Comment 4 for bug 1823847

I don't think it will work to have two local rules for one remote rule.

One possibility is to use the any_one_of condition in the remote rules to match particular user names, since you know which users are already local:

https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html#mapping-conditions

Then you could have the first rule match on those usernames, and the second rule be a catch-all for the rest. Would that work for you?