Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Done
Description
An authentication attempt using both the SAML and TOTP auth providers together cannot succeed. Depending on the order in which the extensions are loaded, the behavior is either an infinite loop between SAML provider redirects and TOTP code prompts, or the login attempt simply fails after both factors are provided.

The problem seems to be that both SAML and TOTP have replay-attack prevention in place, meaning that after the SAML response is accepted and the TOTP prompt is submitted, the original SAML response is no longer valid.
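The interaction described above can be reproduced in a small model of the two providers. The following is a constructed illustration added here, not code from Guacamole or from this issue: `SamlProvider` accepts each assertion ID once (the SAML replay guard), `TotpProvider` implements RFC 6238 codes and refuses to accept the same time step twice (the TOTP replay guard), and `login` drives a two-request flow in which the second request carries both the already-consumed SAML assertion and the TOTP code. The `reuse_session` flag, the `"saml_user"` session key and the secret are assumptions for the demonstration; the session-based variant shows one way a chained flow can avoid re-validating a consumed assertion, and is not a description of how the issue was resolved.

```python
import hashlib
import hmac
import struct


class SamlProvider:
    """Replay guard: every assertion ID is accepted at most once."""

    def __init__(self):
        self.consumed = set()

    def validate(self, assertion):
        aid = assertion["id"]
        if aid in self.consumed:
            return None  # second presentation of the same assertion is a replay
        self.consumed.add(aid)
        return assertion["subject"]


class TotpProvider:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) with a per-user last-used-step guard."""

    def __init__(self, secret, step=30):
        self.secret = secret
        self.step = step
        self.last_counter = {}  # user -> last time step that produced a success

    def code_for(self, counter):
        mac = hmac.new(self.secret, struct.pack(">Q", counter), hashlib.sha1).digest()
        off = mac[-1] & 0x0F
        val = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
        return f"{val:06d}"

    def verify(self, user, code, now):
        counter = int(now // self.step)
        if self.last_counter.get(user) == counter:
            return False  # a code from this time step was already used: replay
        if hmac.compare_digest(code, self.code_for(counter)):
            self.last_counter[user] = counter
            return True
        return False


def login(saml, totp, requests, reuse_session):
    """Run a request sequence through SAML then TOTP.

    reuse_session=False re-validates the SAML assertion on every request,
    which is what trips the SAML replay guard once the TOTP code arrives.
    reuse_session=True trusts the identity already recorded in the session
    (an assumed design choice, not the project's actual fix).
    """
    session = {}
    for req in requests:
        if reuse_session and "saml_user" in session:
            user = session["saml_user"]
        else:
            user = saml.validate(req["assertion"])
            if user is None:
                return "failed: SAML assertion rejected as a replay"
            session["saml_user"] = user
        code = req.get("totp")
        if code is None:
            continue  # first factor done; the user is now prompted for TOTP
        if not totp.verify(user, code, req["now"]):
            return "failed: TOTP rejected"
        return f"authenticated {user}"
    return "incomplete"


def run(reuse_session):
    """Build fresh providers and replay the two-request login (constructed data)."""
    saml = SamlProvider()
    totp = TotpProvider(b"constructed-demo-secret")
    assertion = {"id": "_constructed-assertion-1", "subject": "alice"}
    now = 1_700_000_000  # fixed clock so the TOTP code is deterministic
    code = totp.code_for(int(now // totp.step))
    requests = [
        {"assertion": assertion, "now": now},                 # SAML response posted
        {"assertion": assertion, "totp": code, "now": now},   # TOTP prompt submitted
    ]
    return login(saml, totp, requests, reuse_session)


if __name__ == "__main__":
    print("re-validate every request:", run(False))
    print("trust verified session:   ", run(True))
```

Running the naive variant shows the failure mode from the description: the assertion is consumed by the first request and the second request, which carries the TOTP code, is rejected by the SAML guard before TOTP is ever checked. The session-aware variant reaches the TOTP step with its own replay guard intact.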