PAS enumerateUsers in WebServerAuth and plone.openid

We use Shibboleth for single sign-on with Plone and have been using Products.WebServerAuth to that end for several years. This product is ancient and we have gradually replaced parts of it to suit our specific needs, simplify unneeded configuration, etc. At this point I am looking to replace it entirely with in house plugins and utilities and move any remaining configs needed into portal_registry where it can also be schema based.

My only real hold up is I do not understand what enumerateUsers is trying to do. It has a hell of a docstring. The tests are similarly wacky, to use their own term. I get that it is checking for the method that called it to see if it's getUserById, but I don't understand why. I don't really understand why a custom enumerateUsers would ever be needed (whether they are SSO authenticating or not, they are actual users in Plone) or if this plugin actually does anything at all at this point. Keep in mind some of this was written in 2011 for a very different version of Plone.

I don't use plone.openid but I bring this up because the comments in WSA mention it as an inspiration. That package also has a plugin for enumerateUsers. I took a look at that but understand the purpose there either. This package does seem to have some more recent development so perhaps it is more likely someone can at least explain what it is trying to do.

Try to disable it and see what happen.

Right, there's no immediately obvious difference. But without knowing what this is supposed to do I can't be sure I'm testing areas it affects.

PluggableAuthService (short "PAS") is centered around plugins - associated with interfaces. In such a case, the interface is a primary location to look for documentation.

enumerateUsers belongs to Products.PluggableAuthService.interfaces.plugins.IUserEnumerationPlugin. Look there for a detailed description.