diff --git a/devstack/files/federation/attribute-map.xml b/devstack/files/federation/attribute-map.xml
new file mode 100644
index 0000000000..e651bdb43b
--- /dev/null
+++ b/devstack/files/federation/attribute-map.xml
@@ -0,0 +1,66 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+
+    <Attribute id="openstack_project" name="openstack_project"/>
+    <Attribute id="openstack_project_domain" name="openstack_project_domain"/>
+    <Attribute id="openstack_roles" name="openstack_roles"/>
+    <Attribute id="openstack_user" name="openstack_user"/>
+    <Attribute id="openstack_user_domain" name="openstack_user_domain"/>
+
+    <!-- First some useful eduPerson attributes that many sites might use. -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+
+    <!-- A persistent id attribute that supports personalized anonymous access. -->
+
+    <!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+        <!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
+    </Attribute>
+
+    <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+    -->
+
+    <!-- Third, the new version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Fourth, the SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+</Attributes>
diff --git a/devstack/files/federation/shibboleth2.xml b/devstack/files/federation/shibboleth2.xml
index fc5138cd8c..65b8667a5c 100644
--- a/devstack/files/federation/shibboleth2.xml
+++ b/devstack/files/federation/shibboleth2.xml
@@ -21,7 +21,7 @@ https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
 
             <!-- Triggers a login request directly to the TestShib IdP. -->
             <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
-            <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
+            <SSO entityID="%IDP_REMOTE_ID%" ECP="true">
                 SAML2 SAML1
             </SSO>
 
@@ -54,8 +54,8 @@ https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
                 styleSheet="/shibboleth-sp/main.css"/>
 
         <!-- Loads and trusts a metadata file that describes only the Testshib IdP and how to communicate with it. -->
-        <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"
-             backingFilePath="testshib-two-idp-metadata.xml" reloadInterval="180000" />
+        <MetadataProvider type="XML" uri="%IDP_METADATA_URL%"
+                          backingFilePath="metadata.xml" reloadInterval="180000" />
 
         <!-- Attribute and trust options you shouldn't need to change. -->
         <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
diff --git a/devstack/lib/federation.sh b/devstack/lib/federation.sh
index 0c0db5bafc..62f8e02643 100644
--- a/devstack/lib/federation.sh
+++ b/devstack/lib/federation.sh
@@ -22,12 +22,18 @@ IDP_USERNAME=${IDP_USERNAME:-myself}
 IDP_PASSWORD=${IDP_PASSWORD:-myself}
 IDP_REMOTE_ID=${IDP_REMOTE_ID:-https://idp.testshib.org/idp/shibboleth}
 IDP_ECP_URL=${IDP_ECP_URL:-https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP}
+IDP_METADATA_URL=${IDP_METADATA_URL:-http://www.testshib.org/metadata/testshib-providers.xml}
 
 MAPPING_REMOTE_TYPE=${MAPPING_REMOTE_TYPE:-eppn}
 MAPPING_USER_NAME=${MAPPING_USER_NAME:-"{0}"}
 
 PROTOCOL_ID=${PROTOCOL_ID:-mapped}
 
+# File paths
+FEDERATION_FILES="$KEYSTONE_PLUGIN/files/federation"
+SHIBBOLETH_XML="/etc/shibboleth/shibboleth2.xml"
+ATTRIBUTE_MAP="/etc/shibboleth/attribute-map.xml"
+
 function configure_apache {
     if [[ "$WSGI_MODE" == "uwsgi" ]]; then
         local keystone_apache_conf=$(apache_site_config_for keystone-wsgi-public)
@@ -83,9 +89,15 @@ function configure_federation {
     configure_apache
 
     # Copy a templated /etc/shibboleth/shibboleth2.xml file...
-    sudo cp $KEYSTONE_PLUGIN/files/federation/shibboleth2.xml /etc/shibboleth/shibboleth2.xml
-    # ... and replace the %HOST_IP% placeholder with the host ip
-    sudo sed -i -e "s|%HOST_IP%|$HOST_IP|g;" /etc/shibboleth/shibboleth2.xml
+    sudo cp $FEDERATION_FILES/shibboleth2.xml $SHIBBOLETH_XML
+    # ... and replace the %HOST_IP%, %IDP_REMOTE_ID%,and %IDP_METADATA_URL% placeholders
+    sudo sed -i -e "
+        s|%HOST_IP%|$HOST_IP|g;
+        s|%IDP_REMOTE_ID%|$IDP_REMOTE_ID|g;
+        s|%IDP_METADATA_URL%|$IDP_METADATA_URL|g;
+        " $SHIBBOLETH_XML
+
+    sudo cp "$FEDERATION_FILES/attribute-map.xml" $ATTRIBUTE_MAP
 
     restart_service shibd