Revert repoze.who for ckanext-saml2

[adborden]

So because of a version conflict, we don't have a single set of dependencies that work for development and production for Inventory. For production, we use saml2 authentication with max.gov which requires repoze.who==1.0.18 and for local development we need user/pass authentication and repoze.who==2.0.

In catalog-app, we basically work around this by installing repoze.who==2.0 for develop, anad repoze.who==1.0.18 for staging/production.

The better fix would be to get off our forks for pysaml2 and ckanext-saml2 and make sure they work with recent versions of repose.who GSA/data.gov#414.

Or, maybe we try to get saml2 working in local develop, but that feels like another work around.

[adborden]

In the short-term, to get CI passing, I think we'll want to install repoze.who==2.0 as part of the development/CI setup.

[adborden]

@jbrown-xentity @FuhuXia what do you think about this work around and the long term fix?

[jbrown-xentity]

So in my mind, this removed the possibility of letting pip overwrite the requirements-freeze.txt file. We would need to do a manual merge so as not to overwrite the comments and the repoze line. I can't think of a better way to manage this currently, just clarifying the process...

[adborden]

Yes, this is true. And this is also the case with catalog-app. I will clarify this in the documentation.

[jbrown-xentity]

Approving per discussion in comments. Will need to manage carefully.

[adborden]

I added a note in the README.