diff --git a/keystoneclient/auth/identity/v3.py b/keystoneclient/auth/identity/v3.py
index cc3a62ce0..0375c489e 100644
--- a/keystoneclient/auth/identity/v3.py
+++ b/keystoneclient/auth/identity/v3.py
@@ -39,6 +39,8 @@ class Auth(base.BaseIdentityPlugin):
     :param string project_domain_name: Project's domain name for project.
     :param bool reauthenticate: Allow fetching a new token if the current one
                                 is going to expire. (optional) default True
+    :param bool include_catalog: Include the service catalog in the returned
+                                 token. (optional) default True.
     """
 
     @utils.positional()
@@ -50,7 +52,8 @@ class Auth(base.BaseIdentityPlugin):
                  project_name=None,
                  project_domain_id=None,
                  project_domain_name=None,
-                 reauthenticate=True):
+                 reauthenticate=True,
+                 include_catalog=True):
         super(Auth, self).__init__(auth_url=auth_url,
                                    reauthenticate=reauthenticate)
 
@@ -62,6 +65,7 @@ class Auth(base.BaseIdentityPlugin):
         self.project_name = project_name
         self.project_domain_id = project_domain_id
         self.project_domain_name = project_domain_name
+        self.include_catalog = include_catalog
 
     @property
     def token_url(self):
@@ -112,8 +116,14 @@ class Auth(base.BaseIdentityPlugin):
         elif self.trust_id:
             body['auth']['scope'] = {'OS-TRUST:trust': {'id': self.trust_id}}
 
-        _logger.debug('Making authentication request to %s', self.token_url)
-        resp = session.post(self.token_url, json=body, headers=headers,
+        # NOTE(jamielennox): we add nocatalog here rather than in token_url
+        # directly as some federation plugins require the base token_url
+        token_url = self.token_url
+        if not self.include_catalog:
+            token_url += '?nocatalog'
+
+        _logger.debug('Making authentication request to %s', token_url)
+        resp = session.post(token_url, json=body, headers=headers,
                             authenticated=False, log=False, **rkwargs)
 
         try:
diff --git a/keystoneclient/tests/auth/test_identity_v3.py b/keystoneclient/tests/auth/test_identity_v3.py
index d869dba18..c0d4a1a1a 100644
--- a/keystoneclient/tests/auth/test_identity_v3.py
+++ b/keystoneclient/tests/auth/test_identity_v3.py
@@ -451,3 +451,20 @@ class V3IdentityPlugin(utils.TestCase):
         self.assertEqual(self.TEST_TOKEN, s.get_token())
 
         self.assertNotIn(password, self.logger.output)
+
+    def test_sends_nocatalog(self):
+        del self.TEST_RESPONSE_DICT['token']['catalog']
+        self.stub_auth(json=self.TEST_RESPONSE_DICT)
+
+        a = v3.Password(self.TEST_URL,
+                        username=self.TEST_USER,
+                        password=self.TEST_PASS,
+                        include_catalog=False)
+        s = session.Session(auth=a)
+
+        s.get_token()
+
+        auth_url = self.TEST_URL + '/auth/tokens'
+        self.assertEqual(auth_url, a.token_url)
+        self.assertEqual(auth_url + '?nocatalog',
+                         self.requests.last_request.url)