The usage of the PySAML2 library in keystone is isolated to a single module dedicated to identity provider functionality [0], which would make sense if we're dealing with SAML assertions. From what I can tell after briefly refreshing myself with the code, we use the library to generate SAML assertions based on a user's token. Instead of authenticating for a token, a user authenticates *with* a token for a SAML assertion they can give to a service provider (e.g. keystone-to-keystone federation).
From what I can tell, and consulting with other keystone developers who are more familiar with this area of the code, it is a POST call used for authentication that only requires the ID of a token [1].
Regardless, it doesn't sound like upgrading the requirement would hurt?
[0] https://github.com/openstack/keystone/blob/8948050c03252853d406ddea157633550cb639e4/keystone/federation/idp.py
[1] https://developer.openstack.org/api-ref/identity/v3-ext/index.html#generate-a-saml-assertion