
+
+    iniset $KEYSTONE_CONF saml idp_entity_id "$KEYSTONE_AUTH_URI/v3/OS-FEDERATION/saml2/idp"
+    iniset $KEYSTONE_CONF saml idp_sso_endpoint "$KEYSTONE_AUTH_URI/v3/OS-FEDERATION/saml2/sso"
+    iniset $KEYSTONE_CONF saml idp_metadata_path "/etc/keystone/keystone_idp_metadata.xml"
+
     if [[ "$WSGI_MODE" == "uwsgi" ]]; then
         restart_service "devstack@keystone"
     fi
 
-    restart_apache_server
+    keystone-manage saml_idp_metadata > /etc/keystone/keystone_idp_metadata.xml
+
+    configure_shibboleth
+    configure_apache
 
     # TODO(knikolla): We should not be relying on an external service. This
     # will be removed once we have an idp deployed during devstack install.
@@ -155,6 +177,9 @@ function register_federation {
 }
 
 function configure_tests_settings {
+    # Enable the mapped auth method in /etc/keystone.conf
+    iniset $KEYSTONE_CONF auth methods "external,password,token,mapped"
+
     # Here we set any settings that might be need by the fed_scenario set of tests
     iniset $TEMPEST_CONFIG identity-feature-enabled federation True