catalyst / moodle-auth_saml2

SAML done 100% in Moodle, fast, simple, secure
https://moodle.org/plugins/auth_saml2

keycloak and passive login handling #699

Open a-schild opened 2 years ago

a-schild commented 2 years ago

We use Moodle 3.11.x together with keycloak 17.x. When we try to use the "dual login" in passive mode, the auth_saml2 module shows this error if the user is not already logged in:

SAML2 exception: Responder/NoPassive

[More information about this error](http://docs.moodle.org/311/en/error/auth_saml2/exception)

Debug info: #0 [dirroot]/auth/saml2/.extlib/simplesamlphp/modules/saml/www/sp/saml2-acs.php(148): SimpleSAML\Module\saml\Error->toException()
#1 [dirroot]/auth/saml2/sp/saml2-acs.php(34): require('[dirroot]/a...')
#2 {main}
Error code: exception
Stack trace:
line 36 of /auth/saml2/sp/saml2-acs.php: saml2_exception thrown

As far as I understand, passive mode in SAML tells the idp to try to log in the user without interaction; if that fails (because the user is not yet logged in), then the normal login flow should be initiated by the client (moodle).

Most of our users are already logged in to the idp via a dashboard/portal, so we would like to skip the login dialog in Moodle in those cases. The auto login is set to "Check once per session"; all other settings are on default.

It is not clear to me why the auth_saml2 module shows this as an error at that step, or how we can prevent this from happening.

almadog commented 2 years ago

Having the same problem with Moodle 3.11.7 and AAD when passive mode is enabled.

"AADSTS50058: A silent sign-in request was sent but no user is signed in."
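Both reports describe the same SAML condition: the SP sent an AuthnRequest with IsPassive="true", and the IdP answered with a Status of Responder/NoPassive because nobody is signed in. The following added example (not code from auth_saml2 or SimpleSAMLphp) shows how an SP can classify the Status element of such a Response and treat NoPassive as "retry once with an active request" instead of raising an exception; the sample Response XML is constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

# Constructed sample: what an IdP returns to a passive request when no session exists.
NO_PASSIVE_RESPONSE = f"""
<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0"
                IssueInstant="2022-01-01T00:00:00Z" InResponseTo="_req1">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS_RESPONDER}">
      <samlp:StatusCode Value="{STATUS_NO_PASSIVE}"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>No user is signed in</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample: a successful status (assertion omitted for brevity).
SUCCESS_RESPONSE = f"""
<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp2" Version="2.0"
                IssueInstant="2022-01-01T00:00:00Z" InResponseTo="_req2">
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
</samlp:Response>"""


def status_codes(response_xml: str) -> list[str]:
    """Return the nested StatusCode values, top-level code first.
    In production, verify the Response signature first and parse untrusted
    XML with a hardened parser (e.g. defusedxml); stdlib ET is used here only
    because the input is a constructed sample."""
    root = ET.fromstring(response_xml)
    codes = []
    node = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    while node is not None:
        codes.append(node.get("Value", ""))
        node = node.find(f"{{{SAMLP}}}StatusCode")
    return codes


def next_action(response_xml: str, was_passive: bool) -> str:
    """Decide what the SP should do: process the assertion, retry the
    AuthnRequest once with IsPassive="false", or surface an error.
    NoPassive is only a legitimate answer to a passive request, and the
    retry must happen at most once to avoid a redirect loop."""
    codes = status_codes(response_xml)
    if codes[:1] == [STATUS_SUCCESS]:
        return "process_assertion"
    if was_passive and codes[:2] == [STATUS_RESPONDER, STATUS_NO_PASSIVE]:
        return "retry_active"
    return "raise_error"
```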