When authenticating a user via federation, a federated_user entry is created in keystone's database, an example of such entry is below:
mysql> select * from federated_user;
+----+----------------------------------+----------+-------------+-----------------------+---------------------+
| id | user_id | idp_id | protocol_id | unique_id | display_name |
+----+----------------------------------+----------+-------------+-----------------------+---------------------+
| 1 | 15ddf8fda20842c68b99999b6d91d1a7 | testshib | mapped | myself%40testshib.org | <email address hidden> |
+----+----------------------------------+----------+-------------+-----------------------+---------------------+
The federated_user_protocol_id foreign key prevents the protocol deletion:
Details: An unexpected error prevented the server from fulfilling your request: (pymysql.err.IntegrityError) (1451, u'Cannot delete or update a parent row: a foreign key constraint fails (`keystone`.`federated_user`, CONSTRAINT `federated_user_protocol_id_fkey` FOREIGN KEY (`protocol_id`, `idp_id`) REFERENCES `federation_protocol` (`id`, `idp_id`))') [SQL: u'DELETE FROM federation_protocol WHERE federation_protocol.id = %(id)s AND federation_protocol.idp_id = %(idp_id)s'] [parameters: {'idp_id': u'testshib', 'id': u'mapped'}]
This can be also happening with the "idp_id" column as well.
This prevents automated tests like [1] to properly work, since it creates and destroys the identity provider, mapping and protocol during its execution.
[1] https://review.openstack.org/#/c/324769/
I would expect that the shadow user table would refer to the protocol via that key. In order to delete the protocol, we would need to delete all the entries that came in via that protocol. This should be possible with a cascading delete. But we might need to make this deliberate inside the Keystone Federation code.