fix: correct no tokens redirect

lib/Auth/Process/SwitchAuth.php

@@ -137,18 +137,23 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
         $upstreamContext = $this->proxyMode ? ProxyHelper::fetchContextFromUpstreamIdp($state) : null;
 
         if (
-            ($mfaEnforced || (
+            ($mfaEnforced ||
+            (
                 $this->authnContextHelper->MFAin($state['saml:RequestedAuthnContext']['AuthnContextClassRef'] ?? []) &&
                 !$this->authnContextHelper->SFAin($state['saml:RequestedAuthnContext']['AuthnContextClassRef'] ?? []) &&
-                !($this->proxyMode && $upstreamContext && $this->authnContextHelper->MFAin([$upstreamContext]))
-            ))
-            && empty($state['Attributes'][AuthSwitcher::MFA_TOKENS]) &&
-            !in_array($this->entityID, $this->mfa_excluded_sps) && !empty($this->setup_mfa_redirect_url)
+                !($this->proxyMode &&
+                $upstreamContext &&
+                $this->authnContextHelper->MFAin([$upstreamContext]))
+            )) &&
+            empty($state['Attributes'][AuthSwitcher::MFA_TOKENS]) &&
+            !in_array($this->entityID, $this->mfa_excluded_sps) &&
+            !empty($this->setup_mfa_redirect_url)
         ) {
+            self::info('user must perform MFA but has no tokens, redirect to setup');
             $url = Module::getModuleURL(self::SETUP_MFA_URL);
-            $params = [];
-            $params[self::PARAM_MFA_REDIRECT_URL] = $this->setup_mfa_redirect_url;
-            HTTP::redirectTrustedURL($url, $params);
+            $state[self::PARAM_MFA_REDIRECT_URL] = $this->setup_mfa_redirect_url;
+            $stateId = State::saveState($state, 'authswitcher:authswitcher');
+            HTTP::redirectTrustedURL($url, ['stateId' => $stateId]);
         }
 
         self::info('user capabilities: ' . json_encode($usersCapabilities));