Comment 2 for bug 1541657

Bogdan (bogdan-vatkov) wrote :

Here is how I created it:

Add the IdP:
~~~
# curl -k -H "X-Auth-Token: $OS_TOKEN" -X PUT https://myhost:5000/v3/OS-FEDERATION/identity_providers/my.idp.com -H "Content-Type: application/json" -d '{ "identity_provider": { "description": "My IDS","remote_ids": ["my.idp.com"],"enabled": true }}'
~~~

Add protocol for the my.idp.com provider:
~~~
# curl -k -H "X-Auth-Token: $OS_TOKEN" -X PUT https://myhost:5000/v3/OS-FEDERATION/identity_providers/my.idp.com/protocols/saml2 -H "Content-Type: application/json" -d '{"protocol": { "mapping_id": "saml_mapping"}}'
~~~

Create a group:
~~~
# openstack group create samlusers
~~~

Create a role assignment for a role + project + group combination:
~~~
# openstack role add --project MY_PROJECT --group samlusers _member_
~~~

Obtain the group id:
~~~
# group_id=`openstack group list|grep samlusers|awk '{print $2}'`
~~~

Prepare federation mapping rules configuration:
~~~
# cat > add-mapping.json
[
  {
    "local": [
      {
        "user": {
          "name": "{0}",
          "domain": {"name": "Default"}
        }
      },
      {
        "group": {
          "id": "GROUP_ID"
        }
      }
    ],
    "remote": [
      {
        "type": "REMOTE_USER"
      }
    ]
  }
]
(Press CTRL+D)
~~~

Add the group id to the mapping config:
~~~
# cat add-mapping.json|sed s^GROUP_ID^$group_id^ > /tmp/mapping.json
~~~

Create the federation mapping:
~~~
# openstack mapping create --rules /tmp/mapping.json saml_mapping
~~~

Create the federation protocol with the proper mapping:
~~~
# openstack federation protocol create --identity-provider my.idp.com --mapping saml_mapping saml2
~~~
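To see what the mapping rule above actually grants once a federated user arrives, here is a small Python model of Keystone's direct-mapping evaluation run over that exact rule. It is an added example, not Bogdan's commands or Keystone's own code: the group id is a constructed stand-in for the one the `openstack group list` step fetches, and conditional matching (`any_one_of`, `not_any_of`, regex) is deliberately not modelled.

```python
import json

# Constructed sample group id standing in for the value that the comment's
# "openstack group list" step fetches; not a real deployment's id.
SAMPLE_GROUP_ID = "c0ffee00constructed00000000000001"

# The mapping rule from the comment, with GROUP_ID substituted the same
# way the sed step does before "openstack mapping create".
MAPPING_RULES = json.loads("""
[
  {
    "local": [
      {"user": {"name": "{0}", "domain": {"name": "Default"}}},
      {"group": {"id": "GROUP_ID"}}
    ],
    "remote": [{"type": "REMOTE_USER"}]
  }
]
""".replace("GROUP_ID", SAMPLE_GROUP_ID))


def _substitute(obj, values):
    """Fill {0}, {1}, ... in every string of obj with the remote values."""
    if isinstance(obj, dict):
        return {k: _substitute(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, values) for v in obj]
    if isinstance(obj, str):
        return obj.format(*values)
    return obj


def apply_mapping(rules, assertion):
    """Simplified Keystone direct-mapping model (no any_one_of/regex):
    a rule applies only when every "remote" attribute is present in the
    assertion, and the values fill the {n} placeholders of "local" in order."""
    identity = {"user": None, "group_ids": []}
    for rule in rules:
        values = []
        for remote in rule["remote"]:
            value = assertion.get(remote["type"])
            if value is None:  # required attribute absent: rule does not apply
                break
            values.append(value)
        else:
            for local in _substitute(rule["local"], values):
                if "user" in local:
                    identity["user"] = local["user"]
                if "group" in local:
                    identity["group_ids"].append(local["group"]["id"])
    return identity
```

Every assertion carrying a `REMOTE_USER` therefore lands in the `samlusers` group and inherits the `_member_` role on `MY_PROJECT`; an assertion without it produces no local identity at all.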