diff --git a/lib/Auth/Process/privacyidea.php b/lib/Auth/Process/privacyidea.php
index 8cc5c40eda32661ba95b853ddb6a7fe506142961..8e72d937c12d18426b6b26bacfd6053a6317d336 100644
--- a/lib/Auth/Process/privacyidea.php
+++ b/lib/Auth/Process/privacyidea.php
@@ -62,6 +62,14 @@ class sspmod_privacyidea_Auth_Process_privacyidea extends SimpleSAML_Auth_Proces
             );
             return;
         }
+
+        if (isset($state['isPassive']) && $state['isPassive'] === true) {
+            if (SimpleSAML_Session::getSessionFromRequest()->getData('privacyidea:privacyidea', 'authenticated')) {
+                SimpleSAML_Logger::debug("privacyIDEA: ignore passive SAML request for already logged in user");
+                return;
+            }
+            throw new \SimpleSAML\Module\saml\Error\NoPassive('Passive authentication (OTP) not supported.');
+        }
         if (!$this->serverconfig['privacyideaserver']) {SimpleSAML_Logger::error("privacyIDEA url is not set!");}
         if ($this->maybeTryFirstAuthentication($state)) {return;}
         if ($this->serverconfig['doTriggerChallenge']) {$state = $this->triggerChallenge($state);}
diff --git a/www/otpform.php b/www/otpform.php
index 59db8586e847957d2fc30c47a9ec881db2062849..083a55442b0f660a63ba6e29729aa2583ae50016 100644
--- a/www/otpform.php
+++ b/www/otpform.php
@@ -63,6 +63,8 @@
                         "regdata" => $registrationData
                     )
                 )) {
+					$session = SimpleSAML_Session::getSessionFromRequest();
+					$session->setData('privacyidea:privacyidea', 'authenticated', true);
 					SimpleSAML_Auth_State::saveState($state, 'privacyidea:privacyidea:init');
                     SimpleSAML_Logger::debug("Saved state privacyidea:privacyidea:init from otpform.php");
 					SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
@@ -70,7 +72,7 @@
 					SimpleSAML_Logger::debug("privacyIDEA: User entered wrong OTP");
 				}
 			} elseif ($state['privacyidea:privacyidea:authenticationMethod'] === "authsource") {
-				if (sspmod_privacyidea_Auth_Source_privacyidea::handleLogin($authStateId, $username, $password, $transaction_id, $signatureData, $clientData));
+				sspmod_privacyidea_Auth_Source_privacyidea::handleLogin($authStateId, $username, $password, $transaction_id, $signatureData, $clientData);
 			}
         } catch (SimpleSAML_Error_Error $e) {
             /* Login failed. Extract error code and parameters, to display the error. */
@@ -203,4 +205,4 @@
 
 	$tpl->show();
 	
-	?>
\ No newline at end of file
+	?>