Add a $saml2{twoFAOnlyWithBypass} option.

This option is for the case that the identity provider offers multi
factor authentication, and yet the $saml2{bypass_query} is also
allowed.  In this case you would not want webwork2's two factor
authentication to be used when signing in via the identity provider.
However, two factor authentication should be used if the bypass query is
used.  Setting $saml2{twoFAOnlyWithBypass} to 1 makes it so that
webwork2's two factor authentication is skipped for users signing in via
the identity provider, but still required for users signing in with a
username/password. If this is set to 0, then webwork2's two factor
authentication will always be required.

conf/authen_saml2.conf.dist

@@ -24,6 +24,12 @@ $authen{admin_module} = [
 	'WeBWorK::Authen::Saml2'
 ];
 
+# This URL query parameter can be added to the end of a course url to skip the
+# saml2 authentication module and go to the next one, for example,
+# http://your.school.edu/webwork2/courseID?bypassSaml2=1. Comment out the next
+# line to disable this feature.
+$saml2{bypass_query} = 'bypassSaml2';
+
 # Note that Saml2 authentication can be used in conjunction with webwork's two
 # factor authentication. If the identity provider does not provide two factor
 # authentication, then it is recommended that you DO use webwork's two factor
@@ -33,11 +39,15 @@ $authen{admin_module} = [
 # authentication. The two factor authentication settings are set in
 # localOverrides.conf.
 
-# This URL query parameter can be added to the end of a course url to skip the
-# saml2 authentication module and go to the next one, for example,
-# http://your.school.edu/webwork2/courseID?bypassSaml2=1. Comment out the next
-# line to disable this feature.
-$saml2{bypass_query} = 'bypassSaml2';
+# As noted above, if the identity provider offers two factor authentication,
+# then you would not want webwork2's two factor authentication to be used at the
+# same time.  However, if the bypass parameter is allowed, you should still
+# enable two factor authentication in that case.  If this is the case, then set
+# $saml2{twoFAOnlyWithBypass} to 1. This will skip webwork2's two factor
+# authentication for users signing in via the identity provider, but still
+# require it for users signing in with a username/password. If this is set to 0,
+# then webwork2's two factor authentication will always be required.
+$saml2{twoFAOnlyWithBypass} = 0;
 
 # If $external_auth is 1, and the authentication sequence reaches
 # Basic_TheLastOption, then the webwork login screen will show a message
@@ -104,9 +114,9 @@ $saml2{sp}{attributes} = [
 # The files saml.crt and saml.pem that are generated contain the public
 # "certificate" and the "private_key", respectively.
 # Note that if the files are placed within the root webwork2 app directory, then
-# the paths may be given relative to the the root webwork2 app directory.
-# Otherwise the absolute path must be given. Make sure that the webwork2 app has
-# read permissions for those files.
+# the paths may be given relative to the root webwork2 app directory.  Otherwise
+# the absolute path must be given. Make sure that the webwork2 app has read
+# permissions for those files.
 $saml2{sp}{certificate_file} = 'docker-config/idp/certs/saml.crt';
 $saml2{sp}{private_key_file} = 'docker-config/idp/certs/saml.pem';
 

lib/WeBWorK/Authen/Saml2.pm

@@ -71,6 +71,8 @@ sub do_verify ($self) {
 	my $c  = $self->{c};
 	my $ce = $c->ce;
 
+	$self->{external_auth} = 1 if $ce->two_factor_authentication_enabled && $ce->{saml2}{twoFAOnlyWithBypass};
+
 	if ($c->current_route eq 'saml2_acs') {
 		debug('Verifying Saml2 assertion');