diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index f5f9d7e..0a6379a 100755
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -4,13 +4,14 @@
 #
 # === Parameters
 #
-# [*password*]
-# (Required) Password to create for the service user
-#
 # [*username*]
 # (Optional) The name of the service user
 # Defaults to 'magnum'
 #
+# [*password*]
+# (Required) Password to create for the service user
+# Defaults to $::os_service_default
+#
 # [*auth_url*]
 # (Optional) The URL to use for authentication.
 # Defaults to 'http://localhost:5000'
@@ -29,7 +30,8 @@
 #
 # [*insecure*]
 # (Optional) If true, explicitly allow TLS without checking server cert
-# against any certificate authorities. WARNING: not recommended. Use with caution.
+# against any certificate authorities. WARNING: not recommended. Use with
+# caution.
 # Defaults to $::os_service_default
 #
 # [*auth_section*]
@@ -53,7 +55,8 @@
 # Defaults to $::os_service_default.
 #
 # [*cafile*]
-# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs connections.
+# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+# connections.
 # Defaults to $::os_service_default.
 #
 # [*certfile*]
@@ -62,8 +65,8 @@
 #
 # [*delay_auth_decision*]
 # (Optional) Do not handle authorization requests within the middleware, but
-# delegate the authorization decision to downstream WSGI components.
-# Boolean value
+# delegate the authorization decision to downstream WSGI components. Boolean
+# value
 # Defaults to $::os_service_default.
 #
 # [*enforce_token_bind*]
@@ -183,8 +186,8 @@
 # Defaults to undef.
 #
 class magnum::keystone::authtoken(
- $password,
 $username = 'magnum',
+ $password = $::os_service_default,
 $auth_url = 'http://localhost:5000',
 $project_name = 'services',
 $user_domain_name = 'Default',
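Review bot: The parameter docs in the first hunk now describe `password` as "(Required)" and also say "Defaults to $::os_service_default", matching the default added to the signature in this last hunk, so the docs no longer say what happens when it is left unset. The guard added further down in this diff aborts compilation in that case, and the doc line should say so, for example `# (Required) Password to create for the service user. Compilation fails if this is left at $::os_service_default.` The class parameter list continues outside this hunk.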
@@ -223,6 +226,10 @@ class magnum::keystone::authtoken( include ::magnum::deps + if is_service_default($password) { + fail('Please set password for magnum service user') + } + if $check_revocations_for_cached { warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.') } @@ -242,12 +249,16 @@ class magnum::keystone::authtoken( auth_section => $auth_section, user_domain_name => $user_domain_name, project_domain_name => $project_domain_name, + insecure => $insecure, cache => $cache, + cafile => $cafile, + certfile => $certfile, delay_auth_decision => $delay_auth_decision, enforce_token_bind => $enforce_token_bind, http_connect_timeout => $http_connect_timeout, http_request_max_retries => $http_request_max_retries, include_service_catalog => $include_service_catalog, + keyfile => $keyfile, memcache_pool_conn_get_timeout => $memcache_pool_conn_get_timeout, memcache_pool_dead_retry => $memcache_pool_dead_retry, memcache_pool_maxsize => $memcache_pool_maxsize, @@ -262,11 +273,7 @@ class magnum::keystone::authtoken( token_cache_time => $token_cache_time, service_token_roles_required => $service_token_roles_required, } - magnum_config { - 'keystone_authtoken/admin_tenant_name': value => $project_name; - 'keystone_authtoken/admin_user' : value => $username; - 'keystone_authtoken/admin_password' : value => $password, secret => true; 'keystone_auth/cafile' : value => $cafile; 'keystone_auth/keyfile' : value => $keyfile; 'keystone_auth/certfile' : value => $certfile; diff --git a/spec/classes/magnum_keystone_authtoken_spec.rb b/spec/classes/magnum_keystone_authtoken_spec.rb index 4ef6572..eb6b608 100755 --- a/spec/classes/magnum_keystone_authtoken_spec.rb +++ b/spec/classes/magnum_keystone_authtoken_spec.rb 
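Review bot: The new guard in the -223,6 hunk rejects only the `$::os_service_default` sentinel, so an explicitly passed empty string would still be forwarded as the service user's password; how the downstream resource treats that is not visible here. Since the parameter is no longer mandatory in the signature, I would widen the check to something like `if is_service_default($password) or $password == '' {`. A spec case asserting the compile failure when no password is given would also help, as none is visible in the spec hunks of this diff. The class body starts and ends outside the hunk.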
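Review bot: `insecure => $insecure` in the -242,12 hunk is now forwarded to the authtoken resource, so a deployment that already sets `insecure => true` on this class will, as far as this hunk shows, start disabling server-certificate verification for token validation on its next run. That behaviour change deserves a release note. I would also surface it at compile time, following the `warning(...)` pattern used for `check_revocations_for_cached`, e.g. `if !is_service_default($insecure) and $insecure { warning('keystone_authtoken/insecure disables TLS certificate verification') }`. The resource declaration starts and ends outside the hunk.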
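Review bot: Dropping the three `keystone_authtoken/admin_*` entries in the -262,11 hunk stops Puppet managing them, but on nodes configured by the previous version the old `admin_password` line stays in the config file unless unmanaged entries are purged, which this diff does not show. That leaves a second copy of the service credential on disk that later password rotations will not update or remove. For a transition period I would keep the keys as `'keystone_authtoken/admin_password': ensure => absent;` and likewise for `admin_user` and `admin_tenant_name`. The `magnum_config` block continues outside the hunk.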
@@ -19,21 +19,22 @@ describe 'magnum::keystone::authtoken' do
 is_expected.to contain_magnum_config('keystone_authtoken/password').with_value('magnum_password')
 is_expected.to contain_magnum_config('keystone_authtoken/auth_url').with_value('http://localhost:5000')
 is_expected.to contain_magnum_config('keystone_authtoken/project_name').with_value('services')
- is_expected.to contain_magnum_config('keystone_authtoken/admin_user').with_value('magnum')
- is_expected.to contain_magnum_config('keystone_authtoken/admin_password').with_value('magnum_password')
- is_expected.to contain_magnum_config('keystone_authtoken/admin_tenant_name').with_value('services')
 is_expected.to contain_magnum_config('keystone_authtoken/user_domain_name').with_value('Default')
 is_expected.to contain_magnum_config('keystone_authtoken/project_domain_name').with_value('Default')
+ is_expected.to contain_magnum_config('keystone_authtoken/insecure').with_value('')
 is_expected.to contain_magnum_config('keystone_authtoken/auth_section').with_value('')
 is_expected.to contain_magnum_config('keystone_authtoken/auth_type').with_value('password')
 is_expected.to contain_magnum_config('keystone_authtoken/www_authenticate_uri').with_value('http://localhost:5000')
 is_expected.to contain_magnum_config('keystone_authtoken/auth_version').with_value('')
 is_expected.to contain_magnum_config('keystone_authtoken/cache').with_value('')
+ is_expected.to contain_magnum_config('keystone_authtoken/cafile').with_value('')
+ is_expected.to contain_magnum_config('keystone_authtoken/certfile').with_value('')
 is_expected.to contain_magnum_config('keystone_authtoken/delay_auth_decision').with_value('')
 is_expected.to contain_magnum_config('keystone_authtoken/enforce_token_bind').with_value('')
 is_expected.to contain_magnum_config('keystone_authtoken/http_connect_timeout').with_value('')
 is_expected.to contain_magnum_config('keystone_authtoken/http_request_max_retries').with_value('')
 is_expected.to contain_magnum_config('keystone_authtoken/include_service_catalog').with_value('')
+ is_expected.to contain_magnum_config('keystone_authtoken/keyfile').with_value('')
 is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value('')
 is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_dead_retry').with_value('')
 is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_maxsize').with_value('')
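Review bot: The removed `admin_user`, `admin_password` and `admin_tenant_name` expectations are not replaced by negative ones, so nothing in this example would catch the manifest writing the service password under a second key again. Consider adding `is_expected.not_to contain_magnum_config('keystone_authtoken/admin_password')` here; the hunk at -98,20 has the same gap. The enclosing `it` block starts and ends outside the hunk.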
@@ -98,20 +99,21 @@ describe 'magnum::keystone::authtoken' do
 is_expected.to contain_magnum_config('keystone_authtoken/password').with_value(params[:password]).with_secret(true)
 is_expected.to contain_magnum_config('keystone_authtoken/auth_url').with_value(params[:auth_url])
 is_expected.to contain_magnum_config('keystone_authtoken/project_name').with_value(params[:project_name])
- is_expected.to contain_magnum_config('keystone_authtoken/admin_user').with_value(params[:username])
- is_expected.to contain_magnum_config('keystone_authtoken/admin_password').with_value(params[:password]).with_secret(true)
- is_expected.to contain_magnum_config('keystone_authtoken/admin_tenant_name').with_value(params[:project_name])
 is_expected.to contain_magnum_config('keystone_authtoken/user_domain_name').with_value(params[:user_domain_name])
 is_expected.to contain_magnum_config('keystone_authtoken/project_domain_name').with_value(params[:project_domain_name])
+ is_expected.to contain_magnum_config('keystone_authtoken/insecure').with_value(params[:insecure])
 is_expected.to contain_magnum_config('keystone_authtoken/auth_section').with_value(params[:auth_section])
 is_expected.to contain_magnum_config('keystone_authtoken/auth_type').with_value(params[:auth_type])
 is_expected.to contain_magnum_config('keystone_authtoken/auth_version').with_value(params[:auth_version])
 is_expected.to contain_magnum_config('keystone_authtoken/cache').with_value(params[:cache])
+ is_expected.to contain_magnum_config('keystone_authtoken/cafile').with_value(params[:cafile])
+ is_expected.to contain_magnum_config('keystone_authtoken/certfile').with_value(params[:certfile])
 is_expected.to contain_magnum_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
 is_expected.to contain_magnum_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
 is_expected.to contain_magnum_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
 is_expected.to contain_magnum_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
 is_expected.to contain_magnum_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])
+ is_expected.to contain_magnum_config('keystone_authtoken/keyfile').with_value(params[:keyfile])
 is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value(params[:memcache_pool_conn_get_timeout])
 is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_dead_retry').with_value(params[:memcache_pool_dead_retry])
 is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_maxsize').with_value(params[:memcache_pool_maxsize])