diff --git a/lib/DiscoUtils.php b/lib/DiscoUtils.php
index 9f3a4668445e584aa2683315d1cca94b3ec758c2..967cfb5f41cf856ce6cb4eaac6b7368636ebbc2b 100644
--- a/lib/DiscoUtils.php
+++ b/lib/DiscoUtils.php
@@ -46,13 +46,24 @@ class DiscoUtils
 $upstreamRequestedContexts = [];
 if (empty($spRequestedContexts)) {
 Logger::debug(self::DEBUG_PREFIX . 'No AuthnContextClassRef requested, not sending any to upstream IdP.');
- } elseif ($authnContextHelper->MFAin($spRequestedContexts)) {
- Logger::debug(self::DEBUG_PREFIX . 'SP requested MFA, will prefer MFA at upstream IdP.');
+ } elseif ($authnContextHelper->MFAin($spRequestedContexts) && !$authnContextHelper->SFAin($spRequestedContexts)) {
+ Logger::debug(self::DEBUG_PREFIX . 'SP requires MFA, will prefer MFA at upstream IdP.');
+ $upstreamRequestedContexts = array_values(
+ array_unique(array_merge($mfa_contexts, $spRequestedContexts, $password_contexts))
+ );
+ } elseif (
+ $authnContextHelper->MFAin($spRequestedContexts)
+ && self::getMinIndex($spRequestedContexts, $mfa_contexts) < self::getMinIndex(
+ $spRequestedContexts,
+ $password_contexts
+ )
+ ) {
+ Logger::debug(self::DEBUG_PREFIX . 'SP prefers MFA, will prefer MFA at upstream IdP.');
 $upstreamRequestedContexts = array_values(
 array_unique(array_merge($mfa_contexts, $spRequestedContexts, $password_contexts))
 );
 } else {
- Logger::debug(self::DEBUG_PREFIX . 'SP did not request MFA, will prefer SFA at upstream IdP.');
+ Logger::debug(self::DEBUG_PREFIX . 'SP does not prefer MFA, will prefer SFA at upstream IdP.');
 $upstreamRequestedContexts = array_values(
 array_unique(array_merge($spRequestedContexts, $password_contexts, $mfa_contexts))
 );
@@ -67,4 +78,12 @@ class DiscoUtils
 $state['saml:RequestedAuthnContext']['AuthnContextClassRef'] = $upstreamRequestedContexts;
 }
 }
+
+ /**
+ * Returns first index in arr1 of any element from arr2
+ */
+ private static function getMinIndex($arr1, $arr2)
+ {
+ return min(array_keys(array_intersect($arr1, $arr2)));
+ }
 }
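Review bot: The new "SP requires MFA" and "SP prefers MFA" branches in the first hunk build the identical `$upstreamRequestedContexts` list (`$mfa_contexts`, then SP contexts, then `$password_contexts`) and differ only in the debug message, so the decision logic is duplicated and `MFAin($spRequestedContexts)` is evaluated twice. Hoisting the answer into a local, `$spRequestsMfa = $authnContextHelper->MFAin($spRequestedContexts);`, and computing a single `$preferMfa` boolean before the `if` would make the MFA-preference rule readable in one place, which matters because this is the point where the authentication strength asked of the upstream IdP is decided. The "prefers" test relies on the relative position of the first MFA and first SFA ClassRef in the SP's list; a one-line comment stating that ordering convention, `// SP lists contexts in preference order: MFA listed before any SFA context means MFA is preferred`, would document an assumption that is otherwise invisible to the next reader. The enclosing method starts before this hunk.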
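Review bot: `getMinIndex` in the second hunk calls `min()` on the keys of `array_intersect($arr1, $arr2)`, and `min()` of an empty array throws `ValueError` on PHP 8 (on PHP 7 it returns `false` with a warning, and the `false < int` comparison in the caller then silently picks a branch). The caller in the first hunk reaches `getMinIndex($spRequestedContexts, $password_contexts)` only after `SFAin()` returned true, so this is safe only if `SFAin`/`MFAin` are defined over exactly `$password_contexts`/`$mfa_contexts`, which is not visible here; if the helper's notion of SFA is wider, the intersection is empty and the MFA-vs-SFA preference decision fails instead of degrading predictably. I would make the helper total and typed: `private static function getMinIndex(array $arr1, array $arr2): int`, `$indexes = array_keys(array_intersect($arr1, $arr2));`, `return $indexes === [] ? PHP_INT_MAX : min($indexes);`, and extend the docblock to say that `PHP_INT_MAX` is returned when no element of `$arr2` occurs in `$arr1` so that the absent class is never considered "preferred".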