Unfortunately the "local" type within the "local" section is not a matching rule. Only the keys in the "remote" section are matched, then they are mapped to attributes in the "local" section. If the user doesn't exist already in keystone, but still matches the remote rule '"type": "HTTP_GROUPS","any_one_of": [ "consumers" ]', it will be mapped to the first case, and then expect there to already be a local user. The matching can only be done based on remote attributes, not on local attributes.
Unfortunately the "local" type within the "local" section is not a matching rule. Only the keys in the "remote" section are matched, then they are mapped to attributes in the "local" section. If the user doesn't exist already in keystone, but still matches the remote rule '"type": "HTTP_GROUPS" ,"any_one_ of": [ "consumers" ]', it will be mapped to the first case, and then expect there to already be a local user. The matching can only be done based on remote attributes, not on local attributes.