Comment 4 for bug 1694589

I am still unable to create this the directions supplied in the description. I started with a fresh installation and did the following:

1.) installed keystone from source @ 239bc3627cfb0546148e9d496f9e1536057052a7
2.) recreated the database and populated it with data
3.) source the administrator's account

$ source rcfiles/adminrc
$ cat rcfiles/adminrc
export OS_AUTH_URL=http://127.0.0.1:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_PROJECT_NAME=admin
export OS_DEFAULT_DOMAIN=default

4.) created a federated domain

$ openstack domain create federated_domain
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| enabled | True |
| id | 50dfec355794433f8c88fdc69b836d25 |
| name | federated_domain |
+-------------+----------------------------------+

5.) created a group for federated users

$ openstack group create federated_users
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| id | c309cb3466854b61b6616fa68694040f |
| name | federated_users |
+-------------+----------------------------------+

6.) granted the federated group the admin role on the federated domain

$ openstack role add --group federated_users --domain federated_domain admin
$ openstack role assignment list -f yaml --names
- Domain: ''
  Group: ''
  Inherited: false
  Project: admin@Default
  Role: admin
  User: admin@Default
- Domain: federated_domain
  Group: federated_users@Default
  Inherited: false
  Project: ''
  Role: admin
  User: ''

7.) created an identity provider

$ openstack identity provider create --remote-id https://accounts.google.com myidp
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | 6079116d115d407a94bb6ad109305e43 |
| enabled | True |
| id | myidp |
| remote_ids | https://accounts.google.com |
+-------------+----------------------------------+

8.) created a mapping

$ cat rules.json
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "group": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "federated_users"
                }
            }
        ],
        "remote": [
            {
                "type": "HTTP_OIDC_EMAIL"
            }
        ]
    }
]
$ openstack mapping create --rules rules.json myidp_mapping
+-------+--------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------+--------------------------------------------------------------------------------------------------------------------------+
| id | myidp_mapping |
| rules | [{u'remote': [{u'type': u'HTTP_OIDC_EMAIL'}], u'local': [{u'group': {u'domain': {u'name': u'Default'}, u'name': |
| | u'federated_users'}, u'user': {u'name': u'{0}'}}]}] |
+-------+--------------------------------------------------------------------------------------------------------------------------+

9.) create a protocol

$ openstack federation protocol create mapped --mapping myidp_mapping --identity-provider myidp
+-------------------+---------------+
| Field | Value |
+-------------------+---------------+
| id | mapped |
| identity_provider | myidp |
| mapping | myidp_mapping |
+-------------------+---------------+

I was able to delete and recreate the mapping without issue. Is there something in a separate rules file when creating the second mapping?

Marking this as invalid for now. Please feel free to reopen if there is more information that helps clarify how to recreate this.