diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
new file mode 100644
index 00000000..8b37619c
--- /dev/null
+++ b/manifests/keystone/auth.pp
@@ -0,0 +1,89 @@
+# == Class: designate::keystone::auth
+#
+# Configures designate user, service and endpoint in Keystone.
+#
+# === Parameters
+#
+# [*password*]
+#   Password for designate user. Required.
+#
+# [*email*]
+#   Email for designate user. Optional. Defaults to 'designate@localhost'.
+#
+# [*auth_name*]
+#   Username for designate service. Optional. Defaults to 'designate'.
+#
+# [*configure_endpoint*]
+#   Should designate endpoint be configured? Optional. Defaults to 'true'.
+#
+# [*service_type*]
+#    Type of service. Optional. Defaults to 'metering'.
+#
+# [*public_address*]
+#    Public address for endpoint. Optional. Defaults to '127.0.0.1'.
+#
+# [*admin_address*]
+#    Admin address for endpoint. Optional. Defaults to '127.0.0.1'.
+#
+# [*internal_address*]
+#    Internal address for endpoint. Optional. Defaults to '127.0.0.1'.
+#
+# [*port*]
+#    Port for endpoint. Optional. Defaults to '8777'.
+#
+# [*region*]
+#    Region for endpoint. Optional. Defaults to 'RegionOne'.
+#
+# [*tenant*]
+#    Tenant for designate user. Optional. Defaults to 'services'.
+#
+# [*protocol*]
+#    Protocol for public endpoint. Optional. Defaults to 'http'.
+#
+class designate::keystone::auth (
+  $password           = false,
+  $email              = 'designate@localhost',
+  $auth_name          = 'designate',
+  $service_type       = 'dns',
+  $public_address     = '127.0.0.1',
+  $admin_address      = '127.0.0.1',
+  $internal_address   = '127.0.0.1',
+  $port               = '9001',
+  $region             = 'RegionOne',
+  $tenant             = 'services',
+  $public_protocol    = 'http',
+  $admin_protocol     = 'http',
+  $internal_protocol  = 'http',
+  $version            = 'v1',
+  $configure_endpoint = true
+) {
+
+
+  Keystone_user_role["${auth_name}@${tenant}"] ~>
+    Service <| name == 'designate-api' |>
+
+  keystone_user { $auth_name:
+    ensure   => present,
+    password => $password,
+    email    => $email,
+    tenant   => $tenant,
+  }
+  keystone_user_role { "${auth_name}@${tenant}":
+    ensure  => present,
+    roles   => 'admin',
+  }
+  keystone_service { $auth_name:
+    ensure      => present,
+    type        => $service_type,
+    description => 'Openstack DNSaas Service',
+  }
+  if $configure_endpoint {
+    keystone_endpoint { "${region}/${auth_name}":
+      ensure       => present,
+      public_url   => "${public_protocol}://${public_address}:${port}/${version}",
+      admin_url    => "${admin_protocol}://${admin_address}:${port}/${version}",
+      internal_url => "${internal_protocol}://${internal_address}:${port}/${version}",
+    }
+  }
+}
+