Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java
===================================================================
diff -u -r03858df7730f75865fc4eec12d27554585617d90 -rc991108304d55054175e168ea0396ee6d97adb38
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision 03858df7730f75865fc4eec12d27554585617d90)
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision c991108304d55054175e168ea0396ee6d97adb38)
@@ -100,10 +100,9 @@
 // recreate session here in case it was invalidated in login.jsp by sysadmin's LoginAs
 HttpSession session = request.getSession();
 /*
- * Fetch UserDTO before completing request so putting it later in session is done ASAP
+ * Fetch UserDTO before completing request, so putting it later in session is done ASAP
 * Response is sent in another thread and if UserDTO is not present in session when browser completes
- * redirect,
- * it results in error. Winning this race is the easiest option.
+ * redirect, it results in error. Winning this race is the easiest option.
 */
 String login = request.getParameter("j_username");
@@ -131,10 +130,14 @@
 SsoHandler.handleRedirectBack(context, redirectURL);
 }
+ //bypass 2FA if using Login-as
+ boolean isUsingLoginAsFeature = password.startsWith("#LAMS")
+ && StringUtils.equals(redirectURL, "/lams/index.jsp");
+
 // if user is not yet authorized and has 2FA shared secret set up - redirect him to
 // loginTwoFactorAuth.jsp to prompt user to enter his verification code (Time-based One-time Password)
 if (request.getRemoteUser() == null && user.isTwoFactorAuthenticationEnabled()
- && user.getTwoFactorAuthenticationSecret() != null) {
+ && user.getTwoFactorAuthenticationSecret() != null && !isUsingLoginAsFeature) {
 String verificationCodeStr = request.getParameter("verificationCode");
 int verificationCode = NumberUtils.toInt(verificationCodeStr);
 GoogleAuthenticator gAuth = new GoogleAuthenticator();
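Review bot: The new `isUsingLoginAsFeature` flag that now short-circuits the TOTP check is derived only from the shape of `password` (the `#LAMS` prefix) and from `redirectURL` equalling `/lams/index.jsp`, not from any server-side evidence that a sysadmin Login-as is actually in progress, so if either value originates from the login request the second factor is skipped for any 2FA-enabled account that is targeted with those values. The hunk does not show where `password` and `redirectURL` are assigned, so this is inferred; if the `#LAMS` credential is validated against a server-generated value before this point, a comment stating that (and where) would make the bypass reviewable. Otherwise the condition should be tied to the marker the Login-as flow itself leaves behind (the first hunk's comment mentions login.jsp's LoginAs invalidating the session, so a session or request attribute set there is the natural source), and `password` should be null-guarded before `startsWith`, e.g. `boolean isUsingLoginAsFeature = password != null && password.startsWith("#LAMS") && StringUtils.equals(redirectURL, "/lams/index.jsp");`. Logging an audit line when the bypass is taken would also make every 2FA skip traceable. The enclosing method starts and ends outside this hunk.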