diff --git a/keystone_tempest_plugin/config.py b/keystone_tempest_plugin/config.py
index 87872c5..d3e3c02 100644
--- a/keystone_tempest_plugin/config.py
+++ b/keystone_tempest_plugin/config.py
@@ -20,6 +20,11 @@ identity_feature_option = [
                 default=False,
                 help='Does the environment support the Federated Identity '
                      'feature?'),
+    cfg.BoolOpt('external_idp',
+                default=True,
+                help='Whether to test federated scenarios against an external '
+                     'identity provider. If disabled, only '
+                     'Keystone-to-Keystone tests will be enabled.'),
 ]
 
 fed_scenario_group = cfg.OptGroup(name='fed_scenario',
diff --git a/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py b/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py
index 89af4ce..e930205 100644
--- a/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py
+++ b/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py
@@ -183,14 +183,10 @@ class TestSaml2EcpFederatedAuthentication(base.BaseIdentityTest):
 
         return resp
 
-    @testtools.skipUnless(CONF.identity_feature_enabled.federation,
-                          "Federated Identity feature not enabled")
-    def test_request_unscoped_token(self):
+    def _test_request_unscoped_token(self):
         self._request_unscoped_token()
 
-    @testtools.skipUnless(CONF.identity_feature_enabled.federation,
-                          "Federated Identity feature not enabled")
-    def test_request_scoped_token(self):
+    def _test_request_scoped_token(self):
         resp = self._request_unscoped_token()
         token_id = resp.headers['X-Subject-Token']
 
@@ -203,6 +199,24 @@ class TestSaml2EcpFederatedAuthentication(base.BaseIdentityTest):
             project_id=projects[0]['id'], token=token_id)
 
 
+class TestSaml2FederatedExternalAuthentication(
+    TestSaml2EcpFederatedAuthentication):
+
+    @testtools.skipUnless(CONF.identity_feature_enabled.federation,
+                          "Federated Identity feature not enabled")
+    @testtools.skipUnless(CONF.identity_feature_enabled.external_idp,
+                          "External identity provider is not available")
+    def test_request_unscoped_token(self):
+        self._test_request_unscoped_token()
+
+    @testtools.skipUnless(CONF.identity_feature_enabled.federation,
+                          "Federated Identity feature not enabled")
+    @testtools.skipUnless(CONF.identity_feature_enabled.external_idp,
+                          "External identity provider is not available")
+    def test_request_scoped_token(self):
+        self._test_request_scoped_token()
+
+
 class TestK2KFederatedAuthentication(TestSaml2EcpFederatedAuthentication):
 
     def setUp(self):
@@ -253,3 +267,13 @@ class TestK2KFederatedAuthentication(TestSaml2EcpFederatedAuthentication):
         self.auth_client.expected_success(200, resp.status)
 
         return etree.XML(saml), self.sp_url
+
+    @testtools.skipUnless(CONF.identity_feature_enabled.federation,
+                          "Federated Identity feature not enabled")
+    def test_request_unscoped_token(self):
+        self._test_request_unscoped_token()
+
+    @testtools.skipUnless(CONF.identity_feature_enabled.federation,
+                          "Federated Identity feature not enabled")
+    def test_request_scoped_token(self):
+        self._test_request_scoped_token()