Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java =================================================================== diff -u -r26e7a51d2a74ef045d6e056752fd60bf510f2024 -reb1529450ce9483c3a5d6df58aed14e437bb8ee6 --- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision 26e7a51d2a74ef045d6e056752fd60bf510f2024) +++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision eb1529450ce9483c3a5d6df58aed14e437bb8ee6) @@ -107,12 +107,11 @@ */ String login = request.getParameter("j_username"); - User user = null; if (StringUtils.isBlank(login)) { SsoHandler.serveLoginPage(exchange, request, response, "/login.jsp?failed=true"); return; } - user = SsoHandler.getUserManagementService(session.getServletContext()).getUserByLogin(login); + User user = SsoHandler.getUserManagementService(session.getServletContext()).getUserByLogin(login); if (user == null) { SsoHandler.serveLoginPage(exchange, request, response, "/login.jsp?failed=true"); return; @@ -127,13 +126,10 @@ // LoginRequestServlet (integrations) and LoginAsAction (sysadmin) set this parameter String redirectURL = request.getParameter("redirectURL"); - if (!StringUtils.isBlank(redirectURL)) { - SsoHandler.handleRedirectBack(context, redirectURL); - } //bypass 2FA if using Login-as - boolean isUsingLoginAsFeature = password.startsWith("#LAMS") - && StringUtils.equals(redirectURL, "/lams/index.jsp"); + boolean isPasswordToken = password.startsWith("#LAMS"); + boolean isUsingLoginAsFeature = isPasswordToken && StringUtils.equals(redirectURL, "/lams/index.jsp"); // if user is not yet authorized and has 2FA shared secret set up - redirect him to // loginTwoFactorAuth.jsp to prompt user to enter his verification code (Time-based One-time Password) 
@@ -154,14 +150,24 @@ session.setAttribute("password", password); //verificationCodeStr equals null in case request came from login.jsp - String redirectUrl = "/lams/loginTwoFactorAuth.jsp" + redirectURL = "/lams/loginTwoFactorAuth.jsp" + ((verificationCodeStr == null) ? "" : "?failed=true"); - response.sendRedirect(redirectUrl); + response.sendRedirect(redirectURL); return; } + } + // when user clicks + UserDTO loggedInUser = session == null ? null : (UserDTO) session.getAttribute(AttributeNames.USER); + if (isPasswordToken && loggedInUser != null && loggedInUser.getLogin().equals(login)) { + response.sendRedirect(redirectURL); + return; } + if (!StringUtils.isBlank(redirectURL)) { + SsoHandler.handleRedirectBack(context, redirectURL); + } + // store session so UniversalLoginModule can access it SessionManager.startSession(request);
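Review bot: The new early-return branch for an already-logged-in user hands `redirectURL` straight from the request parameter to `response.sendRedirect(redirectURL)`, skipping both the blank check and the `handleRedirectBack` call that the very next lines apply on the normal path, so a missing parameter reaches `sendRedirect` as null and an attacker-supplied absolute URL becomes an open redirect on the login endpoint (the `isUsingLoginAsFeature` check in the previous hunk avoids this by requiring exactly `/lams/index.jsp`). Gate the branch on a non-blank, same-site target, e.g. `if (isPasswordToken && loggedInUser != null && loggedInUser.getLogin().equals(login) && StringUtils.isNotBlank(redirectURL) && redirectURL.startsWith("/") && !redirectURL.startsWith("//")) {`, or run it through whatever validation `handleRedirectBack` performs (its body is outside this diff, so confirm it does validate). The `session == null ? null : ...` guard looks dead, since `session.setAttribute("password", password)` a few lines above dereferences `session` unconditionally; keep or drop it consistently. The `// when user clicks` comment is truncated and should state the intent, e.g. `// user already holds a session for this login and re-submitted a #LAMS token (presumably a Login-as link): skip re-authentication and just follow the redirect — TODO confirm`. The enclosing method continues past the end of this hunk.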