diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index 88af10d3ea..47463215e3 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -1062,6 +1062,54 @@ class TokenAPITests(object):
                           self.token_provider_api.validate_token,
                           trust_scoped_token)
 
+    def test_trust_token_is_invalid_when_trustee_domain_disabled(self):
+        # create a new domain with new user in that domain
+        new_domain_ref = unit.new_domain_ref()
+        self.resource_api.create_domain(new_domain_ref['id'], new_domain_ref)
+
+        trustee_ref = unit.create_user(self.identity_api,
+                                       domain_id=new_domain_ref['id'])
+
+        new_project_ref = unit.new_project_ref(domain_id=self.domain_id)
+        self.resource_api.create_project(new_project_ref['id'],
+                                         new_project_ref)
+
+        # grant the trustor access to the new project
+        self.assignment_api.create_grant(
+            self.role['id'],
+            user_id=self.user_id,
+            project_id=new_project_ref['id'])
+
+        trust_ref = unit.new_trust_ref(trustor_user_id=self.user_id,
+                                       trustee_user_id=trustee_ref['id'],
+                                       expires=dict(minutes=1),
+                                       project_id=new_project_ref['id'],
+                                       impersonation=True,
+                                       role_ids=[self.role['id']])
+
+        resp = self.post('/OS-TRUST/trusts', body={'trust': trust_ref})
+        self.assertValidTrustResponse(resp, trust_ref)
+        trust_id = resp.json_body['trust']['id']
+
+        # get a project-scoped token using the trust
+        trust_auth_data = self.build_authentication_request(
+            user_id=trustee_ref['id'],
+            password=trustee_ref['password'],
+            trust_id=trust_id)
+        trust_scoped_token = self.get_requested_token(trust_auth_data)
+
+        # ensure the project-scoped token from the trust is valid
+        self._validate_token(trust_scoped_token)
+
+        disable_body = {'domain': {'enabled': False}}
+        self.patch(
+            '/domains/%(domain_id)s' % {'domain_id': new_domain_ref['id']},
+            body=disable_body)
+
+        # ensure the project-scoped token from the trust is invalid
+        self._validate_token(trust_scoped_token,
+                             expected_status=http_client.NOT_FOUND)
+
     def test_trust_scoped_token_invalid_after_changing_trustee_password(self):
         trustee_user, trust = self._create_trust()
         trust_scoped_token = self._get_trust_scoped_token(trustee_user, trust)
@@ -2431,6 +2479,55 @@ class TestFernetTokenAPIs(test_v3.RestfulTestCase, TokenAPITests,
         self.v3_create_token(auth_data,
                              expected_status=http_client.NOT_IMPLEMENTED)
 
+    # FIXME(lbragstad): Remove this test from this class and inherit the
+    # version in TokenAPITest once bug 1532280 is fixed.
+    def test_trust_token_is_invalid_when_trustee_domain_disabled(self):
+        # create a new domain with new user in that domain
+        new_domain_ref = unit.new_domain_ref()
+        self.resource_api.create_domain(new_domain_ref['id'], new_domain_ref)
+
+        trustee_ref = unit.create_user(self.identity_api,
+                                       domain_id=new_domain_ref['id'])
+
+        new_project_ref = unit.new_project_ref(domain_id=self.domain_id)
+        self.resource_api.create_project(new_project_ref['id'],
+                                         new_project_ref)
+
+        # grant the trustor access to the new project
+        self.assignment_api.create_grant(
+            self.role['id'],
+            user_id=self.user_id,
+            project_id=new_project_ref['id'])
+
+        trust_ref = unit.new_trust_ref(trustor_user_id=self.user_id,
+                                       trustee_user_id=trustee_ref['id'],
+                                       expires=dict(minutes=1),
+                                       project_id=new_project_ref['id'],
+                                       impersonation=True,
+                                       role_ids=[self.role['id']])
+
+        resp = self.post('/OS-TRUST/trusts', body={'trust': trust_ref})
+        self.assertValidTrustResponse(resp, trust_ref)
+        trust_id = resp.json_body['trust']['id']
+
+        # get a project-scoped token using the trust
+        trust_auth_data = self.build_authentication_request(
+            user_id=trustee_ref['id'],
+            password=trustee_ref['password'],
+            trust_id=trust_id)
+        trust_scoped_token = self.get_requested_token(trust_auth_data)
+
+        # ensure the project-scoped token from the trust is valid
+        self._validate_token(trust_scoped_token)
+
+        disable_body = {'domain': {'enabled': False}}
+        self.patch(
+            '/domains/%(domain_id)s' % {'domain_id': new_domain_ref['id']},
+            body=disable_body)
+
+        # this should return Not Found once bug 1532280 is fixed!
+        self._validate_token(trust_scoped_token)
+
 
 class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
     """Test token revoke using v3 Identity API by token owner and admin."""