feat: user without tokens is redirected to new page, when mfa is enforced

I tested, that tokens with expired failcounter are still considered as active. Because of this, I think that we do not need to modify "active=true" filter when getting tokens from privacyidea.

lib/Auth/Process/SwitchAuth.php

@@ -136,7 +136,7 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
 
         if (
             $mfaEnforced && empty($state['Attributes'][AuthSwitcher::MFA_TOKENS]) &&
-            !in_array($this->entityID, $this->mfa_excluded_sps)
+            !in_array($this->entityID, $this->mfa_excluded_sps) && !empty($this->setup_mfa_redirect_url)
         ) {
             $url = Module::getModuleURL(self::SETUP_MFA_URL);
             $params = [];