I think that's the issue - the API shows that multiple tenants can be scoped in a token as shown in token.xsd:
<sequence> <element name="tenant" type="identity:TenantForAuthenticateResponse"/>
<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded" />
</sequence>
But Keystone only allows one tenant for the token.
I think that's the issue - the API shows that multiple tenants can be scoped in a token as shown in token.xsd:
<element name="tenant" type="identity: TenantForAuthen ticateResponse" /> ="lax" minOccurs="0" maxOccurs= "unbounded" />
<sequence>
<any namespace="##other" processContents
</sequence>
But Keystone only allows one tenant for the token.
FYI - this is the issue that Paul Q brought up