diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index 887e59ea00..1945142c48 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -234,6 +234,7 @@ keystone_enable_federation_openid: "{{ enable_keystone_federation | bool and key
 keystone_should_remove_attribute_mappings: False
 keystone_should_remove_identity_providers: False
 keystone_federation_oidc_response_type: "id_token"
+keystone_federation_oidc_claim_delimiter: ";"
 keystone_federation_oidc_scopes: "openid email profile"
 
 # OIDC caching
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index 26ffe493e9..d8db570257 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -59,7 +59,7 @@ LogLevel info
 {% if keystone_enable_federation_openid | bool %}
  OIDCClaimPrefix "OIDC-"
- OIDCClaimDelimiter ";"
+ OIDCClaimDelimiter "{{ keystone_federation_oidc_claim_delimiter }}"
  OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
  OIDCScope "{{ keystone_federation_oidc_scopes }}"
  OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }}
diff --git a/releasenotes/notes/fix-hardcoded-oidc-claim-delimiter-06ca81b1fce0eba7.yaml b/releasenotes/notes/fix-hardcoded-oidc-claim-delimiter-06ca81b1fce0eba7.yaml
new file mode 100644
index 0000000000..4de0a0dfe9
--- /dev/null
+++ b/releasenotes/notes/fix-hardcoded-oidc-claim-delimiter-06ca81b1fce0eba7.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+ - |
+ Fixes an issue with setting up OIDC based Keystone federation against IDP
+ where there are multiple OIDC groups that are separated by a custom
+ delimiter.
+ Add a variable ``keystone_federation_oidc_claim_delimiter`` to set the
+ custom value.
+ `LP#2080394 `__
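Review bot: The added default `keystone_federation_oidc_claim_delimiter: ";"` carries no comment saying what it controls, and an operator reading defaults/main.yml has to open the template to find out that it is rendered into the `OIDCClaimDelimiter` directive. Suggest a comment directly above it: `# Separator mod_auth_openidc places between the values of a multi-valued OIDC claim (e.g. groups); rendered into OIDCClaimDelimiter in wsgi-keystone.conf.j2.` Quoting the value is right here, since an unquoted `;` or similar punctuation is exactly the kind of scalar a YAML parser can misread, and the neighbouring keystone_federation_oidc_* defaults are quoted the same way. If mod_auth_openidc only accepts a single character for this directive, the comment should say so as well; that limit is not visible from this hunk and should be confirmed against the module's documentation.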
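Review bot: `OIDCClaimDelimiter "{{ keystone_federation_oidc_claim_delimiter }}"` substitutes the variable into a double-quoted Apache directive with no escaping, so a value containing `"`, whitespace or a newline breaks the directive, and because this file is httpd's own configuration the remainder of such a value would be parsed as further directives rather than rejected. The value is operator-supplied, so this is a robustness and early-failure concern rather than an exposure, but the role should validate it before templating, for example an `assert` task with `that: keystone_federation_oidc_claim_delimiter | length == 1` (or a stricter character allow-list) and a `fail_msg` naming the variable, so a bad setting fails the playbook instead of leaving httpd unable to start. Whether mod_auth_openidc accepts more than one character here is not visible from the hunk; confirm before pinning the length. The enclosing `{% if keystone_enable_federation_openid | bool %}` block continues past the end of the hunk.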