Could Tyk be configured to support Keystone identity provider and use Tyk to manage users and projects in Keystone? I note that Keystone makes use of SAML2. If possible, having an API gateway in front of OpenStack and exposing API endpoints based on one’s own release schedule would be amazing.
You could look into our Tyk Identity Broker, which is designed so that pluggable front-ends can be added to it that perform various actions inside a Tyk stack such as token creation. You could add a SAML2 validator or a Keystone-compatible API identity provider that validates a request against Keystone and then trades the validation for a valid Tyk key.
This would be the simplest thing to do to get Keystone to provide credentials to Tyk (Dashboard, Portal or tokens). Actually remoting Keystone from within Tyk might be a little trickier.
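The validate-then-trade flow described in the answer above, as an added sketch that is not part of the original posts and is not Tyk Identity Broker code. It assumes Keystone's v3 token validation call (`GET /v3/auth/tokens`) and the Tyk Gateway key-creation API (`POST /tyk/keys/create`); the `http` callable, the `CFG` values and `fake_http` are hypothetical stand-ins constructed so the example runs offline.

```python
import json
from datetime import datetime, timezone

def keystone_validate(http, cfg, subject_token):
    """Ask Keystone v3 whether subject_token is valid; fail closed otherwise."""
    hdrs = {"X-Auth-Token": cfg["service_token"], "X-Subject-Token": subject_token}
    status, body = http("GET", cfg["keystone_url"] + "/v3/auth/tokens", hdrs, None)
    if status != 200:
        raise PermissionError(f"Keystone rejected the token (HTTP {status})")
    return json.loads(body)["token"]

def tyk_session_for(token, cfg, now=None):
    """Build a Tyk session object that never outlives the Keystone token."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromisoformat(token["expires_at"].replace("Z", "+00:00"))
    if expires <= now:
        raise PermissionError("Keystone token already expired")
    return {
        "org_id": cfg["org_id"],
        "apply_policies": [cfg["policy_id"]],  # access rights and limits come from the policy
        "expires": int(expires.timestamp()),   # key expiry pinned to the Keystone expiry
        "meta_data": {"keystone_user": token["user"]["id"],
                      "keystone_project": token.get("project", {}).get("id")},
    }

def exchange(http, cfg, subject_token):
    """Trade a validated Keystone token for a Tyk key; returns the key string."""
    session = tyk_session_for(keystone_validate(http, cfg, subject_token), cfg)
    status, body = http("POST", cfg["tyk_url"] + "/tyk/keys/create",
                        {"x-tyk-authorization": cfg["tyk_secret"]}, json.dumps(session))
    if status != 200:
        raise RuntimeError(f"Tyk key creation failed (HTTP {status})")
    return json.loads(body)["key"]

# Constructed placeholders, not real endpoints or secrets.
CFG = {"keystone_url": "https://keystone.example:5000", "service_token": "SERVICE-TOKEN",
       "tyk_url": "https://tyk.example:8080", "tyk_secret": "TYK-SECRET",
       "org_id": "ORG-ID", "policy_id": "POLICY-ID"}

def fake_http(method, url, headers, body):
    """Offline stand-in for both services, returning constructed responses."""
    if url.endswith("/v3/auth/tokens"):
        if headers["X-Subject-Token"] != "valid-token":
            return 404, "{}"
        return 200, json.dumps({"token": {"expires_at": "2099-01-01T00:00:00.000000Z",
                                          "user": {"id": "u1"}, "project": {"id": "p1"}}})
    return 200, json.dumps({"key": "tyk-key-1", "status": "ok", "action": "added"})

if __name__ == "__main__":
    print(exchange(fake_http, CFG, "valid-token"))
```

Pinning the key's `expires` to the Keystone token's `expires_at` means revoking or expiring the identity in Keystone bounds how long the traded Tyk key stays usable.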