Closed laclaro closed 3 years ago
Since https://github.com/privacyidea/simplesamlphp-module-privacyidea/commit/62973e46874c05da91253c050c3c68ae607ed055 we support isPassive requests. However, we cannot easily extend this code to use it for SSO, since the variable set by

```php
$session->setData('privacyidea:privacyidea', 'authenticated', true);
```

is not properly cleaned on logout. This causes the 2FA prompt to be bypassed even after logout and another login in the same browser window.
Solution 1: The plugin has to be able to detect a logout request, triggering the cleanup of the authenticated variable.
Solution 2: The authenticated variable has to be stored somewhere so that it is automatically cleaned on logout.
At the moment the plugin does not support SSO if configured as authproc filter. So if the user is already authenticated, our authproc filter will be activated whenever the user visits a new service provider. This means that the authsource (e.g. LDAP) is skipped but the 2nd factor login is shown again.
Since SAML is usually used to realize Single Sign-On, we should also default to accept a valid assertion and skip the 2FA prompt in this case.
One attempt to implement this has been made in PR #80. We will extend the code introduced by PR #91 and implement SSO to be configurable with a default "enabled" behavior.
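The following is an added sketch, not code from this issue or from the privacyidea module, of how an authproc filter could combine the two solutions above: accept the session-scoped `authenticated` flag for SSO, but register a SimpleSAMLphp logout handler that deletes the flag when the authority logs out, so the flag cannot outlive the login it belongs to. It assumes the SimpleSAMLphp `Session` methods `setData`, `getData`, `deleteData` and `registerLogoutHandler`, the constant `Session::DATA_TIMEOUT_SESSION_END`, and that the authsource name is available as `$state['Source']['auth']`; the class name, the `sso` and `authority` config keys and the `markAuthenticated` helper are hypothetical.

```php
<?php
// Added example (not the module's own code). Assumptions: SimpleSAMLphp's
// Session::setData/getData/deleteData/registerLogoutHandler and
// Session::DATA_TIMEOUT_SESSION_END exist as used here; the class name and the
// 'sso' / 'authority' config keys are hypothetical.

namespace SimpleSAML\Module\privacyidea\Auth\Process;

use SimpleSAML\Auth\ProcessingFilter;
use SimpleSAML\Session;

class SsoAwareSecondFactor extends ProcessingFilter
{
    // Same session slot the issue quotes, so existing code keeps working.
    const DATA_TYPE = 'privacyidea:privacyidea';
    const DATA_ID   = 'authenticated';

    /** @var bool Accept an already-completed second factor in this session (SSO). */
    private $ssoEnabled = true;

    /** @var string|null Authsource whose logout should clear the flag (hypothetical option). */
    private $authority = null;

    public function __construct(array $config, $reserved)
    {
        parent::__construct($config, $reserved);
        if (array_key_exists('sso', $config)) {
            $this->ssoEnabled = (bool) $config['sso'];
        }
        if (array_key_exists('authority', $config)) {
            $this->authority = (string) $config['authority'];
        }
    }

    public function process(array &$state)
    {
        $session = Session::getSessionFromRequest();

        if ($this->ssoEnabled
            && $session->getData(self::DATA_TYPE, self::DATA_ID) === true) {
            // Second factor already done in this session and no logout since:
            // behave like SSO and do not show the 2FA prompt again.
            return;
        }

        // Resolve the authority now so the logout handler can be bound to it later.
        if ($this->authority === null && isset($state['Source']['auth'])) {
            $this->authority = $state['Source']['auth'];
        }
        $state['privacyidea:authority'] = $this->authority;

        // ... redirect to the second-factor form here (not shown). After a
        // successful OTP check the form calls markAuthenticated($state).
    }

    /**
     * Called after the second factor was verified. Stores the flag for the
     * lifetime of the session and arranges for it to be removed on logout.
     */
    public static function markAuthenticated(array $state)
    {
        $session = Session::getSessionFromRequest();
        $session->setData(
            self::DATA_TYPE,
            self::DATA_ID,
            true,
            Session::DATA_TIMEOUT_SESSION_END
        );

        // Solution 1 from the issue: react to the logout of this authority.
        // registerLogoutHandler expects the authority to be authenticated in the
        // session at this point, which holds because the authsource already ran.
        if (!empty($state['privacyidea:authority'])) {
            $session->registerLogoutHandler(
                $state['privacyidea:authority'],
                self::class,
                'onLogout'
            );
        }
    }

    /** Logout handler: drop the flag so the next login asks for the 2nd factor again. */
    public static function onLogout()
    {
        $session = Session::getSessionFromRequest();
        $session->deleteData(self::DATA_TYPE, self::DATA_ID);
    }
}
```

The important property is that the flag is deleted by the logout path, not merely by session expiry: with only `DATA_TIMEOUT_SESSION_END` the value would still survive a logout followed by a fresh login in the same browser session, which is exactly the bypass the issue describes.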