diff --git a/manifests/federation/mellon.pp b/manifests/federation/mellon.pp index f6cfc86a9..670319680 100644 --- a/manifests/federation/mellon.pp +++ b/manifests/federation/mellon.pp @@ -46,15 +46,28 @@ # accepts latest or specific versions. # Defaults to present. # +# [*enable_websso*] +# (optional) Wheater or not to enable Web Single Sign-On (SSO) +# Defaults to false +# +# [*trusted_dashboards*] +# (optional) URL list of trusted horizon servers. +# This setting ensures that keystone only sends token data back to trusted +# servers. This is performed as a precaution, specifically to prevent man-in- +# the-middle (MITM) attacks. +# Defaults to undef +# class keystone::federation::mellon ( $methods, $idp_name, $protocol_name, - $admin_port = false, - $main_port = true, - $module_plugin = 'keystone.auth.plugins.mapped.Mapped', - $template_order = 331, - $package_ensure = present, + $admin_port = false, + $main_port = true, + $module_plugin = 'keystone.auth.plugins.mapped.Mapped', + $template_order = 331, + $package_ensure = present, + $enable_websso = false, + $trusted_dashboards = undef, ) { include ::apache @@ -81,6 +94,7 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even validate_bool($admin_port) validate_bool($main_port) + validate_bool($enable_websso) if( !$admin_port and !$main_port){ fail('No VirtualHost port to configure, please choose at least one.') @@ -91,6 +105,16 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even 'auth/saml2': value => $module_plugin; } + if($enable_websso){ + if( !trusted_dashboards){ + fail('No trusted dashboard specified, please add at least one.') + } + keystone_config { + 'mapped/remote_id_attribute': value => 'MELLON_IDP'; + 'federation/trusted_dashboard': value => join(any2array($trusted_dashboards),','); + } + } + ensure_packages([$::keystone::params::mellon_package_name], { ensure => $package_ensure, tag => 'keystone-support-package', 
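Review bot: The new parameter documentation has a typo and omits the one constraint a user needs: `trusted_dashboards` is mandatory once `enable_websso` is true, and it may be a single URL or an array (the value is passed through `any2array` further down in the same file). I would change `# (optional) Wheater or not to enable Web Single Sign-On (SSO)` to `# (optional) Whether or not to enable Web Single Sign-On (SSO)`, and extend the `trusted_dashboards` entry with `# Required when enable_websso is true; accepts a single URL string or an array of URLs.`. The `class keystone::federation::mellon (` definition that this hunk opens continues past the end of the hunk.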
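Review bot: The guard `if( !trusted_dashboards){` is missing the `$` sigil, so `trusted_dashboards` is a bareword string literal, which is truthy, and the `fail('No trusted dashboard specified, please add at least one.')` branch can never be taken; with `$trusted_dashboards` left at its `undef` default the class instead silently writes an empty `federation/trusted_dashboard`. It should read `if !$trusted_dashboards {` (or `if empty($trusted_dashboards) {`, since stdlib functions are already in use here). Separately, the setting is written as one comma-joined string; if keystone reads `trusted_dashboard` as a multi-valued option, as I believe it does (one `trusted_dashboard =` line per URL), the joined string would match none of the configured dashboards and every WebSSO callback would be rejected, so this is worth confirming against the keystone option definition before merging. The `if($enable_websso){` block is fully inside the hunk, but the enclosing class begins and ends outside it.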
diff --git a/releasenotes/notes/mellon-websso-support-8c367e5b732ffbf3.yaml b/releasenotes/notes/mellon-websso-support-8c367e5b732ffbf3.yaml new file mode 100644 index 000000000..b37f3e456 --- /dev/null +++ b/releasenotes/notes/mellon-websso-support-8c367e5b732ffbf3.yaml @@ -0,0 +1,5 @@ +--- +features: + - Federation mellon support Web Single Sign-On (SSO) + When configuring federation using mellon enable setup of Web Single + Sign-On. diff --git a/spec/classes/keystone_federation_mellon_spec.rb b/spec/classes/keystone_federation_mellon_spec.rb index 05802552c..40bf50772 100644 --- a/spec/classes/keystone_federation_mellon_spec.rb +++ b/spec/classes/keystone_federation_mellon_spec.rb @@ -89,6 +89,33 @@ describe 'keystone::federation::mellon' do :order => params[:template_order], })} end + + context 'with websso enabled' do + before do + params.merge!({ + :enable_websso => true, + :trusted_dashboards => [ + 'http://acme.horizon.com/auth/websso/', + 'http://beta.horizon.com/auth/websso/', + ], + }) + end + + it 'should have basic params for mellon in Keystone configuration' do + is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') + is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped') + end + + it 'should have parameters for websso in Keystone configuration' do + is_expected.to contain_keystone_config('mapped/remote_id_attribute').with_value('MELLON_IDP') + is_expected.to contain_keystone_config('federation/trusted_dashboard').with_value('http://acme.horizon.com/auth/websso/,http://beta.horizon.com/auth/websso/') + end + + it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({ + :target => "10-keystone_wsgi_main.conf", + :order => params[:template_order], + })} + end end on_supported_os({ diff --git a/templates/mellon.conf.erb b/templates/mellon.conf.erb index 259bcd824..56f18280b 100644 --- a/templates/mellon.conf.erb +++ b/templates/mellon.conf.erb 
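Review bot: The new `with websso enabled` context only covers the happy path; there is no example for `:enable_websso => true` with `:trusted_dashboards` left unset, so the manifest's `fail('No trusted dashboard specified...')` branch is untested. I would add a sibling context that merges only `:enable_websso => true` into `params` and asserts `it { is_expected.to raise_error(Puppet::Error, /No trusted dashboard specified/) }`; since the manifest's guard is written `!trusted_dashboards` without a sigil, I expect such an example to fail today, which is exactly why it is worth having. The fixtures also use plain `http://` dashboard URLs; given that the setting exists to stop token data reaching untrusted hosts, `https://` test data would better model the intended deployment. The enclosing `describe 'keystone::federation::mellon'` block continues outside the hunk.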
@@ -14,3 +14,16 @@ AuthType "Mellon" MellonEnable "auth" + +<% if @enable_websso -%> + + AuthType Mellon + MellonEnable auth + Require valid-user + + /protocols/mapped/websso"> + AuthType Mellon + MellonEnable auth + Require valid-user + +<% end -%>
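Review bot: The new directive blocks are written unquoted (`AuthType Mellon`, `MellonEnable auth`) while the existing block in the same template, visible as context at the top of the hunk, quotes them (`AuthType "Mellon"`, `MellonEnable "auth"`); Apache accepts both forms, but one template should use one style, so either quote the new lines to match or drop the quotes from the existing block. The container directives for the two new blocks appear to have been lost in this copy of the patch (only a trailing `/protocols/mapped/websso">` fragment survives), so the URL patterns that gate `Require valid-user` could not be checked here; they should match only the two keystone WebSSO endpoints and nothing broader, and a reviewer with the full file should confirm that. The `<% if @enable_websso -%>` block itself is complete within the hunk.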