I am still unable to create this with the directions supplied in the description. I started with a fresh installation and did the following:

1.) installed keystone from source @ 239bc3627cfb0546148e9d496f9e1536057052a7

2.) recreated the database and populated it with data

3.) source the administrator's account

    $ source rcfiles/adminrc
    $ cat rcfiles/adminrc
    export OS_AUTH_URL=http://127.0.0.1:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_USERNAME=admin
    export OS_PASSWORD=password
    export OS_PROJECT_NAME=admin
    export OS_DEFAULT_DOMAIN=default

4.) created a federated domain

    $ openstack domain create federated_domain
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description |                                  |
    | enabled     | True                             |
    | id          | 50dfec355794433f8c88fdc69b836d25 |
    | name        | federated_domain                 |
    +-------------+----------------------------------+

5.) created a group for federated users

    $ openstack group create federated_users
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description |                                  |
    | domain_id   | default                          |
    | id          | c309cb3466854b61b6616fa68694040f |
    | name        | federated_users                  |
    +-------------+----------------------------------+

6.) granted the federated group the admin role on the federated domain

    $ openstack role add --group federated_users --domain federated_domain admin
    $ openstack role assignment list -f yaml --names
    - Domain: ''
      Group: ''
      Inherited: false
      Project: admin@Default
      Role: admin
      User: admin@Default
    - Domain: federated_domain
      Group: federated_users@Default
      Inherited: false
      Project: ''
      Role: admin
      User: ''

7.) created an identity provider

    $ openstack identity provider create --remote-id https://accounts.google.com myidp
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | None                             |
    | domain_id   | 6079116d115d407a94bb6ad109305e43 |
    | enabled     | True                             |
    | id          | myidp                            |
    | remote_ids  | https://accounts.google.com      |
    +-------------+----------------------------------+

8.) created a mapping

    $ cat rules.json
    [
        {
            "local": [
                {
                    "user": {
                        "name": "{0}"
                    },
                    "group": {
                        "domain": {
                            "name": "Default"
                        },
                        "name": "federated_users"
                    }
                }
            ],
            "remote": [
                {
                    "type": "HTTP_OIDC_EMAIL"
                }
            ]
        }
    ]
    $ openstack mapping create --rules rules.json myidp_mapping
    +-------+--------------------------------------------------------------------------------------------------------------------------+
    | Field | Value                                                                                                                    |
    +-------+--------------------------------------------------------------------------------------------------------------------------+
    | id    | myidp_mapping                                                                                                            |
    | rules | [{u'remote': [{u'type': u'HTTP_OIDC_EMAIL'}], u'local': [{u'group': {u'domain': {u'name': u'Default'}, u'name':          |
    |       | u'federated_users'}, u'user': {u'name': u'{0}'}}]}]                                                                      |
    +-------+--------------------------------------------------------------------------------------------------------------------------+

9.) create a protocol

    $ openstack federation protocol create mapped --mapping myidp_mapping --identity-provider myidp
    +-------------------+---------------+
    | Field             | Value         |
    +-------------------+---------------+
    | id                | mapped        |
    | identity_provider | myidp         |
    | mapping           | myidp_mapping |
    +-------------------+---------------+

I was able to delete and recreate the mapping without issue. Is there something in a separate rules file when creating the second mapping?

Marking this as invalid for now. Please feel free to reopen if there is more information that helps clarify how to recreate this.