Comment 7 for bug 1750843

Lance Bragstad (lbragstad) wrote :

The usage of the PySAML2 library in keystone is isolated to a single module dedicated to identity provider functionality [0], which would make sense if we're dealing with SAML assertions. From what I can tell after briefly refreshing myself with the code, we use the library to generate SAML assertions based on a user's token. Instead of authenticating for a token, a user authenticates *with* a token for a SAML assertion they can give to a service provider (e.g. keystone-to-keystone federation).

From what I can tell, and consulting with other keystone developers who are more familiar with this area of the code, it is a POST call used for authentication that only requires the ID of a token [1].

Regardless, it doesn't sound like upgrading the requirement would hurt?

[0] https://github.com/openstack/keystone/blob/8948050c03252853d406ddea157633550cb639e4/keystone/federation/idp.py
[1] https://developer.openstack.org/api-ref/identity/v3-ext/index.html#generate-a-saml-assertion