diff --git a/manifests/init.pp b/manifests/init.pp
index 2c7122ce..6c3d7941 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -466,6 +466,12 @@
 #        ['saml2', 'Security Assertion Markup Language']
 #      ]
 #
+#  [*websso_choices_hide_keystone*]
+#    (optional)The WEBSSO_CHOICES option will by default include an entry for
+#    "Keystone Credentials".  Setting this option to true will hide it.
+#    Note that websso_initial_choice will need to be set to a valid option.
+#    Default to false
+#
 #  [*websso_idp_mapping*]
 #    (optional)Set the WEBSSO_IDP_MAPPING option.
 #    A dictionary of specific identity provider and protocol combinations.
@@ -634,6 +640,7 @@ class horizon(
   $websso_enabled                      = false,
   $websso_initial_choice               = undef,
   $websso_choices                      = undef,
+  $websso_choices_hide_keystone        = false,
   $websso_idp_mapping                  = undef,
   $websso_default_redirect             = false,
   $websso_default_redirect_protocol    = undef,
@@ -668,6 +675,10 @@ and usage of a quoted value is deprecated.')
     $cache_server_ip_real = inet6_prefix($cache_server_ip)
   }
 
+  if $websso_choices_hide_keystone and !$websso_initial_choice {
+    fail('websso_initial_choice is required when websso_choices_hide_keystone is true')
+  }
+
   $hypervisor_defaults = {
     'can_set_mount_point' => true,
     'can_set_password'    => false,
diff --git a/releasenotes/notes/add-option-WEBSSO-hide-keystone-10149289b2ad8c9c.yaml b/releasenotes/notes/add-option-WEBSSO-hide-keystone-10149289b2ad8c9c.yaml
new file mode 100644
index 00000000..1bb021a9
--- /dev/null
+++ b/releasenotes/notes/add-option-WEBSSO-hide-keystone-10149289b2ad8c9c.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Added a new option ``websso_choices_hide_keystone``.  This lets you hide
+    the ability to log in with Keystone-credentials when using federation.
+    Be aware that this also requires you to set ``websso_initial_choice`` to
+    a valid value.
diff --git a/templates/local_settings.py.erb b/templates/local_settings.py.erb
index 3aaf140c..e8093cf6 100644
--- a/templates/local_settings.py.erb
+++ b/templates/local_settings.py.erb
@@ -335,7 +335,9 @@ WEBSSO_INITIAL_CHOICE = "<%= @websso_initial_choice %>"
 #)
 <% if @websso_choices.kind_of?(Array) -%>
 WEBSSO_CHOICES = (
+<% if not @websso_choices_hide_keystone -%>
     ("credentials", _("Keystone Credentials")),
+<% end -%>
 <% @websso_choices.each do |r| -%>
     ("<%= r[0] -%>", _("<%= r[1] -%>")),
 <% end -%>