diff --git a/keystone/auth/plugins/external.py b/keystone/auth/plugins/external.py
index 67b1100167..c00c5cff35 100644
--- a/keystone/auth/plugins/external.py
+++ b/keystone/auth/plugins/external.py
@@ -57,8 +57,9 @@ def authenticate(self, context, auth_info, auth_context):
 auth_context is an in-out variable that will be updated with the username from the REMOTE_USER environment variable.
- If REMOTE_USER contains an `@` assume that the substring before the @
- is the username, and the substring after the @ is the domain name.
+ If REMOTE_USER contains an `@` assume that the substring before the
+ rightmost `@` is the username, and the substring after the @ is the
+ domain name.
 """
 try:
 REMOTE_USER = context['REMOTE_USER']
@@ -66,7 +67,7 @@ def authenticate(self, context, auth_info, auth_context):
 msg = _('No authenticated user')
 raise exception.Unauthorized(msg)
 try:
- names = REMOTE_USER.split('@')
+ names = REMOTE_USER.rsplit('@', 1)
 username = names.pop(0)
 if names:
 domain_name = names[0]
diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
index 358b286cce..0b4248dc32 100644
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
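Review bot: In keystone/auth/plugins/external.py (second hunk), `names = REMOTE_USER.rsplit('@', 1)` still cannot tell a realm-qualified value from a bare user name that itself contains `@`: if the front end passes `myname@mydivision` without a realm, it is parsed as user `myname` in domain `mydivision`. The visible lines also accept an empty half (`name@` yields `domain_name == ''`, `@realm` yields an empty `username`); whether later code rejects these cannot be seen, because `authenticate` continues past the hunk. I would state the requirement in the docstring touched by the first hunk, e.g. `REMOTE_USER must always carry the realm when user names may contain '@'.`, and refuse empty parts right after the split with `if not username or (names and not names[0]): raise exception.Unauthorized(_('Malformed REMOTE_USER'))`.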
@@ -856,7 +856,18 @@ def test_remote_user_with_realm(self):
 api = auth.controllers.Auth()
 context = {'REMOTE_USER': '%s@%s' % (self.user['name'], self.domain['name'])}
- auth_info = auth.controllers.AuthInfo(None, auth_data)
+ auth_info = auth.controllers.AuthInfo(context, auth_data)
+ auth_context = {'extras': {}, 'method_names': []}
+ api.authenticate(context, auth_info, auth_context)
+ self.assertEqual(auth_context['user_id'], self.user['id'])
+
+ # Now test to make sure the user name can, itself, contain the
+ # '@' character.
+ user = {'name': 'myname@mydivision'}
+ self.identity_api.update_user(self.user['id'], user)
+ context = {'REMOTE_USER': '%s@%s' %
+ (user['name'], self.domain['name'])}
+ auth_info = auth.controllers.AuthInfo(context, auth_data)
 auth_context = {'extras': {}, 'method_names': []}
 api.authenticate(context, auth_info, auth_context)
 self.assertEqual(auth_context['user_id'], self.user['id'])
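Review bot: The block added to `test_remote_user_with_realm` checks only the accepted form; nothing asserts that a malformed REMOTE_USER is refused. Since this parsing decides which identity an externally authenticated request maps to, I would add negative cases next to it: a value ending in `@`, and a `name@realm` whose realm is not a known domain. Each would be checked with `self.assertRaises(exception.Unauthorized, api.authenticate, context, auth_info, auth_context)`. The expected exception type is inferred from the plugin's other error path, and `exception` must be imported in the test module if it is not already. The test method starts above the hunk, so `auth_data` and the fixture setup are not visible here.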