We use Shibboleth for single sign-on with Plone and have been using Products.WebServerAuth to that end for several years. This product is ancient and we have gradually replaced parts of it to suit our specific needs, simplify unneeded configuration, etc. At this point I am looking to replace it entirely with in-house plugins and utilities and move any remaining configs needed into portal_registry, where they can also be schema-based.
My only real holdup is that I do not understand what enumerateUsers is trying to do. It has a hell of a docstring. The tests are similarly wacky, to use their own term. I get that it is checking for the method that called it to see if it's getUserById, but I don't understand why. I don't really understand why a custom enumerateUsers would ever be needed (whether they are SSO authenticating or not, they are actual users in Plone) or if this plugin actually does anything at all at this point. Keep in mind some of this was written in 2011 for a very different version of Plone.
I don't use plone.openid, but I bring this up because the comments in WSA mention it as an inspiration. That package also has a plugin for enumerateUsers. I took a look at that but don't understand the purpose there either. This package does seem to have some more recent development, so perhaps it is more likely someone can at least explain what it is trying to do.