From bad4bf928d57806033d53bab1e7cc766b0d8eef0 Mon Sep 17 00:00:00 2001
From: Marek Denis <marek.denis@cern.ch>
Date: Wed, 23 Jul 2014 12:09:43 +0200
Subject: [PATCH] Enforce authenticated=False in saml2 plugin

All underlying HTTP calls executed via ``keystoneclient.session.Session``
object should have ``authenticated=False`` option enforced indicating the
plugin is not authenticated with the Identity Service yet.

Change-Id: I946f1ed6a55c4172d8f4bf6a24e5cbc3a00d1154
---
 keystoneclient/contrib/auth/v3/saml2.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/keystoneclient/contrib/auth/v3/saml2.py b/keystoneclient/contrib/auth/v3/saml2.py
index 947c1e78..be2b482f 100644
--- a/keystoneclient/contrib/auth/v3/saml2.py
+++ b/keystoneclient/contrib/auth/v3/saml2.py
@@ -137,7 +137,8 @@ class Saml2UnscopedToken(v3.AuthConstructor):
             return response
 
         location = response.headers['location']
-        return session.request(location, method, **kwargs)
+        return session.request(location, method, authenticated=False,
+                               **kwargs)
 
     def _first(self, _list):
         if len(_list) != 1:
@@ -244,7 +245,8 @@ class Saml2UnscopedToken(v3.AuthConstructor):
             self.identity_provider_url,
             headers={'Content-type': 'text/xml'},
             data=etree.tostring(idp_saml2_authn_request),
-            requests_auth=(self.username, self.password))
+            requests_auth=(self.username, self.password),
+            authenticated=False)
 
         try:
             self.saml2_idp_authn_response = etree.XML(idp_response.content)