Thanks for asking, Lance. 
Yep. The steps are used to create SSO (Single Sign on) for using Google Account to login on OpenStack. 
The steps seem not a few. They are as below. 

[Environment] CentOS 7.3 

1. Login on "Google Developers Console", and set up your own project, which is a "web application". 
   Note: 
   1> After the project is created successfully, write down the "client ID" and "client secret". They will be used later. 
   2> Set "http://demo.sso.org:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect" to "the authorized redirected URL"
   
2. Set up a PackStack. 

3. Run the commands below in the PackStack: 
   
   source ~/keystonerc_admin
   openstack group create --domain default --description "Federation User Group" federation_group
   openstack project create --domain default --description "Federation Demo Project" federation_demo_project
   openstack role add --domain default --group federation_group admin
   openstack role add --project federation_demo_project --group federation_group admin
   openstack identity provider create google --remote-id https://accounts.google.com
   
   cat > /tmp/google-mapping-rules.json <<EOF
[
    {
        "local": [
            {
                "group": {
                    "id": "xxx"  # Note, this is the group id created by the second command above
                }
            }
        ],
 
        "remote": [
            {
                "type": "HTTP_OIDC_ISS",
                "any_one_of": [
                    "https://accounts.google.com"
                ]
            }
        ]
    }
]
EOF

   openstack mapping create google-idp-mapping --rules ./google-mapping-rules.json
   openstack federation protocol create oidc --identity-provider google --mapping google-idp-mapping
   
4. Append/Add the following to the proper section of /etc/keystone.conf 

    [auth]
    # Allowed authentication methods. (list value)
    methods = external,password,token,oauth1,oidc
    oidc = keystone.auth.plugins.mapped.Mapped

    [federation]
    # Value to be used to obtain the entity ID of the Identity Provider from the
    # environment (e.g. if using the mod_shib plugin this value is `Shib-Identity-
    # Provider`). (string value)
    remote_id_attribute = HTTP_OIDC_ISS
    trusted_dashboard = http://demo.sso.org/dashboard/auth/websso/

5. Install mod_auth_openidc module for Apache
   Commands are like below: 
   
    wget https://github.com/pingidentity/mod_auth_openidc/releases/download/v2.3.0/cjose-0.5.1-1.el7.centos.x86_64.rpm
    wget https://github.com/pingidentity/mod_auth_openidc/releases/download/v2.3.0/mod_auth_openidc-2.3.0-1.el7.centos.x86_64.rpm
    wget http://springdale.math.ias.edu/data/puias/unsupported/6/x86_64/hiredis-0.12.1-1.sdl6.x86_64.rpm

    yum localinstall -y ./cjose-0.5.1-1.el7.centos.x86_64.rpm
    yum localinstall -y ./hiredis-0.12.1-1.sdl6.x86_64.rpm
    yum localinstall -y ./mod_auth_openidc-2.3.0-1.el7.centos.x86_64.rpm
    
6. Add the following content to /etc/httpd/conf.d/10-keystone_wsgi_main.conf

    <VirtualHost *:5000>
        ...
        
        OIDCClaimPrefix "OIDC-"
        OIDCResponseType "id_token"
        OIDCScope "openid email profile"
        OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
        OIDCClientID 414761336251-rd0s8re8lof053658g0eaphlho82kutv.apps.googleusercontent.com
        OIDCClientSecret oofUOIsUaGcqXb-i9Wy-zLKG
        OIDCCryptoPassphrase openstack
        OIDCRedirectURI http://demo.sso.org:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
        <Location ~ "/v3/auth/OS-FEDERATION/websso/oidc">
            AuthType openid-connect
            Require valid-user
            LogLevel debug
        </Location>
        
        ...
    </VirtualHost> 
    
7. Append the following to /etc/openstack-dashboard/local_settings

    # Enables keystone web single-sign-on if set to True.
    WEBSSO_ENABLED = True
    WEBSSO_CHOICES = (
     ("credentials", _("Keystone Credentials")),
     ("oidc", _("OpenID Connect"))
    )
    WEBSSO_INITIAL_CHOICE = "credentials"
    
8. Run: 
    systemctl restart httpd
    
9. Configure the hosts file your laptop (the client to access OpenStack)
   For example, if it's Windows, then modify C:\Windows\System32\drivers\etc\hosts 
   Add the following line:
   
   <the OpenStack Controller node IP>  demo.sso.org

    
10. Use your favourate web browser to access http://demo.sso.org 

Then, keep watching /var/log/keystone/keystone.log, you will find a KeyError about user['name'] will be raised when you try to access OpenStack via your Google account.