Enforce authenticated=False in saml2 plugin

All underlying HTTP calls executed via ``keystoneclient.session.Session``
object should have ``authenticated=False`` option enforced indicating the
plugin is not authenticated with the Identity Service yet.

Change-Id: I946f1ed6a55c4172d8f4bf6a24e5cbc3a00d1154

keystoneclient/contrib/auth/v3/saml2.py

@@ -137,7 +137,8 @@ class Saml2UnscopedToken(v3.AuthConstructor):
             return response
 
         location = response.headers['location']
-        return session.request(location, method, **kwargs)
+        return session.request(location, method, authenticated=False,
+                               **kwargs)
 
     def _first(self, _list):
         if len(_list) != 1:
@@ -244,7 +245,8 @@ class Saml2UnscopedToken(v3.AuthConstructor):
             self.identity_provider_url,
             headers={'Content-type': 'text/xml'},
             data=etree.tostring(idp_saml2_authn_request),
-            requests_auth=(self.username, self.password))
+            requests_auth=(self.username, self.password),
+            authenticated=False)
 
         try:
             self.saml2_idp_authn_response = etree.XML(idp_response.content)