In keystone, when a user gets an unscoped token using a password and their username, the unscoped token response contains a method list. This method list will consist of ['password'], since it was the method used to obtain the token. When the user goes to scope their unscoped token to a project, the project scoped response will contain a method list of ['password', 'token'], since a password was used initially, and the unscoped token was also used as a form of authentication.
In federation, when a user gets an unscoped token from a valid SAML assertion, the unscoped response's method list will consist of ['saml2']. When the user goes to get a project scoped token, the project scoped response's method list will only contain ['saml2']. The 'token' entry is missing from the method list for rescoped federated tokens, despite using an unscoped token as a method of authentication.
This seems to be an inconsistency between the authentication API and the federated authentication API.
I've pushed a patch that exposes this bug here - https://review.openstack.org/#/c/229125/
Marking this as Low because the primary use case for the method list is to convey whether the token is multifactor or not. That's already obscured when the value is "saml2", so adding "token" doesn't add anything meaningful beyond a duplicated audit trail.