diff --git a/lib/Auth/Process/privacyidea.php b/lib/Auth/Process/privacyidea.php
index 8cc5c40eda32661ba95b853ddb6a7fe506142961..8e72d937c12d18426b6b26bacfd6053a6317d336 100644
--- a/lib/Auth/Process/privacyidea.php
+++ b/lib/Auth/Process/privacyidea.php
@@ -62,6 +62,14 @@ class sspmod_privacyidea_Auth_Process_privacyidea extends SimpleSAML_Auth_Proces
 );
 return;
 }
+
+ if (isset($state['isPassive']) && $state['isPassive'] === true) {
+ if (SimpleSAML_Session::getSessionFromRequest()->getData('privacyidea:privacyidea', 'authenticated')) {
+ SimpleSAML_Logger::debug("privacyIDEA: ignore passive SAML request for already logged in user");
+ return;
+ }
+ throw new \SimpleSAML\Module\saml\Error\NoPassive('Passive authentication (OTP) not supported.');
+ }
 if (!$this->serverconfig['privacyideaserver']) {SimpleSAML_Logger::error("privacyIDEA url is not set!");}
 if ($this->maybeTryFirstAuthentication($state)) {return;}
 if ($this->serverconfig['doTriggerChallenge']) {$state = $this->triggerChallenge($state);}
diff --git a/www/otpform.php b/www/otpform.php
index 59db8586e847957d2fc30c47a9ec881db2062849..083a55442b0f660a63ba6e29729aa2583ae50016 100644
--- a/www/otpform.php
+++ b/www/otpform.php
@@ -63,6 +63,8 @@
 "regdata" => $registrationData
 )
 )) {
+ $session = SimpleSAML_Session::getSessionFromRequest();
+ $session->setData('privacyidea:privacyidea', 'authenticated', true);
 SimpleSAML_Auth_State::saveState($state, 'privacyidea:privacyidea:init');
 SimpleSAML_Logger::debug("Saved state privacyidea:privacyidea:init from otpform.php");
 SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
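Review bot: The `authenticated` entry read in the passive branch is a bare boolean stored on the SimpleSAML session and is never tied to the user who actually completed the OTP step, so the early `return` accepts a passive request for whoever currently holds the first-factor session; the same applies to the two added lines in www/otpform.php that set it. If that session data outlives an IdP logout and a different user later authenticates with the first factor only (for example through a service provider that does not run this filter), the passive path would skip the second factor for that user, and nothing in either hunk ever clears or expires the entry beyond the data store's default, since the `setData` call leaves its timeout argument unset. Storing the identity instead of `true`, e.g. `$session->setData('privacyidea:privacyidea', 'authenticated', $username);` in otpform.php, comparing it against the current user in `$state` before returning here, and clearing it on logout would close that gap. As a point of style, `isset($state['isPassive']) && $state['isPassive'] === true` can be written `($state['isPassive'] ?? false) === true`. The enclosing method starts before and continues after this hunk.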
@@ -70,7 +72,7 @@
 SimpleSAML_Logger::debug("privacyIDEA: User entered wrong OTP");
 }
 } elseif ($state['privacyidea:privacyidea:authenticationMethod'] === "authsource") {
- if (sspmod_privacyidea_Auth_Source_privacyidea::handleLogin($authStateId, $username, $password, $transaction_id, $signatureData, $clientData));
+ sspmod_privacyidea_Auth_Source_privacyidea::handleLogin($authStateId, $username, $password, $transaction_id, $signatureData, $clientData);
 }
 } catch (SimpleSAML_Error_Error $e) {
 /* Login failed. Extract error code and parameters, to display the error. */
@@ -203,4 +205,4 @@
 $tpl->show();
- ?>
\ No newline at end of file
+ ?>
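Review bot: The result of `handleLogin(...)` is still discarded on the new line of the authsource branch; the removed statement was an `if (...);` with an empty body, and the fix only drops the dead `if` without deciding what to do with the outcome. If handleLogin reports a rejected OTP through its return value rather than by throwing (the `catch (SimpleSAML_Error_Error $e)` below covers only the exception path), a wrong OTP would pass silently here, whereas the authprocess branch above at least logs "privacyIDEA: User entered wrong OTP". That method's contract is not visible in this hunk and should be checked; if it does return a status, wrap the call as `if (!sspmod_privacyidea_Auth_Source_privacyidea::handleLogin($authStateId, $username, $password, $transaction_id, $signatureData, $clientData)) { SimpleSAML_Logger::debug("privacyIDEA: User entered wrong OTP"); }`. The enclosing try block opens before this hunk.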