diff --git a/deliverables/ussuri/keystone.yaml b/deliverables/ussuri/keystone.yaml index 993099027f..9eb551281f 100644 --- a/deliverables/ussuri/keystone.yaml +++ b/deliverables/ussuri/keystone.yaml @@ -5,3 +5,22 @@ team: keystone type: service repository-settings: openstack/keystone: {} +cycle-highlights: + - The user experience for creating application credentials and trusts has + been greatly improved when using a federated authentication method. + Federated users whose role assignments come from mapped group membership + will have those group memberships persisted for a configurable TTL after + their token expires, during which time their application credentials will + remain valid. + - Keystone to Keystone assertions now contain the user's group memberships on + the keystone Identity Provider which can be mapped to group membership on + the keystone Service Provider. + - Federated users can now be given concrete role assignments without relying + on the mapping API by allowing federated users to be created directly in + keystone and linked to their Identity Provider. + - When bootstrapping a new keystone deployment, the admin role now defaults + to having the "immutable" option set, which prevents it from being + accidentally deleted or modified unless the "immutable" option is + deliberately removed. + - Keystonemiddleware no longer supports the Identity v2.0 API, which was + removed from keystone in previous release cycles.
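Review bot: the first highlight says group memberships are "persisted for a configurable TTL after their token expires" but names neither the option nor its default, so an operator reading it cannot tell how long application credentials stay valid once the federated token has expired. Suggest naming the configuration option and its default value in that bullet, or pointing to the release note that documents it. Two smaller points: the last bullet describes keystonemiddleware but is added to keystone.yaml, so it is worth confirming this is the deliverable file it belongs in, and "in previous release cycles" would be clearer if it named the cycle. Capitalization also varies between "Keystone to Keystone", "Keystonemiddleware" and the lowercase "keystone" used in the other bullets.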