diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
index abd6a7c66..58d3bf061 100644
--- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
@@ -350,7 +350,7 @@ keystone:
 username: "{{ admin_username }}"
 password: "{{ admin_password }}"
 project_name: admin
- admin_url: "{{ api_protocol }}://{{ internal_ip }}:35357/v3/"
+ admin_url: "{{ keystone_api_url }}"
 public_url: "{{ keystone_api_url }}"
 internal_url: "{{ api_protocol }}://127.0.0.1:5000/v3/"
 region_name: "RegionOne"
diff --git a/playbooks/roles/bifrost-keystone-install/README.md b/playbooks/roles/bifrost-keystone-install/README.md
index bec702968..8e1f05d7e 100644
--- a/playbooks/roles/bifrost-keystone-install/README.md
+++ b/playbooks/roles/bifrost-keystone-install/README.md
@@ -56,9 +56,9 @@ Below is the full data structure.
 username: admin
 password: ChangeThisPa55w0rd
 project_name: admin
- admin_url: "http://127.0.0.1:35357/v2.0/"
- public_url: "http://127.0.0.1:5000/v2.0/"
- internal_url: "http://127.0.0.1:5000/v2.0/"
+ admin_url: "http://127.0.0.1:5000/v3/"
+ public_url: "http://127.0.0.1:5000/v3/"
+ internal_url: "http://127.0.0.1:5000/v3/"
 region_name: "RegionOne"
 message_queue:
 username: keystone
diff --git a/playbooks/roles/bifrost-keystone-install/defaults/main.yml b/playbooks/roles/bifrost-keystone-install/defaults/main.yml
index bf1270db1..cdce331b6 100644
--- a/playbooks/roles/bifrost-keystone-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-keystone-install/defaults/main.yml
@@ -69,7 +69,7 @@ keystone:
 username: "{{ admin_username }}"
 password: "{{ admin_password }}"
 project_name: admin
- admin_url: "{{ api_protocol }}://{{ internal_ip }}:35357/v3/"
+ admin_url: "{{ keystone_api_url }}"
 public_url: "{{ keystone_api_url }}"
 internal_url: "{{ api_protocol }}://127.0.0.1:5000/v3/"
 region_name: "RegionOne"
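Review bot: With this change `admin_url` and `public_url` both resolve to `{{ keystone_api_url }}`, and nothing next to the value says that the duplication is intentional; the same edit is made in the `bifrost-keystone-install/defaults/main.yml` hunk further down. A comment above the line would help, for example `# Keystone v3 serves admin and public operations from one API (port 5000); the 35357 admin endpoint is deprecated.` The old value was built from `internal_ip`, so a deployment that relied on the admin endpoint being reachable only on the internal address (an inference, since `keystone_api_url` is defined outside these hunks) now depends on Keystone policy alone to restrict admin operations, and the upgrade note could say so. The `keystone:` mapping starts and ends outside the hunk.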
diff --git a/playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2 b/playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2
index 808a8dd51..b8f91984b 100644
--- a/playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2
+++ b/playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2
@@ -15,6 +15,7 @@ server {
 uwsgi_param SCRIPT_NAME '';
 }
 }
+{# TODO(dtantsur): remove the separate admin endpoint after Xena #}
 server {
 {% if enable_tls | bool %}
 listen 35357 ssl;
diff --git a/releasenotes/notes/keystone-admin-9eadd531de3f20ce.yaml b/releasenotes/notes/keystone-admin-9eadd531de3f20ce.yaml
new file mode 100644
index 000000000..2b4735163
--- /dev/null
+++ b/releasenotes/notes/keystone-admin-9eadd531de3f20ce.yaml
@@ -0,0 +1,10 @@
+---
+upgrade:
+ - |
+ The ``admin`` Keystone endpoint will be upgraded from using port 35357
+ (a separate admin API) to use port 5000 (the default Identity API).
+deprecations:
+ - |
+ The separate Keystone admin API (served at port 35357) is deprecated and
+ will be removed in a future release. Please update your applications to
+ refer to port 5000 only for Keystone operations.
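Review bot: The added TODO leaves the port 35357 server block active with no way to switch it off, although the role defaults touched in this commit no longer point any endpoint at it. In the visible TLS branch `listen 35357 ssl;` names no address, so nginx binds it on every interface; for the deprecation period consider wrapping the block in a role-default toggle or binding it to the internal address only. It would also help if the comment named the tracking bug or story, since `after Xena` alone gives no way to find the follow-up. The server block continues past the end of the hunk.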