Shibboleth doesn't recognize keystone IdP metadata

I have found that keystone to keystone (k2k) federation does not work in MOS 9.0

I have tested this configuration in MOS9.0 and in Devstack and I have the same errors.

How to reproduce:
1. Deploy two MOS 9.0 environments
Configure the first environment as follows (Keystone Idp):
2.1 Install the packages:
# sudo apt-get install xmlsec1
# sudo apt-get install python-pysaml2
2.2 Switch API to v3
echo export OS_AUTH_URL='http://192.168.122.124:5000/v3/' >> openrc
echo export OS_IDENTITY_API_VERSION=3 >> openrc
source openrc
2.3 Add the following line into /etc/keystone/keystone.conf:
certfile=/etc/keystone/ssl/certs/ca.pem
keyfile=/etc/keystone/ssl/private/cakey.pem
idp_entity_id=http://192.168.122.124:5000/v3/OS-FEDERATION/saml2/idp
idp_sso_endpoint=http://192.168.122.124:5000/v3/OS-FEDERATION/saml2/sso
idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml
idp_organization_name = Mirantis
idp_organization_display_name = Mirantis Inc
idp_organization_url = http://mirantis.com/
2.4 Add the following lines into /etc/keystone/keystone-paste.ini:
[filter:federation_extension]
use = egg:keystone#federation_extension
[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension federation_extension service_v3
2.5 keystone-manage db_sync --extension federation
2.6 Generate the IdP metadata:
keystone keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml
chown keystone:keystone /etc/keystone/saml2_idp_metadata.xml
2.7 Generate ssl:
keystone-manage pki_setup --rebuild --keystone-user keystone --keystone-group keystone
keystone-manage ssl_setup --rebuild --keystone-user keystone --keystone-group keystone
2.8 Restart Apache:
service apache2 restart

3. Configure the secondary environment as follows (Keystone SP):
3.1 Install Shibboleth module:
sudo apt-get install libapache2-mod-shib2
3.2 Add the following line into /etc/apache2/sites-enabled/05-keystone_wsgi_main.conf:
<VirtualHost 192.168.122.175:5000>
   …
   WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/lib/cgi-bin/keystone/keystone-public
   <Location /Shibboleth.sso>
      SetHandler shib
   </Location>
   <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
      ShibRequestSetting requireSession 1
      AuthType shibboleth
      ShibExportAssertion Off
      Require valid-user
   </LocationMatch>
3.3 Add the following lines into /etc/keystone/keystone.conf:
[auth]
methods = external,password,token,oauth1,saml2
saml2 = keystone.auth.plugins.mapped.Mapped
[saml2]
remote_id_attribute = Shib-Identity-Provider
[federation]
trusted_dashboard = http://192.168.122.175/horizon/auth/websso/
sso_callback_template = /etc/keystone/sso_callback_template.html
3.4 Configure Shibboleth SP.
Add the following lines into /etc/shibboleth/attribute-map.xml:
<Attribute name="openstack_user" id="openstack_user"/>
<Attribute name="openstack_roles" id="openstack_roles"/>
<Attribute name="openstack_project" id="openstack_project"/>
<Attribute name="openstack_user_domain" id="openstack_user_domain"/>
<Attribute name="openstack_project_domain" id="openstack_project_domain"/>
3.5 Edit the /etc/shibboleth/shibboleth2.xml file as follows:
<ApplicationDefaults entityID="http://192.168.122.124/identity">
    <SSO ECP="true" entityID="http://192.168.122.124:5000/v3/OS-FEDERATION/saml2/idp">
         SAML2 SAML1
    </SSO>
    <MetadataProvider type="XML" uri="http://192.168.122.124:5000/v3/OS-FEDERATION/saml2/metadata"/>
3.6 Start services:
sudo shib-keygen -y 10
sudo apache2 restart
sudo sudo a2enmod shib2

4. Configure IdP and SP in keystone:
4.1 Create mapping.json
[
  {
       "local": [
           {
               "group": {
                   "id": "federated"
               }
           }
       ],
       "remote": [
           {
               "type": "openstack_user",
               "any_one_of": [
                        "user1",
                        "admin"
               ]
           }
       ]
   }
]

4.2 Register group and mapping on Keystone.SP
openstack group create federated
openstack project create demo
openstack role add _member_ --group federated --project demo
openstack identity provider create idp1
openstack identity provider
openstack identity provider set --help
openstack identity provider set --remote-id http://192.168.122.124:5000/v3/OS-FEDERATION/identity_providers/idp1 idp1
openstack identity provider show idp1
openstack mapping create idp1_mapping --rules mapping1.json
openstack federation protocol create saml2 --identity-provider idp1 --mapping idp1_mapping
4.3 Add the following into /etc/openstack-dashboard/local_settings.py
WEBSSO_ENABLED = True
WEBSSO_CHOICES = (
  ("credentials", _("Keystone Credentials")),
  ("saml2", _("TestShib Identity")))
WEBSSO_INITIAL_CHOICE = "saml2"
OPENSTACK_API_VERSIONS={"identity":3}
OPENSTACK_KEYSTONE_URL = "http://192.168.122.154:5000/v3"
4.4 Restart apache
service apache2 restart
4.5 Create service provider in Keystone.IDP
openstack service provider create --auth-url http://192.168.122.175:5000/v3/OS-FEDERATION/identity_providers/idp1/protocols/saml2/auth --service-provider-url http://192.168.122.175:5000/Shibboleth.sso/SAML2/ECP —enable sp1

When we open Horizon and choose SAML, we get the following error:
2016-09-21 21:39:34 INFO Shibboleth.Listener : listener service starting
2016-09-21 22:04:47 WARN Shibboleth.SessionInitiator.SAML2 [1]: unable to locate compatible SSO service for provider (http://192.168.122.124:5000/v3/OS-FEDERATION/saml2/idp)
2016-09-21 22:04:47 INFO Shibboleth.SessionInitiator.Shib1 [1]: unable to locate Shibboleth-aware identity provider role for provider (http://192.168.122.124:5000/v3/OS-FEDERATION/saml2/idp)