When using simplesamlphp for SSO on multiple subdomains how do I bypass OTP on the second domain?

I’m testing using Drupal 8, simplesamlphp and PrivacyIDEA for SSO and MFA and have run into a snag in that each time you visit a different sub-domain (sp) you get automatically logged in via simplesamlphp but then you have to enter an OTP for PrivacyIDEA each time.

I couldn’t find a way to disable this behavior and created my own way: https://github.com/privacyidea/simplesamlphp-module-privacyidea/pull/80 and now I realize that the user can login with simplesamlphp and then just not enter the OTP for PrivacyIdea. If they return to the site that they were trying to originally access they will be successfully logged in.

Is there an easier way of doing this?

Visit: a.test.com

  • Login with simplesamlphp
  • Complete OTP with PrivacyIDEA

Visit: b.test.com

  • SSO logs into the site automatically
  • Skips OTP from PrivacyIDEA

Ken Colwell

To my understanding this is not possible based on the concept of SAML by the IdP.
This has to be done by the application.
The assertion should contain a note about being authenticated either with one oder with two factors and then a.test.com would have to force a reauthentication.

Thanks! That is very helpful.

I have the same question, but I’m sorry, I don’t understand the answer.

I use quite often mod_mellon (apache module for saml) to protect applications. Do you mean that it would be a mod_mellon setting to not require the second factor?

Yes. The SAML SP needs to know if it needs 1FA or 2FA.

The IdP should store in the SAML assertion, if the authentication happened with 1FA or 2FA.

Default behaviour is, if a user gets a valid SAML assertion from the IdP, the application does not care anymore, how the user was authenticated. This how somehow needs to be transported to the SP and the SP has to decide, if the how is sufficient or not.

Imagine a user, who already authenticated with 1FA. Then the user goes to an SP, that would require 2FA. How would the SP otherwise know?

I might be totally wrong, but this was usually my understand how SAML works.