Thanks for the detailed bug report, I've managed to reproduce the issue.
The problem is not that the entries are duplicated in list output, that is just a symptom. The problem is that an ephemeral federated user is ending up being created in the local_user table, which should never happen. In this case, it's because your mapping has the "email" property in the user, and it's hitting this case:
It's running the update_user method on the identity sql driver. Even though the local user doesn't exist, since it's running against the user table, it successfully finds the shadow user:
Thanks for the detailed bug report, I've managed to reproduce the issue.
The problem is not that the entries are duplicated in list output, that is just a symptom. The problem is that an ephemeral federated user is ending up being created in the local_user table, which should never happen. In this case, it's because your mapping has the "email" property in the user, and it's hitting this case:
https:/ /opendev. org/openstack/ keystone/ src/commit/ f9a086e16599123 fba8a12c1c06bec 73565a0ebc/ keystone/ identity/ core.py# L1419-L1422
It's running the update_user method on the identity sql driver. Even though the local user doesn't exist, since it's running against the user table, it successfully finds the shadow user:
https:/ /opendev. org/openstack/ keystone/ src/commit/ f9a086e16599123 fba8a12c1c06bec 73565a0ebc/ keystone/ identity/ backends/ sql.py# L206
but then for some reason recreates the record in the local_user table:
https:/ /opendev. org/openstack/ keystone/ src/commit/ f9a086e16599123 fba8a12c1c06bec 73565a0ebc/ keystone/ identity/ backends/ sql.py# L210
So we'll need to fix that, rather than filter the output.
(For anyone else trying to reproduce this, it helps to disable keystone caching, otherwise the issue only appears intermittently.)