In a 2014 blog post, OpenStack developer Nathan Kinder famously (and convincingly) argued that Keystone is not an authentication service. In this post, Kinder describes the deployment pattern of placing the
Keystone service behind an Apache HTTP server, which uses native modules to perform authentication. Kinder makes two arguments in his post:
Most people use some kind of external authentication system with OpenStack
The reference authentication system (the SQL plugin) doesn't have any of the features that we'd expect from an authentication service
Both of these arguments have been proven in our experience; the first integration that most of the organizations we work with tackle is that of the IdM service.