The Shibboleth Project has released a security advisory that involves possibly bypass of second factor authentication requirements in certain less common scenarios described in the advisory. A patch release is now available that corrects the issue.