Fix passive requests in auth proc filter.
When a passive SAML request (<samlp:AuthnRequest IsPassive="true">) is received, a "urn:oasis:names:tc:SAML:2.0:status:NoPassive" status error is expected (instead of a login form). The privacyidea plugin must not ask for an OTP in this case. As an auth proc filter is executed after being authenticated, we have to store in the session that the OTP authentication also succeeded (otherwise one can bypass the OTP check (with passive requests, which are e.g. used by Univention Corporate Server's Management Console) while one is not logged in).