Authentication form is keep occuring even after the user is successfully authenticated

Hi all;
I am new to PrivacyIdea. Our environment has the following characteristics:

  • Privacy idea version: 3.7 (installed with pip)
  • privacy idea simple saml php plugin: 2.1 (installed with composer)
  • privacy idea is configured as an authsource for simplesamlphp:
 'privacyidea' => array(
      'privacyideaServerURL' => 'https://privacyidea.internal',
      'sslverifyhost' => True,
      'sslverifypeer' => True,
      'realm' => '',
      'SSO' => 'true',
      'otpFieldHint' => 'OTP',
      'passFieldHint' => 'PIN',
      'attributemap' => array(
          'username' => 'uid',
          'email' => 'mail',
          'surname' => null,
          'givenname' => null,
          'phone' => null,
          'mobile' => null,  
      'doTriggerChallenge' => 'false',
      'doSendPassword' => 'true',
      'preferredTokenType' => '',
      'concatenationmap' => array(
          'givenname,surname' => 'fullName',
      'detailmap' => array(
          'message' => 'message',
          'type' => 'otpType',
          'serial' => 'otpSerial',
          'otplen' => 'otpLength'

access to web service S is allowed when the saml authentication is done successfully for user X.

Problem description:
I enrolled an OTP token to privacy idea successfully for user X. The problem occurs when I try to authenticate through the simplesaml web UI. In fact, I input the user identifier and the PIN+OTP in the PIN field. In the logs of simplesamlphp I can clearly read that the User authenticated successfully!.
Here is an excerpt from the logs:

privacyIDEA-PHP-Client: /validate/check returned {
    "detail": {
        "message": "matching 1 tokens",
        "otplen": 6,
        "serial": "SERIAL-REMOVED",
        "threadid": 139806027273984,
        "type": "hotp"
    "id": 2,
    "jsonrpc": "2.0",
    "result": {
        "authentication": "ACCEPT",
        "status": true,
        "value": true
    "time": 1649920666.5231423,
    "version": "privacyIDEA 3.7",
    "versionnumber": "3.7",

I expect that there will be a redirect to web service S. What happens actually is a second from coming from simplesamlphp occurs again asking for the OTP.


Even if we input the PIN+OTP again into that field, we again see in the logs User authenticated successfully! but again the form occurs again asking for the OTP.

Any help is appreciated !


I suppose that your problem occurs because if you are using simplesaml as an authsource, it needs a little more info about the user. You can send it by adding a new policy in privacyIDEA.

Please try to add a policy from scope: “authorization”, and in “Action” check:
setting actions → add_resolver_in_response
setting actions → add_user_in_response
and eventually:
miscellaneous → application_tokentype

I hope it will help!

1 Like