diff --git a/doc/install-guide-rst/source/keystone-install.rst b/doc/install-guide-rst/source/keystone-install.rst new file mode 100644 index 0000000000..f12ea0b3e4 --- /dev/null +++ b/doc/install-guide-rst/source/keystone-install.rst @@ -0,0 +1,3 @@ +===================== +Install and configure +===================== diff --git a/doc/install-guide-rst/source/keystone-openrc.rst b/doc/install-guide-rst/source/keystone-openrc.rst new file mode 100644 index 0000000000..365a312cd7 --- /dev/null +++ b/doc/install-guide-rst/source/keystone-openrc.rst 
@@ -0,0 +1,80 @@ +=========================================== +Create OpenStack client environment scripts +=========================================== + +The previous section used a combination of environment variables and +command options to interact with the Identity service via the +:command:`openstack` client. To increase efficiency of client +operations, OpenStack supports simple client environment scripts also +known as OpenRC files. These scripts typically contain common options for +all clients, but also support unique options. For more information, see the +`OpenStack User Guide `__. + +To create the scripts +~~~~~~~~~~~~~~~~~~~~~ + +Create client environment scripts for the ``admin`` and ``demo`` +projects and users. Future portions of this guide reference these +scripts to load appropriate credentials for client operations. + +#. Edit the :file:`admin-openrc.sh` file and add the following content: + + .. code-block:: bash + :linenos: + + export OS_PROJECT_DOMAIN_ID=default + export OS_USER_DOMAIN_ID=default + export OS_PROJECT_NAME=admin + export OS_TENANT_NAME=admin + export OS_USERNAME=admin + export OS_PASSWORD=ADMIN_PASS + export OS_AUTH_URL=http://controller:35357/v3 + + Replace ``ADMIN_PASS`` with the password you chose + for the ``admin`` user in the Identity service. + +#. Edit the :file:`demo-openrc.sh` file and add the following content: + + .. code-block:: bash + :linenos: + + export OS_PROJECT_DOMAIN_ID=default + export OS_USER_DOMAIN_ID=default + export OS_PROJECT_NAME=demo + export OS_TENANT_NAME=demo + export OS_USERNAME=demo + export OS_PASSWORD=DEMO_PASS + export OS_AUTH_URL=http://controller:5000/v3 + + Replace ``DEMO_PASS`` with the password you chose + for the ``demo`` user in the Identity service. + +To load client environment scripts +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To run clients as a specific project and user, you can simply load +the associated client environment script prior to running them. +For example: + +#. 
Load the :file:`admin-openrc.sh` file to populate + environment variables with the location of the Identity service + and the ``admin`` project and user credentials: + + .. code-block:: console + + $ source admin-openrc.sh + +#. Request an authentication token: + + .. code-block:: console + + $ openstack token issue + +------------+----------------------------------+ + | Field | Value | + +------------+----------------------------------+ + | expires | 2015-03-25T01:45:49.950092Z | + | id | cd4110152ac24bdeaa82e1443c910c36 | + | project_id | cf12a15c5ea84b019aec3dc45580896b | + | user_id | 4d411f2291f34941b30eef9bd797505a | + +------------+----------------------------------+ diff --git a/doc/install-guide-rst/source/keystone-services.rst b/doc/install-guide-rst/source/keystone-services.rst new file mode 100644 index 0000000000..59619982a0 --- /dev/null +++ b/doc/install-guide-rst/source/keystone-services.rst @@ -0,0 +1,3 @@ +========================================== +Create the service entity and API endpoint +========================================== diff --git a/doc/install-guide-rst/source/keystone-users.rst b/doc/install-guide-rst/source/keystone-users.rst new file mode 100644 index 0000000000..3a55d306d6 --- /dev/null +++ b/doc/install-guide-rst/source/keystone-users.rst @@ -0,0 +1,3 @@ +================================= +Create projects, users, and roles +================================= diff --git a/doc/install-guide-rst/source/keystone-verify.rst b/doc/install-guide-rst/source/keystone-verify.rst new file mode 100644 index 0000000000..105a87dda0 --- /dev/null +++ b/doc/install-guide-rst/source/keystone-verify.rst 
@@ -0,0 +1,182 @@ +================ +Verify operation +================ + +Verify operation of the Identity service before installing other +services. + +.. only:: obs or ubuntu + + 1. For security reasons, disable the temporary authentication + token mechanism: + + Edit the :file:`/etc/keystone/keystone-paste.ini` + file and remove ``admin_token_auth`` from the + ``[pipeline:public_api]``, ``[pipeline:admin_api]``, + and ``[pipeline:api_v3]`` sections. + +.. only:: rdo + + 1. For security reasons, disable the temporary authentication + token mechanism: + + Edit the :file:`/usr/share/keystone/keystone-dist-paste.ini` + file and remove ``admin_token_auth`` from the + ``[pipeline:public_api]``, ``[pipeline:admin_api]``, + and ``[pipeline:api_v3]`` sections. + +2. Unset the temporary ``OS_TOKEN`` and ``OS_URL`` environment variables: + + .. code-block:: console + + $ unset OS_TOKEN OS_URL + +3. As the ``admin`` user, request an authentication token from + the Identity version 2.0 API: + + .. code-block:: console + + $ openstack --os-auth-url http://controller:35357 \ + --os-project-name admin --os-username admin \ + --os-auth-type password token issue + Password: + +------------+----------------------------------+ + | Field | Value | + +------------+----------------------------------+ + | expires | 2015-03-24T18:55:01Z | + | id | ff5ed908984c4a4190f584d826d75fed | + | project_id | cf12a15c5ea84b019aec3dc45580896b | + | user_id | 4d411f2291f34941b30eef9bd797505a | + +------------+----------------------------------+ + + .. note:: + + This command uses the password for the ``admin`` user. + +4. The Identity version 3 API adds support for domains that contain + projects and users. Projects and users can use the same names in + different domains. Therefore, in order to use the version 3 API, + requests must also explicitly contain at least the ``default`` + domain or use IDs. 
For simplicity, this guide explicitly uses + the ``default`` domain so examples can use names instead of IDs. + + .. code-block:: console + + $ openstack --os-auth-url http://controller:35357 \ + --os-project-domain-id default --os-user-domain-id default \ + --os-project-name admin --os-username admin --os-auth-type password \ + token issue + Password: + +------------+----------------------------------+ + | Field | Value | + +------------+----------------------------------+ + | expires | 2015-03-24T18:55:01Z | + | id | ff5ed908984c4a4190f584d826d75fed | + | project_id | cf12a15c5ea84b019aec3dc45580896b | + | user_id | 4d411f2291f34941b30eef9bd797505a | + +------------+----------------------------------+ + + .. note:: + + This command uses the password for the ``admin`` user. + +5. As the ``admin`` user, list projects to verify that the + ``admin`` user can execute admin-only CLI commands and + that the Identity service contains the projects that you + created in :doc:`keystone-users`: + + .. code-block:: console + + $ openstack --os-auth-url http://controller:35357 \ + --os-project-name admin --os-username admin \ + --os-auth-type password project list + Password: + +----------------------------------+---------+ + | ID | Name | + +----------------------------------+---------+ + | 55cbd79c0c014c8a95534ebd16213ca1 | service | + | ab8ea576c0574b6092bb99150449b2d3 | demo | + | cf12a15c5ea84b019aec3dc45580896b | admin | + +----------------------------------+---------+ + + .. note:: + + This command uses the password for the ``admin`` user. + +6. As the ``admin`` user, list users to verify that the Identity service + contains the users that you created in :doc:`keystone-users`: + + .. 
code-block:: console + + $ openstack --os-auth-url http://controller:35357 \ + --os-project-name admin --os-username admin \ + --os-auth-type password user list + Password: + +----------------------------------+-------+ + | ID | Name | + +----------------------------------+-------+ + | 4d411f2291f34941b30eef9bd797505a | admin | + | 3a81e6c8103b46709ef8d141308d4c72 | demo | + +----------------------------------+-------+ + + .. note:: + + This command uses the password for the ``admin`` user. + +7. As the ``admin`` user, list roles to verify that the Identity service + contains the role that you created in :doc:`keystone-users`: + + .. code-block:: console + + $ openstack --os-auth-url http://controller:35357 \ + --os-project-name admin --os-username admin \ + --os-auth-type password role list + Password: + +----------------------------------+-------+ + | ID | Name | + +----------------------------------+-------+ + | 9fe2ff9ee4384b1894a90878d3e92bab | user | + | cd2cb9a39e874ea69e5d4b896eb16128 | admin | + +----------------------------------+-------+ + + .. note:: + + This command uses the password for the ``admin`` user. + +8. As the ``demo`` user, request an authentication token from + the Identity version 3 API: + + .. code-block:: console + + $ openstack --os-auth-url http://controller:5000 \ + --os-project-domain-id default --os-user-domain-id default \ + --os-project-name demo --os-username demo --os-auth-type password \ + token issue + Password: + +------------+----------------------------------+ + | Property | Value | + +------------+----------------------------------+ + | expires | 2014-10-10T12:51:33Z | + | id | 1b87ceae9e08411ba4a16e4dada04802 | + | project_id | 4aa51bb942be4dd0ac0555d7591f80a6 | + | user_id | 7004dfa0dda84d63aef81cf7f100af01 | + +------------+----------------------------------+ + + .. 
note:: + + This command uses the password for the ``demo`` + user and API port 5000 which only allows regular (non-admin) + access to the Identity service API. + +9. As the ``demo`` user, attempt to list users + to verify that it cannot execute admin-only CLI commands: + + .. code-block:: console + + $ openstack --os-auth-url http://controller:5000 \ + --os-project-domain-id default --os-user-domain-id default \ + --os-project-name demo --os-username demo \ + --os-auth-type password user list + Password: + ERROR: openstack You are not authorized to perform the + requested action, admin_required. (HTTP 403) diff --git a/doc/install-guide-rst/source/keystone.rst b/doc/install-guide-rst/source/keystone.rst index 7d7d04cdf9..c19751b9cf 100644 --- a/doc/install-guide-rst/source/keystone.rst +++ b/doc/install-guide-rst/source/keystone.rst @@ -1,3 +1,12 @@ ======================== Add the Identity service ======================== + +.. toctree:: + + common/get_started_identity.rst + keystone-install.rst + keystone-services.rst + keystone-users.rst + keystone-verify.rst + keystone-openrc.rst
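Review bot: In the keystone-openrc.rst hunk, both `admin-openrc.sh` and `demo-openrc.sh` store the account password in cleartext (`export OS_PASSWORD=ADMIN_PASS`, `export OS_PASSWORD=DEMO_PASS`), but the text only says to substitute the password; add a sentence telling the reader to restrict the file's permissions (for example `chmod 600 admin-openrc.sh`) and to keep it out of shared directories and version control, since anyone who can read the admin file holds cloud-admin credentials for the Identity admin endpoint on port 35357. Two smaller points: the `:linenos:` option on both code blocks adds line numbers that the surrounding text never refers to, and the `OpenStack User Guide` link as shown here has an empty target between the closing backtick and `__`, so confirm the URL is present in the committed file.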
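Review bot: In the keystone-verify.rst hunk, step 1 (removing `admin_token_auth` from the `[pipeline:public_api]`, `[pipeline:admin_api]` and `[pipeline:api_v3]` sections) is the only hardening step in the file, yet it sits indented inside the `.. only:: obs or ubuntu` and `.. only:: rdo` blocks with its own `1.` while steps 2 to 9 are unindented top-level items; a build for any other tag drops the step entirely and the list starts at `2.`, so move the shared "For security reasons, disable the temporary authentication token mechanism" sentence outside the conditionals and keep only the distribution-specific file path inside them. Also, the sample output in step 8 uses a `Property` column header and a `2014-10-10` expiry while every other table in the file uses `Field` and `2015-03-24`, which suggests it was pasted from an older client release; regenerate it so a reader comparing their own output is not misled.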
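Review bot: In the keystone.rst hunk, the new toctree lists `keystone-install.rst`, `keystone-services.rst` and `keystone-users.rst`, but in this patch each of those files contains only its title (the three-line hunks above), so the built guide will navigate to empty pages; either land the content with this change or say in the commit message that they are placeholders. `common/get_started_identity.rst` is referenced but not added here, so confirm it already exists in the tree. Note too that keystone-verify.rst steps 5 to 7 point the reader at `:doc:\`keystone-users\`` for the projects, users and roles they check, and until that file has content those links resolve to an empty page.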