Completely working solution in simplesamlphp/metadata/saml20-idp-hosted.php
Every user with the attribute “leerling” (= student in Dutch) set to “1” will not get the screen for a second authentication factor. All the other users will.
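    'authproc' => [
        // Runs first: flags students so that the privacyIDEA filters below skip them.
        10 => [
            'class' => 'core:PHP',
            'code' => '
                // isset() guard: users without the "leerling" attribute keep the second factor
                if (isset($state["Attributes"]["leerling"][0]) && $state["Attributes"]["leerling"][0] == 1) {
                    $state["use_pi"] = ["key" => "0"];
                }
            ',
        ],
        20 => [
            'class' => 'privacyidea:serverconfig',
            'privacyideaserver' => 'https://privacyidea.example.com',
            'realm' => 'example.com',
            'uidKey' => 'uid',
            'sslverifyhost' => true,
            'sslverifypeer' => true,
            // Location in $state that the core:PHP filter above writes to
            'enabledPath' => 'use_pi',
            'enabledKey' => 'key',
        ],
        25 => [
            'class' => 'privacyidea:privacyidea',
        ],
    ],
];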