diff --git a/defaults/main.yml b/defaults/main.yml
index 88eeff69..4a0b837d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -329,6 +329,7 @@ keystone_idp: {}
 keystone_sp: {}
 #keystone_sp:
 #  cert_duration_years: 5
+#  apache_mod: shibboleth  #or mod_auth_openidc
 #  trusted_dashboard_list:
 #    - "https://{{ external_lb_vip_address }}/auth/websso/"
 #    - "https://{{ horizon_server_name }}/auth/websso/"
@@ -425,6 +426,34 @@ keystone_sp: {}
 #          attributes:
 #            - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
 #              id: upn
+#
+#    - name: "keycloak-oidc-idp"
+#      oidc_provider_metadata_url: https://identity-provider/.well-known/openid-configuration
+#      oidc_client_id: keystone
+#      oidc_client_secret: secret
+#      oidc_crypto_passphrase: random string
+#      oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
+#      entity_ids:
+#        - 'https://identity-provider/openid-endpoint/'
+#      federated_identities:
+#        - domain: default
+#          project: fedproject
+#          group: fedgroup
+#          role: _member_
+#      protocols:
+#        - name: openid
+#          mapping:
+#            name: keycloak-oidc-idp-openid-mapping
+#            rules:
+#              - remote:
+#                  - type: OIDC-email
+#                local:
+#                  - group:
+#                      name: fedgroup
+#                      domain:
+#                        name: Default
+#                    user:
+#                      name: '{0}'
 
 keystone_service_in_ldap: false
 
diff --git a/releasenotes/notes/mod-auth-openidc-102bd253b677f3fc.yaml b/releasenotes/notes/mod-auth-openidc-102bd253b677f3fc.yaml
new file mode 100644
index 00000000..dcf27806
--- /dev/null
+++ b/releasenotes/notes/mod-auth-openidc-102bd253b677f3fc.yaml
@@ -0,0 +1,16 @@
+---
+features:
+  - Added support for using mod_auth_openidc instead of shibboleth as a
+    service provider for supporting users who have a preference to use OIDC
+    for federation. Mod_auth_openidc is the apache module that is recommended
+    in the keystone documentation for implementing openidc.
+    Added a variable to called apache_mod to keystone_sp, if left undefined
+    shibboleth will continue to be installed by default provided keystone_sp is
+    not empty. Mod_auth_openidc will not be installed unless it is spelled
+    correctly, any misspellings will result in a shibboleth install.
+    Note that installing shibboleth on Debian based metal distro deployments
+    may break services that depend on libcurl4, as shib2 requires libcurl3,
+    and they are unable to coexist. This can be resolved when there is a
+    shib3 package available in a future release of Ubuntu/Debian.
+    There is currently no support for simultaneous use of shibboleth2 and
+    mod_auth_openidc.
diff --git a/tasks/keystone_apache.yml b/tasks/keystone_apache.yml
index a9333858..fce6cbbd 100644
--- a/tasks/keystone_apache.yml
+++ b/tasks/keystone_apache.yml
@@ -32,6 +32,17 @@
     owner: "{{ keystone_apache_default_log_owner }}"
     group: "{{ keystone_apache_default_log_grp }}"
 
+- name: Place apache2 config files
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "root"
+    group: "root"
+  with_items: "{{ keystone_apache_configs }}"
+  notify:
+    - Manage LB
+    - Restart web server
+
 ## NOTE(cloudnull):
 ## Module enable/disable process is only functional on Debian and SUSE based systems.
 - name: Enable/disable apache2 modules
@@ -58,17 +69,6 @@
     - Manage LB
     - Restart web server
 
-- name: Drop apache2 config files
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: "root"
-    group: "root"
-  with_items: "{{ keystone_apache_configs }}"
-  notify:
-    - Manage LB
-    - Restart web server
-
 - name: Disable default apache site
   file:
     path: "{{ item }}"
diff --git a/tasks/keystone_federation_sp_setup.yml b/tasks/keystone_federation_sp_shib_setup.yml
similarity index 100%
rename from tasks/keystone_federation_sp_setup.yml
rename to tasks/keystone_federation_sp_shib_setup.yml
diff --git a/tasks/main.yml b/tasks/main.yml
index 82fa0b2d..e5e9f420 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -48,6 +48,21 @@
   tags:
     - always
 
