simplesamlphp / simplesamlphp-module-webauthn

A module implementing FIDO2 / WebAuthn as a second authentication factor
GNU Lesser General Public License v2.1

SSO: non-first authentications always require second factor #25

Open restena-sw opened 4 years ago

restena-sw commented 4 years ago

When visiting multiple SPs in a row, simpleSAMLphp correctly only checks the first factor (say, password) the first time and skips this if a session is already valid.

However, the authprocs get executed and, with them, the WebAuthn module, so the second factor is always requested. This implies all the associated user interaction and reduces the value promise of SSO: logging in just once.

OTOH this is great for checking user presence; it protects against things like theft of the session cookie by an attacker.

So this is somewhere between a bug and a feature IMHO. Maybe it should be made configurable whether or not the second factor is only asked together with the first factor or every time.
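One way the configurable behaviour proposed above could be expressed in SimpleSAMLphp's authproc mechanism, as an added example that is not part of the webauthn module or of this issue. It assumes the real SimpleSAMLphp APIs `\SimpleSAML\Auth\ProcessingFilter` (constructor and `process()`), `\SimpleSAML\Session::getSessionFromRequest()`, `Session::getData()`, `Session::setData()` and the `Session::DATA_TIMEOUT_SESSION_END` constant; the module name `example`, the class name, the option names `oncePerSession` and `maxAge`, the session data slot and the state key `example:skipSecondFactor` are all hypothetical, as is the contract that a downstream second-factor filter honours that state key. It goes slightly beyond the two options in the comment by adding a maximum age after which presence is re-checked even in once-per-session mode, which bounds how long a stolen session cookie stays usable without the authenticator.

```php
<?php
// Added example, not the webauthn module's own code. Assumed real APIs:
// \SimpleSAML\Auth\ProcessingFilter, \SimpleSAML\Session::getSessionFromRequest(),
// Session::getData(), Session::setData(), Session::DATA_TIMEOUT_SESSION_END.
// Module name, class name, option names, data slot and state key are hypothetical.

namespace SimpleSAML\Module\example\Auth\Process;

use SimpleSAML\Auth\ProcessingFilter;
use SimpleSAML\Session;

class SecondFactorPolicy extends ProcessingFilter
{
    // Session slot in which a completed second factor is remembered (hypothetical names).
    private const DATA_TYPE = 'example:secondfactor';
    private const DATA_ID   = 'completedAt';

    // true:  ask the second factor only together with the first factor (once per SSO session).
    // false: ask it on every SP visit (the behaviour described in the issue).
    private bool $oncePerSession;

    // Even in once-per-session mode, force a fresh presence check after this many
    // seconds, so a stolen session cookie has a bounded lifetime without the token.
    private int $maxAge;

    public function __construct(array &$config, $reserved)
    {
        parent::__construct($config, $reserved);
        $this->oncePerSession = (bool) ($config['oncePerSession'] ?? false);
        $this->maxAge         = (int)  ($config['maxAge'] ?? 8 * 3600);
    }

    public function process(array &$state): void
    {
        $session     = Session::getSessionFromRequest();
        $completedAt = $session->getData(self::DATA_TYPE, self::DATA_ID); // int|null

        // Hypothetical contract: a second-factor filter placed later in the authproc
        // chain reads this flag and returns without prompting when it is true.
        $state['example:skipSecondFactor'] =
            self::shouldSkip($this->oncePerSession, $completedAt, time(), $this->maxAge);
    }

    // Pure decision rule, kept separate so it can be unit-tested without a session:
    // skip only when the policy allows it, the factor was completed in this session,
    // and that completion is still younger than maxAge.
    public static function shouldSkip(bool $oncePerSession, ?int $completedAt, int $now, int $maxAge): bool
    {
        if (!$oncePerSession || $completedAt === null) {
            return false;
        }
        return ($now - $completedAt) < $maxAge;
    }

    // Hypothetical hook for the second-factor filter to call once the user has
    // passed WebAuthn; the timestamp lives exactly as long as the SSO session.
    public static function markCompleted(): void
    {
        Session::getSessionFromRequest()->setData(
            self::DATA_TYPE,
            self::DATA_ID,
            time(),
            Session::DATA_TIMEOUT_SESSION_END
        );
    }
}
```

In an authsource or IdP metadata `authproc` array this filter would be listed before the WebAuthn filter, e.g. `10 => ['class' => 'example:SecondFactorPolicy', 'oncePerSession' => true, 'maxAge' => 3600]`, and the WebAuthn filter would have to consult `$state['example:skipSecondFactor']`; the decision itself lives in `shouldSkip()` so the three cases (every time, once per session, once per session but stale) can be checked without a running IdP.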