[ https://issues.apache.org/jira/browse/GUACAMOLE-1780?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Jumper reopened GUACAMOLE-1780:
------------------------------------

> TOTP and SAML auth cannot be used together
> ------------------------------------------
>
>                 Key: GUACAMOLE-1780
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1780
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole, guacamole-auth-saml, guacamole-auth-totp
>            Reporter: James Muehlner
>            Priority: Major
>             Fix For: 1.6.0
>
>
> An authentication attempt using both the SAML and TOTP auth providers 
> together cannot succeed. Depending on the order that the extensions are 
> loaded, the behavior may be an infinite loop between SAML provider redirects 
> and TOTP codes, or the login attempt will just fail after both factors are 
> provided.
> The problem seems to be that both SAML and TOTP have replay attack 
> preventions in place - meaning that after the SAML response is accepted, and 
> the TOTP prompt is submitted, the original SAML response is no longer valid.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
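
A simplified model of the interaction the issue describes, added here as an illustration and not taken from Guacamole's code. The class names, the session handling and the "remember the first factor" mitigation are assumptions; the sample identifiers are constructed.

```python
# Added example: two factors, each with one-time-use replay protection.
# All names are hypothetical; this is not Guacamole's implementation.

class ReplayGuard:
    """Accepts each token exactly once."""
    def __init__(self):
        self._seen = set()

    def consume(self, token):
        if token in self._seen:
            return False
        self._seen.add(token)
        return True


class LoginChain:
    def __init__(self, remember_first_factor):
        self.saml_guard = ReplayGuard()
        self.totp_guard = ReplayGuard()
        self.remember_first_factor = remember_first_factor
        self.session = {}  # session id -> identity already proven via SAML

    def attempt(self, session_id, saml_response_id, totp_code=None):
        """One request carrying every credential collected so far."""
        user = self.session.get(session_id) if self.remember_first_factor else None
        if user is None:
            # Without remembered state, factor 1 is re-validated on each request.
            if not self.saml_guard.consume(saml_response_id):
                return "REJECTED: SAML response replayed"
            user = "constructed-user"
            if self.remember_first_factor:
                self.session[session_id] = user
        if totp_code is None:
            return "PROMPT: TOTP code required"
        if not self.totp_guard.consume((user, totp_code)):
            return "REJECTED: TOTP code replayed"
        return "AUTHENTICATED"


def run(remember_first_factor):
    chain = LoginChain(remember_first_factor)
    first = chain.attempt("sess-1", "_assertion-abc")             # back from the IdP
    second = chain.attempt("sess-1", "_assertion-abc", "123456")  # TOTP submitted
    replay = chain.attempt("sess-2", "_assertion-abc")            # other session
    return first, second, replay
```

In this model, binding the verified identity to the session lets the second request succeed while a resubmission of the same SAML response from another session is still refused.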
