With the UUID token provider and WebSSO enabled, a token obtained via WebSSO cannot be validated in Keystone. In the Keystone log, you'll see something similar to the following:
46386 (keystone.token.providers.common): 2018-03-23 20:24:09,581 DEBUG common _populate_roles User 7e93953eda38423f919d83da2544c683 has no access to project 8d344d1178964026b20be32438b484be
46386 (keystone.token.provider): 2018-03-23 20:24:09,581 DEBUG provider validate_token Unable to validate token: The request you have made requires authentication.
46386 (keystone.common.wsgi): 2018-03-23 20:24:09,583 WARNING wsgi __call__ Could not find token: {u'tenant': {u'domain': {u'id': u'6c30c2dba285403e8aa70de9ecb47d0d', u'name': u'websso-domain1'}, u'id': u'8d344d1178964026b20be32438b484be', u'name': u'websso-project1'}, u'is_domain': None, 'user_id': u'7e93953eda38423f919d83da2544c683', 'expires': datetime.datetime(2018, 3, 24, 0, 24, 8), u'token_data': {u'token': {u'is_domain': False, u'service_providers': [{u'sp_url': u'https://mytest:5000/Shibboleth.sso/SAML2/ECP', u'auth_url': u'https://mytest:5000/v3', u'id': u'ks-sp-server'}], u'methods': [u'token', u'saml2'], u'roles': [{u'domain_id': None, u'id': u'9fe2ff9ee4384b1894a90878d3e92bab', u'name': u'_member_'}], u'is_admin_project': False, u'project': {u'domain': {u'id': u'6c30c2dba285403e8aa70de9ecb47d0d', u'name': u'websso-domain1'}, u'id': u'8d344d1178964026b20be32438b484be', u'name': u'websso-project1'},
...
Looking at the code, it appears we never rebuild federated token roles for UUID (persistence) tokens.
https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L610
We only do that for Fernet (non-persistence) tokens.
https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L635
Consequently, when we try to glue the token data together, the roles are rebuilt as if the token were a regular token, which results in the role assignment not being found.
https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L649
https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L418
https://github.com/openstack/keystone/blob/stable/pike/keystone/token/providers/common.py#L344
Steps to reproduce:
1. Follow the Keystone docs to set up WebSSO and use the UUID token provider.
2. Log in from Horizon.
3. After successfully logging in, you'll see all kinds of "Unable to retrieve ..." messages from Horizon. Basically, Horizon is unable to use the federated token to retrieve the user's resources (i.e. compute, network, etc.)
I presume this bug impacts Queens and older releases, as the UUID token provider is a goner for master.
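
A log check for the failure signature described above, as an added example that is not part of the original report or of Keystone: it pairs the `_populate_roles` "has no access" line with the `Could not find token` warning from the same worker and flags the pair only when the token's `methods` list is federated. The function name, the `federated_methods` parameter (default `saml2`, as in the report's log) and the sample lines are assumptions constructed for illustration.

```python
import re

# Line layout as in the report: "<pid> (<logger>): <date> <time>,<ms> <LEVEL> <module> <func> <message>"
LINE = re.compile(r"^(?P<pid>\d+) \([\w.]+\): \S+ \S+ \w+ \w+ \w+ (?P<msg>.*)$")
NO_ACCESS = re.compile(r"User (?P<user>[0-9a-f]{32}) has no access to project (?P<project>[0-9a-f]{32})")
USER_ID = re.compile(r"'user_id': u?'(?P<user>[0-9a-f]{32})'")
METHODS = re.compile(r"'methods': \[(?P<list>[^\]]*)\]")


def find_federated_failures(lines, federated_methods=("saml2",)):
    """Return (user_id, project_id, methods) for federated tokens that failed role lookup."""
    denied = {}    # (pid, user_id) -> project_id from the _populate_roles DEBUG line
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        hit = NO_ACCESS.search(msg)
        if hit:
            denied[(pid, hit.group("user"))] = hit.group("project")
        elif msg.startswith("Could not find token"):
            user, methods = USER_ID.search(msg), METHODS.search(msg)
            if not (user and methods):
                continue
            names = set(re.findall(r"'(\w+)'", methods.group("list")))
            project = denied.pop((pid, user.group("user")), None)
            # Flag only when the same worker just denied this user AND the token is federated.
            if project and names & set(federated_methods):
                findings.append((user.group("user"), project, sorted(names)))
    return findings


# Constructed sample: the first three lines abbreviate the report's log; the last two are a made-up password token.
SAMPLE = [
    "46386 (keystone.token.providers.common): 2018-03-23 20:24:09,581 DEBUG common _populate_roles User 7e93953eda38423f919d83da2544c683 has no access to project 8d344d1178964026b20be32438b484be",
    "46386 (keystone.token.provider): 2018-03-23 20:24:09,581 DEBUG provider validate_token Unable to validate token: The request you have made requires authentication.",
    "46386 (keystone.common.wsgi): 2018-03-23 20:24:09,583 WARNING wsgi __call__ Could not find token: {'user_id': u'7e93953eda38423f919d83da2544c683', u'token_data': {u'token': {u'methods': [u'token', u'saml2']}}}",
    "46390 (keystone.token.providers.common): 2018-03-23 20:25:00,100 DEBUG common _populate_roles User aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa has no access to project bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
    "46390 (keystone.common.wsgi): 2018-03-23 20:25:00,102 WARNING wsgi __call__ Could not find token: {'user_id': u'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', u'token_data': {u'token': {u'methods': [u'password']}}}",
]

if __name__ == "__main__":
    for user, project, methods in find_federated_failures(SAMPLE):
        print("federated token rejected: user=%s project=%s methods=%s" % (user, project, methods))
```

The `_populate_roles` line is logged at DEBUG level, so the check only works on logs collected with debug logging enabled.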