diff --git a/environments/enable-federation-openidc.yaml b/environments/enable-federation-openidc.yaml
index 480721027e..6b9aa06342 100644
--- a/environments/enable-federation-openidc.yaml
+++ b/environments/enable-federation-openidc.yaml
@@ -32,7 +32,7 @@ parameter_defaults:
# The url that points to your OpenID Connect provider metadata
# Type: string
- KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/metadata
+ KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration
# Attribute to be used to obtain the entity ID of the Identity Provider from the environment.
# Type: string
@@ -44,7 +44,19 @@ parameter_defaults:
# A list of dashboard URLs trusted for single sign-on.
# Type: comma_delimited_list
- KeystoneTrustedDashboards: https://dashboard.example.test
+ KeystoneTrustedDashboards: https://dashboard.example.test/dashboard/auth/websso/
+
+ # Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
+ # Type: json
+ WebSSOChoices: [['OIDC', 'OpenID Connect']]
+
+ # Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.
+ # Type: json
+ WebSSOIDPMapping: {'OIDC': ['myidp', 'openid']}
+
+ # The initial authentication choice to select by default
+ # Type: string
+ WebSSOInitialChoice: OIDC
# ******************************************************
# Static parameters - these are values that must be
@@ -58,6 +70,10 @@ parameter_defaults:
# Type: boolean
KeystoneOpenIdcEnable: True
+ # Enable support for Web Single Sign-On
+ # Type: boolean
+ WebSSOEnable: True
+
# *********************
# End static parameters
# *********************
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 8db8c328cd..5784415cfb 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
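Review bot: In the `@@ -44,7 +44,19 @@` hunk, `KeystoneTrustedDashboards` is the allow-list keystone consults before returning a federated token to a dashboard, so the new sample `https://dashboard.example.test/dashboard/auth/websso/` is only correct when it matches the deployed Horizon WebSSO callback exactly (scheme, host and path), and the comment above it does not say so. The same hunk's `WebSSOIDPMapping: {'OIDC': ['myidp', 'openid']}` hard-codes the `myidp` identity-provider name that sample-env-generator/openidc.yaml sets via `KeystoneOpenIdcIdpName: 'myidp'`, and nothing links the two, so changing one without the other presumably breaks the SSO redirect silently. I would extend the trusted-dashboards comment with `# Each entry must exactly match the Horizon WebSSO callback URL; only hosts listed here may receive federated tokens.` and add under the mapping comment `# The identity provider name must equal KeystoneOpenIdcIdpName.`.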
@@ -89,10 +89,33 @@ parameters:
default: ''
description: Horizon has a global overrides mechanism available to perform customizations
type: string
+ WebSSOEnable:
+ default: false
+ type: boolean
+ description: Enable support for Web Single Sign-On
+ WebSSOInitialChoice:
+ default: 'OIDC'
+ type: string
+ description: The initial authentication choice to select by default
+ WebSSOChoices:
+ default:
+ - ['OIDC', 'OpenID Connect']
+ type: json
+ description: Specifies the list of SSO authentication choices to present.
+ Each item is a list of an SSO choice identifier and a display
+ message.
+ WebSSOIDPMapping:
+ default:
+ 'OIDC': ['myidp', 'openid']
+ type: json
+ description: Specifies a mapping from SSO authentication choice to identity
+ provider and protocol. The identity provider and protocol names
+ must match the resources defined in keystone.
conditions:
debug_unset: {equals : [{get_param: Debug}, '']}
+ websso_enabled: {equals : [{get_param: WebSSOEnable}, True]}
outputs:
role_data:
@@ -142,6 +165,19 @@ outputs:
horizon::listen_ssl: {get_param: EnableInternalTLS}
horizon::horizon_ca: {get_param: InternalTLSCAFile}
horizon::customization_module: {get_param: HorizonCustomizationModule}
+ -
+ if:
+ - websso_enabled
+ -
+ horizon::websso_enabled:
+ get_param: WebSSOEnable
+ horizon::websso_initial_choice:
+ get_param: WebSSOInitialChoice
+ horizon::websso_choices:
+ get_param: WebSSOChoices
+ horizon::websso_idp_mapping:
+ get_param: WebSSOIDPMapping
+ - {}
- if: - debug_unset
diff --git a/sample-env-generator/openidc.yaml b/sample-env-generator/openidc.yaml
index 20a7d5dff1..5fc5b52673 100644
--- a/sample-env-generator/openidc.yaml
+++ b/sample-env-generator/openidc.yaml
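Review bot: In the `@@ -89,10 +89,33 @@` hunk nothing ties the three new defaults together: `WebSSOInitialChoice` defaults to `'OIDC'`, which has to be the identifier of one `WebSSOChoices` entry and a key of `WebSSOIDPMapping`, and a Heat parameter schema cannot express that, so a mismatch would presumably only surface when Horizon renders the login form. I would state the coupling in the description: `description: The initial authentication choice to select by default. Must be one of the choice identifiers listed in WebSSOChoices and a key of WebSSOIDPMapping.`. The two longer descriptions are written as multi-line plain scalars, which fold correctly but read as accidental continuation; a `>-` block scalar would make the intent explicit.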
@@ -16,18 +16,26 @@ environments:
- KeystoneOpenIdcCryptoPassphrase
- KeystoneOpenIdcResponseType
- KeystoneOpenIdcRemoteIdAttribute
+ puppet/services/horizon.yaml:
+ parameters:
+ - WebSSOEnable
+ - WebSSOInitialChoice
+ - WebSSOChoices
+ - WebSSOIDPMapping
sample_values:
KeystoneFederationEnable: True
KeystoneOpenIdcEnable: True
+ WebSSOEnable: True
KeystoneAuthMethods: 'password,token,openid'
- KeystoneTrustedDashboards: 'https://dashboard.example.test'
+ KeystoneTrustedDashboards: 'https://dashboard.example.test/dashboard/auth/websso/'
KeystoneOpenIdcIdpName: 'myidp'
- KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/metadata'
+ KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration'
KeystoneOpenIdcClientId: 'myclientid'
KeystoneOpenIdcClientSecret: 'myclientsecret'
static:
- KeystoneFederationEnable
- KeystoneOpenIdcEnable
+ - WebSSOEnable
description: |
This is an example template on how to configure keystone federation
for the OpenID Connect protocol. You must modify the parameters to use
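Review bot: The four new horizon.yaml parameters are listed under `parameters`, but only `WebSSOEnable` gets a `sample_values` entry, so the generated environment appears to carry horizon.yaml's defaults for `WebSSOIDPMapping`, whose `myidp`/`openid` pair lines up with `KeystoneOpenIdcIdpName: 'myidp'` only because the two samples happen to agree. Adding `WebSSOIDPMapping: {'OIDC': ['myidp', 'openid']}` to `sample_values` directly after `KeystoneOpenIdcIdpName` would keep the coupled values adjacent in this file and in the generated environment, so an operator renaming the identity provider sees both. The `description: |` block scalar at the end of the hunk continues past it, so the text where this coupling should also be mentioned is outside what the hunk shows.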