+- name: Fact for apache module shibboleth to be installed
+  set_fact:
+    keystone_sp_apache_mod_shib:
+      "{{ (keystone_sp != {} and
+      (keystone_sp.apache_mod is undefined or
+      (keystone_sp.apache_mod is defined and keystone_sp.apache_mod != 'mod_auth_openidc'))
+      ) | ternary('true', 'false') }}"
+
+- name: Fact for apache module mod_auth_openidc to be installed
+  set_fact:
+    keystone_sp_apache_mod_auth_openidc:
+      "{{ (keystone_sp != {} and
+      keystone_sp.apache_mod is defined and keystone_sp.apache_mod == 'mod_auth_openidc')
+      | ternary('true', 'false') }}"
+
 - import_tasks: db_setup.yml
   when:
     - "keystone_services['keystone-wsgi-public']['group'] in group_names"
@@ -123,8 +138,9 @@
   tags:
     - keystone-config
 
-- import_tasks: keystone_federation_sp_setup.yml
-  when: keystone_sp != {}
+- import_tasks: keystone_federation_sp_shib_setup.yml
+  when:
+    - keystone_sp_apache_mod_shib
   tags:
     - keystone-config
 
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index a75f38e3..d77895c3 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -18,7 +18,7 @@ Listen {{ keystone_service_port }}
     Header set Content-Security-Policy "default-src 'self' https: wss:;"
     {% if keystone_sp != {} -%}
     Header set Content-Security-Policy "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';"
-    {% endif %}
+    {% endif -%}
     Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
 
     {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
@@ -33,9 +33,36 @@ Listen {{ keystone_service_port }}
     SSLHonorCipherOrder On
     SSLCipherSuite {{ keystone_ssl_cipher_suite }}
     SSLOptions +StdEnvVars +ExportCertData
+    {% endif -%}
+    {% if keystone_sp_apache_mod_auth_openidc -%}
+    OIDCClaimPrefix "{{ keystone_sp.trusted_idp_list.0.oidc_claim_prefix | default('OIDC-') }}"
+    OIDCResponseType "{{ keystone_sp.trusted_idp_list.0.oidc_resp_type | default('id_token') }}"
+    OIDCScope "{{ keystone_sp.trusted_idp_list.0.idc_scope | default('openid email profile') }}"
+    OIDCProviderMetadataURL {{ keystone_sp.trusted_idp_list.0.oidc_provider_metadata_url }}
+    OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}
+    OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
+    OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}
+    OIDCRedirectURI {{ keystone_sp.trusted_idp_list.0.oidc_redirect_uri }}
+    {% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined -%}
+    OIDCOAuthVerifyJwksUri {{ keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri }}
     {% endif %}
 
-    {% if keystone_sp != {} -%}
+    <Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth>
+      Require valid-user
+      AuthType auth-openidc
+    </Location>
+
+    <Location /v3/auth/OS-FEDERATION/websso/openid>
+      Require valid-user
+      AuthType openid-connect
+    </Location>
+
+    <Location /v3/auth/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/websso>
+      Require valid-user
+      AuthType openid-connect
+    </Location>
+    {% endif %}
+    {%- if keystone_sp_apache_mod_shib -%}
     ShibURLScheme {{ keystone_service_publicuri_proto }}
 
     <Location /Shibboleth.sso>
@@ -57,19 +84,21 @@ Listen {{ keystone_service_port }}
         ShibExportAssertion Off
         Require valid-user
     </LocationMatch>
-
     {% endif %}
 
