Comment 2 for bug 1828783

The vague error message from keystone is intentional. We can't give more details about the cause of the failed authentication or authorization issue without exposing information an attacker could use to target the system.

If you are in a non-production test environment, you can set [DEFAULT]/insecure_debug to true in keystone which will provide proper error messages and allow you to debug your mapping while you are setting it up, but you must disable it before moving to production for the above reasons.