diff --git a/defaults/main.yml b/defaults/main.yml
index c60a8187..5579f486 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -227,6 +227,7 @@ keystone_recreate_keys: False
 
 ## Federation
 # Enable the following section on the Keystone IdP
+keystone_idp: {}
 #keystone_idp:
 #  certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
 #  keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
@@ -253,6 +254,7 @@ keystone_recreate_keys: False
 # Enable the following section in order to install and configure
 # Keystone as a Resource Service Provider (SP) and to configure
 # trusts with specific Identity Providers (IdP).
+keystone_sp: {}
 #keystone_sp:
 #  cert_duration_years: 5
 #  trusted_dashboard_list:
diff --git a/tasks/keystone_apache.yml b/tasks/keystone_apache.yml
index 50d806b6..413c8ea4 100644
--- a/tasks/keystone_apache.yml
+++ b/tasks/keystone_apache.yml
@@ -74,7 +74,7 @@
 - name: Enable/disable mod_shib2 for apache2
   apache2_module:
     name: shib2
-    state: "{{ ( keystone_sp is defined ) | ternary('present', 'absent') }}"
+    state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
   ignore_errors: yes
   notify:
     - Restart Apache
diff --git a/tasks/keystone_federation_sp_idp_setup.yml b/tasks/keystone_federation_sp_idp_setup.yml
index 3f725b13..c08d2edd 100644
--- a/tasks/keystone_federation_sp_idp_setup.yml
+++ b/tasks/keystone_federation_sp_idp_setup.yml
@@ -32,7 +32,7 @@
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: item.domain is defined
-  with_items: keystone_federated_identities
+  with_items: "{{ keystone_federated_identities | default([]) }}"
 
 - name: Ensure project which remote IDP users are mapped onto exists
   keystone:
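Review bot: The new `keystone_idp: {}` and `keystone_sp: {}` defaults make the empty dict the "disabled" sentinel, but the comments above them still only say to enable the commented section, so nothing tells a deployer that the tasks and templates now test `!= {}` instead of `is defined`. A deployer who writes `keystone_sp:` with no value (null) or a bare string therefore switches every SP code path on while `keystone_sp.trusted_idp_list` and the other keys stay missing. A one-line comment under each new default, e.g. `# Leave as an empty dict ({}) to keep this disabled; any other value, including null, enables the IdP/SP tasks and templates.`, would close that gap.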
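Review bot: The `keystone_sp != {}` expression introduced in `state:` here is spelled out again in tasks/keystone_install_apt.yml, tasks/main.yml (three places), templates/keystone-httpd.conf.j2 and templates/keystone.conf.j2, with the matching `keystone_idp != {}` in keystone_idp_metadata.yml, keystone_install_apt.yml, main.yml and keystone.conf.j2. Computing the sentinel test once at the top of tasks/main.yml, e.g. `set_fact: keystone_sp_enabled: "{{ keystone_sp != {} }}"` (name constructed), and referencing that boolean everywhere would keep the call sites in step if the sentinel changes again. The retained `ignore_errors: yes` also means a failed enable of mod_shib2 on a host where keystone_sp is populated is only visible in the log; registering the result and using `failed_when: shib2_result | failed and keystone_sp != {}` (name constructed) would keep the tolerance only for the 'absent' side.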
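Review bot: With `| default([])` this loop, and the matching ones at -45, -63, -76, -90, -106, -119, -133 and -147 in this file, silently becomes a no-op when `keystone_federated_identities`, `keystone_federated_protocols` or `keystone_sp.trusted_idp_list` is undefined, which is right for an idle SP but also hides a misspelled variable on a populated one: the play finishes green with no mappings or trusted IdPs created. An `assert` near the top of this file along the lines of `that: keystone_federated_identities is defined` guarded by `when: keystone_sp != {}` would fail fast on a misconfigured SP while keeping the defaulted loops for the disabled case; whether this file is only included when keystone_sp is non-empty cannot be confirmed from the diff. The tasks enclosing each `with_items` start outside the hunks.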
@@ -45,7 +45,7 @@
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: item.project is defined
-  with_items: keystone_federated_identities
+  with_items: "{{ keystone_federated_identities | default([]) }}"
 
 - name: Ensure user which remote IDP users are mapped onto exists
   keystone:
@@ -63,7 +63,7 @@
     item.user is defined and
     item.password is defined and
     item.project is defined
-  with_items: keystone_federated_identities
+  with_items: "{{ keystone_federated_identities | default([]) }}"
 
 - name: Ensure Group for external IDP users exists
   keystone:
@@ -76,7 +76,7 @@
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: item.group is defined
-  with_items: keystone_federated_identities
+  with_items: "{{ keystone_federated_identities | default([]) }}"
 
 - name: Ensure Role for external IDP users exists
   keystone:
@@ -90,7 +90,7 @@
   when: >
     item.group is defined and
     item.project is defined
-  with_items: keystone_federated_identities
+  with_items: "{{ keystone_federated_identities | default([]) }}"
 
 - name: Ensure Group/Project/Role mapping exists
   keystone:
@@ -106,7 +106,7 @@
   when: >
     item.group is defined and
     item.project is defined
-  with_items: keystone_federated_identities
+  with_items: "{{ keystone_federated_identities | default([]) }}"
 
 - name: Ensure mapping for external IDP attributes exists
   keystone:
@@ -119,7 +119,7 @@
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: item.protocol.mapping.name is defined
-  with_items: keystone_federated_protocols
+  with_items: "{{ keystone_federated_protocols | default([]) }}"
 
 - name: Ensure external IDP
   keystone:
@@ -133,7 +133,7 @@
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: item.name is defined
-  with_items: keystone_sp.trusted_idp_list
+  with_items: "{{ keystone_sp.trusted_idp_list | default([]) }}"
 
 - name: Ensure federation protocol exists
   keystone:
@@ -147,4 +147,4 @@
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: item.protocol.name is defined
-  with_items: keystone_federated_protocols
+  with_items: "{{ keystone_federated_protocols | default([]) }}"
diff --git a/tasks/keystone_fernet_keys_distribute.yml b/tasks/keystone_fernet_keys_distribute.yml
index 87a76fd7..807e2072 100644
--- a/tasks/keystone_fernet_keys_distribute.yml
+++ b/tasks/keystone_fernet_keys_distribute.yml
@@ -22,4 +22,4 @@
     {{ keystone_system_user_name }}@{{ hostvars[item]['ansible_ssh_host'] }}:{{ keystone_fernet_tokens_key_repository }}/
   become: yes
   become_user: "{{ keystone_system_user_name }}"
-  with_items: groups['keystone_all'][1:]
+  with_items: "{{ groups['keystone_all'][1:] }}"
diff --git a/tasks/keystone_idp_metadata.yml b/tasks/keystone_idp_metadata.yml
index 8fa0e61a..512bb7c0 100644
--- a/tasks/keystone_idp_metadata.yml
+++ b/tasks/keystone_idp_metadata.yml
@@ -18,6 +18,6 @@
     {{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}
   become: yes
   become_user: "{{ keystone_system_user_name }}"
-  when: keystone_idp is defined
+  when: keystone_idp != {}
   notify:
-    - Restart Apache
\ No newline at end of file
+    - Restart Apache
diff --git a/tasks/keystone_idp_sp_setup.yml b/tasks/keystone_idp_sp_setup.yml
index 12aac80f..7c2ddf4d 100644
--- a/tasks/keystone_idp_sp_setup.yml
+++ b/tasks/keystone_idp_sp_setup.yml
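Review bot: The output redirect `> {{ keystone_idp.idp_metadata_path }}` on the shell line kept as context above `become:` is unquoted, so a metadata path containing whitespace or shell metacharacters is word-split or interpreted rather than used as the target; `> "{{ keystone_idp.idp_metadata_path }}"` keeps it a single argument. Quoting is also the cheap guard now that `when: keystone_idp != {}` lets any non-empty value through, including one whose `idp_metadata_path` holds an unexpected string. The shell block and the task header start outside the hunk.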
@@ -23,7 +23,7 @@
     sp_name: "{{ item.id }}"
     sp_url: "{{ item.sp_url }}"
     sp_auth_url: "{{ item.auth_url }}"
-  with_items: keystone_idp.service_providers
+  with_items: "{{ keystone_idp.service_providers | default([]) }}"
   register: add_service_providers
   until: add_service_providers|success
   retries: 5
diff --git a/tasks/keystone_install.yml b/tasks/keystone_install.yml
index 409c364e..e9ae4228 100644
--- a/tasks/keystone_install.yml
+++ b/tasks/keystone_install.yml
@@ -58,7 +58,7 @@
   until: install_packages|success
   retries: 5
   delay: 2
-  with_items: keystone_requires_pip_packages
+  with_items: "{{ keystone_requires_pip_packages }}"
 
 - name: Get local venv checksum
   stat:
@@ -134,7 +134,7 @@
   until: install_packages|success
   retries: 5
   delay: 2
-  with_items: keystone_pip_packages
+  with_items: "{{ keystone_pip_packages }}"
   when:
     - keystone_get_venv | failed or keystone_developer_mode | bool
   notify:
diff --git a/tasks/keystone_install_apt.yml b/tasks/keystone_install_apt.yml
index 78317729..82ae68c2 100644
--- a/tasks/keystone_install_apt.yml
+++ b/tasks/keystone_install_apt.yml
@@ -30,7 +30,7 @@
   until: install_packages|success
   retries: 5
   delay: 2
-  with_items: keystone_apt_packages
+  with_items: "{{ keystone_apt_packages }}"
 
 - name: Install IdP apt packages
   apt:
@@ -40,8 +40,8 @@
   until: install_packages|success
   retries: 5
   delay: 2
-  with_items: keystone_idp_apt_packages
-  when: keystone_idp is defined
+  with_items: "{{ keystone_idp_apt_packages }}"
+  when: keystone_idp != {}
 
 - name: Install SP apt packages
   apt:
@@ -51,8 +51,8 @@
   until: install_packages|success
   retries: 5
   delay: 2
-  with_items: keystone_sp_apt_packages
-  when: keystone_sp is defined
+  with_items: "{{ keystone_sp_apt_packages }}"
+  when: keystone_sp != {}
 
 - name: Install developer mode apt packages
   apt:
@@ -62,6 +62,6 @@
   until: install_packages|success
   retries: 5
   delay: 2
-  with_items: keystone_developer_apt_packages
+  with_items: "{{ keystone_developer_apt_packages }}"
   when:
     - keystone_developer_mode | bool
diff --git a/tasks/keystone_key_distribute.yml b/tasks/keystone_key_distribute.yml
index 30f6152e..f56b647e 100644
--- a/tasks/keystone_key_distribute.yml
+++ b/tasks/keystone_key_distribute.yml
@@ -17,5 +17,5 @@
   authorized_key:
     user: "{{ keystone_system_user_name }}"
     key: "{{ hostvars[item]['keystone_pubkey'] | b64decode }}"
-  with_items: groups['keystone_all']
+  with_items: "{{ groups['keystone_all'] }}"
   when: hostvars[item]['keystone_pubkey'] is defined
diff --git a/tasks/keystone_ldap_setup.yml b/tasks/keystone_ldap_setup.yml
index f6f19754..8fa78136 100644
--- a/tasks/keystone_ldap_setup.yml
+++ b/tasks/keystone_ldap_setup.yml
@@ -23,7 +23,7 @@
     login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
-  with_dict: keystone_ldap
+  with_dict: "{{ keystone_ldap }}"
   run_once: true
 
 - name: Create Keystone LDAP domain configs
@@ -33,7 +33,7 @@
     owner: "{{ keystone_system_user_name }}"
     group: "{{ keystone_system_group_name }}"
     mode: "0644"
-  with_dict: keystone_ldap
+  with_dict: "{{ keystone_ldap }}"
   notify:
     - Restart Apache
 
diff --git a/tasks/keystone_pre_install.yml b/tasks/keystone_pre_install.yml
index 40d4ff0a..ce22f66a 100644
--- a/tasks/keystone_pre_install.yml
+++ b/tasks/keystone_pre_install.yml
@@ -24,7 +24,7 @@
     name: "{{ item }}"
     state: "present"
     system: "yes"
-  with_items: keystone_system_additional_groups
+  with_items: "{{ keystone_system_additional_groups }}"
 
 - name: Remove old key file(s) if found
   file:
diff --git a/tasks/main.yml b/tasks/main.yml
index c920939c..7d4cf96a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -17,7 +17,7 @@
   fail:
     msg: "Please set the {{ item }} variable prior to applying this role."
   when: (item is undefined) or (item is none)
-  with_items: keystone_required_secrets
+  with_items: "{{ keystone_required_secrets }}"
   tags:
     - always
 
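Review bot: A comment above this task should state the trust the loop creates: every host in `groups['keystone_all']` that has a `keystone_pubkey` hostvar gets that key added to the keystone system user's authorized_keys on every other keystone host, a full-mesh SSH trust as that user, presumably so the rsync in tasks/keystone_fernet_keys_distribute.yml (whose hunk targets `{{ keystone_system_user_name }}@{{ hostvars[item]['ansible_ssh_host'] }}`) can run. Something like `# Full-mesh SSH trust between keystone hosts as the keystone system user (fernet key repository rsync); adding a host to keystone_all grants it login to every other keystone node as this user.` makes the consequence of group membership explicit to whoever edits the inventory. The task's `name:` line and module header start outside the hunk.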
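Review bot: The domain config file written here keeps `mode: "0644"`, and if the `keystone_ldap` entries it is rendered from include an LDAP bind password (the usual `password` option of a `[ldap]` section) that secret is readable by every local account on the host; the template is not in the diff, so confirm what it renders. If it does carry credentials, `mode: "0640"` together with the existing `owner`/`group` lines keeps the file readable by the keystone system group, which presumably covers the Apache worker that loads it. The `with_dict` change at -23 in this file is not affected.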
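Review bot: The guard `when: (item is undefined) or (item is none)` on the context line above the new `with_items` tests the loop item itself, and if `keystone_required_secrets` is a list of variable names, as the message `Please set the {{ item }} variable ...` suggests, `item` is always a defined non-null string, so this fail task can never fire and a deployment with a missing secret keeps going. Testing the named variable instead, e.g. `when: (hostvars[inventory_hostname][item] is undefined) or (hostvars[inventory_hostname][item] is none)`, makes the check effective; if the list actually holds the secret values themselves, the current test is correct and this note does not apply. The task header starts outside the hunk.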
@@ -62,7 +62,7 @@
     - keystone-install
     - keystone-config
   when:
-    - keystone_sp is defined
+    - keystone_sp != {}
 
 - include: keystone_db_setup.yml
   tags:
@@ -108,7 +108,7 @@
     - keystone-config
   when:
     - keystone_service_setup | bool
-    - keystone_sp is defined
+    - keystone_sp != {}
     - inventory_hostname == groups['keystone_all'][0]
 
 - name: Flush handlers
@@ -119,4 +119,4 @@
     - keystone-install
     - keystone-config
   when:
-    - keystone_idp is defined
+    - keystone_idp != {}
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index 9328303a..39b43044 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -31,7 +31,7 @@
         SSLOptions +StdEnvVars +ExportCertData
     {% endif %}
-    {% if keystone_sp is defined -%}
+    {% if keystone_sp != {} -%}
     ShibURLScheme {{ keystone_service_publicuri_proto }}
diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2
index 0473fc81..614f2458 100644
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@@ -45,7 +45,7 @@ cache_time = {{ keystone_revocation_cache_time }}
 [auth]
-{% if keystone_sp is defined %}
+{% if keystone_sp != {} %}
 methods = {{ keystone_auth_methods }},saml2
 saml2 = keystone.auth.plugins.mapped.Mapped
 {% else %}
@@ -106,7 +106,7 @@ driver = {{ keystone_token_driver }}
 [catalog]
 caching = false
-{% if keystone_idp is defined %}
+{% if keystone_idp != {} %}
 [saml]
 certfile = "{{ keystone_idp.certfile }}"
 keyfile = "{{ keystone_idp.keyfile }}"
@@ -157,7 +157,7 @@ rabbit_hosts = {{ keystone_rabbitmq_servers }}
 rabbit_use_ssl = {{ keystone_rabbitmq_use_ssl }}
 {% endif %}
-{% if keystone_sp is defined %}
+{% if keystone_sp != {} %}
 [federation]
 remote_id_attribute = Shib-Identity-Provider
 {% if keystone_sp.trusted_dashboard_list is defined %}