+    {% if keystone_sp != {} -%}
     <Directory /var/www/cgi-bin/keystone>
         Options Indexes FollowSymLinks MultiViews
         AllowOverride All
         Order allow,deny
         allow from all
     </Directory>
-
-    {% if keystone_sp != {} -%}
-    ProxyPass /Shibboleth.sso !
     {% endif %}
+
+    {% if keystone_sp_apache_mod_shib -%}
+    ProxyPass /Shibboleth.sso !
+    {% endif -%}
+
     ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/
 
 </VirtualHost>
diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2
index 5b767fab..c01c98a9 100644
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@@ -43,11 +43,7 @@ cache_time = {{ keystone_revocation_cache_time }}
 
 
 [auth]
-{% if keystone_sp != {} %}
-methods = {{ keystone_auth_methods }},saml2
-{% else %}
-methods = {{ keystone_auth_methods }}
-{% endif %}
+methods = {{ keystone_auth_methods }}{% if keystone_sp_apache_mod_shib %},saml2{% endif %}{% if keystone_sp_apache_mod_auth_openidc %},openid{% endif %}
 
 
 {% if keystone_database_enabled | bool %}
@@ -132,7 +128,11 @@ key_repository = {{ keystone_credential_key_repository }}
 
 {% if keystone_sp != {} %}
 [federation]
+{% if keystone_sp_apache_mod_auth_openidc %}
+remote_id_attribute = HTTP_OIDC_ISS
+{% elif keystone_sp_apache_mod_shib %}
 remote_id_attribute = Shib-Identity-Provider
+{% endif %}
 {% if keystone_sp.trusted_dashboard_list is defined %}
 {% for item in keystone_sp.trusted_dashboard_list %}
 trusted_dashboard = {{ item }}
diff --git a/vars/debian.yml b/vars/debian.yml
index 9aeca2eb..01811053 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -57,7 +57,9 @@ keystone_idp_distro_packages:
   - xmlsec1
 
 keystone_sp_distro_packages:
-  - libapache2-mod-shib2
+  - "{{ keystone_sp_apache_mod_shib | ternary('libcurl3', 'libcurl4') }}"
+  - "{{ keystone_sp_apache_mod_auth_openidc | ternary('libapache2-mod-auth-openidc',
+                                                      'libapache2-mod-shib2') }}"
 
 keystone_developer_mode_distro_packages:
   - build-essential
@@ -86,7 +88,9 @@ keystone_apache_modules:
   - name: "ssl"
     state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
   - name: "shib2"
-    state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
+    state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
+  - name: "auth_openidc"
+    state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
   - name: "proxy_uwsgi"
     state: "present"
   - name: "headers"
diff --git a/vars/redhat.yml b/vars/redhat.yml
index c15d98a4..14d7b62e 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -50,7 +50,8 @@ keystone_idp_distro_packages:
   - xmlsec1
 
 keystone_sp_distro_packages:
-  - shibboleth
+  - "{{ keystone_sp_apache_mod_auth_openidc | ternary('mod_auth_openidc',
+                                                      'shibboleth') }}"
 
 keystone_developer_mode_distro_packages:
   - gcc
diff --git a/vars/suse.yml b/vars/suse.yml
index 65cea06f..e36d578f 100644
--- a/vars/suse.yml
+++ b/vars/suse.yml
@@ -51,7 +51,8 @@ keystone_idp_distro_packages:
   - xmlsec1
 
 keystone_sp_distro_packages:
-  - shibboleth-sp
+  - "{{ keystone_sp_apache_mod_auth_openidc | ternary('apache2-mod_auth_openidc',
+                                                      'shibboleth-sp') }}"
 
 keystone_developer_mode_distro_packages:
   - "{{ (ansible_distribution_version is version ('42', '>=')) | ternary('patterns-openSUSE-devel_basis', 'patterns-devel-base-devel_basis') }}"
@@ -85,7 +86,9 @@ keystone_apache_modules:
   - name: "ssl"
     state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
   - name: "shib2"
-    state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
+    state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
+  - name: "auth_openidc"
+    state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
   - name: "proxy"
     state: "present"
   - name: "proxy_http"