Deep Dive and Practice into Keystone Federated Authentication in China Mobile

Now keystone has supported federated authtication in three types and they are based on SAML2.0, OpenID Connect and LDAP and Kerberos. Which way is best for hybrid authentication among server resource pool? To each protocol, how to design the process and strategy of identity? How can we combine the third party trusted certification center in China Mobile? We did a number of practice in server resource pool in China, and each resource pool had about 3 keystone nodes, 200 compute nodes, 10 controll