diff --git a/lib/Auth/Process/GetMfaTokensPrivacyIDEA.php b/lib/Auth/Process/GetMfaTokensPrivacyIDEA.php
index b3f272f7dd83427bcc854cbbbb456a72cc62a59d..8130aee9f6499d6cf79fd0e045efff571f261d28 100644
--- a/lib/Auth/Process/GetMfaTokensPrivacyIDEA.php
+++ b/lib/Auth/Process/GetMfaTokensPrivacyIDEA.php
@@ -67,7 +67,7 @@ class GetMfaTokensPrivacyIDEA extends \SimpleSAML\Auth\ProcessingFilter
         $state[Authswitcher::PRIVACY_IDEA_FAIL] = false;
         $state['Attributes'][$this->tokens_attr] = [];
         $admin_token = $this->getAdminToken();
-        if (null === $admin_token) {
+        if (empty($admin_token)) {
             $state[AuthSwitcher::PRIVACY_IDEA_FAIL] = true;
 
             return;
@@ -134,7 +134,7 @@ class GetMfaTokensPrivacyIDEA extends \SimpleSAML\Auth\ProcessingFilter
         return $response['result']['value']['token'];
     }
 
-    private function getPrivacyIdeaTokensByType($state, $type, $admin_token)
+    private function getPrivacyIdeaTokensByType(&$state, $type, $admin_token)
     {
         $ch = curl_init();
         curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $this->connect_timeout);
diff --git a/lib/Auth/Process/SwitchAuth.php b/lib/Auth/Process/SwitchAuth.php
index 1fdf924a521a9aada24de67e442f16a6ef1435d2..1e55fd25f130d0ee713eb3c091901c55f6f88cbe 100644
--- a/lib/Auth/Process/SwitchAuth.php
+++ b/lib/Auth/Process/SwitchAuth.php
@@ -122,22 +122,19 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
 
         self::info('supported requested contexts: ' . json_encode($state[AuthSwitcher::SUPPORTED_REQUESTED_CONTEXTS]));
 
-        if (
-            $this->mfa_preferred_privacyidea_fail && isset($state[AuthSwitcher::PRIVACY_IDEA_FAIL]) &&
-            $state[AuthSwitcher::PRIVACY_IDEA_FAIL] &&
-            AuthnContextHelper::isMFAprefered($state[Authswitcher::SUPPORTED_REQUESTED_CONTEXTS]) &&
-            !AuthnContextHelper::MFAin([$upstreamContext])
-        ) {
-            throw new Exception(self::DEBUG_PREFIX . 'MFA is preferred but connection to privacyidea failed.');
-        }
-
-        // switch to MFA if enforced or preferred but not already done if we handle the proxy mode
-        $performMFA = AuthnContextHelper::MFAin($usersCapabilities) && !AuthnContextHelper::MFAin([
+        $shouldPerformMFA = !AuthnContextHelper::MFAin([
             $upstreamContext,
         ]) && ($this->mfa_enforced || AuthnContextHelper::isMFAprefered(
             $state[AuthSwitcher::SUPPORTED_REQUESTED_CONTEXTS]
         ));
 
+        if ($this->mfa_preferred_privacyidea_fail && !empty($state[AuthSwitcher::PRIVACY_IDEA_FAIL]) && $shouldPerformMFA) {
+            throw new Exception(self::DEBUG_PREFIX . 'MFA should be performed but connection to privacyidea failed.');
+        }
+
+        // switch to MFA if enforced or preferred but not already done if we handle the proxy mode
+        $performMFA = AuthnContextHelper::MFAin($usersCapabilities) && $shouldPerformMFA;
+
         $maxUserCapability = '';
         if (in_array(AuthSwitcher::MFA, $usersCapabilities, true)) {
             $maxUserCapability = AuthSwitcher::MFA;