If SAML required, don't accept login form post.

app/Http/Controllers/Auth/LoginController.php

@@ -75,6 +75,7 @@ public function showLoginForm(Request $request)
  }
 
  //If the environment is set to ALWAYS require SAML, go straight to the SAML route.
+ //We don't need to check other settings, as this should override those.
  if((env("REQUIRE_SAML", false)))
  {
  return redirect()->route('saml.login');
@@ -207,6 +208,12 @@ private function loginViaRemoteUser(Request $request)
  */
  public function login(Request $request)
  {
+ //If the environment is set to ALWAYS require SAML, return access denied
+ if((env("REQUIRE_SAML", false)))
+ {
+ return view('errors.403');
+ }
+
  if (Setting::getSettings()->login_common_disabled == '1') {
  return view('errors.403');
  }