Project: eZ Publish / Platform
Issue: EZP-16983

Login on private section with sso extension causes infinite redirection loop (patch)


Details

    Description

      eZUser::instance() redirects to the same page once an SSO user has been logged in. If the SSO user does not have access to this page, an endless redirection loop begins. The cause is that the session is not saved before the redirect, so after the redirect the user is anonymous again and the SSO login code runs once more. It is only triggered when RequireUserLogin is false (front page). The patch fixes it by storing the session before redirecting.

      It might make more sense to store the session within the redirect call, to avoid such problems in the future. However, there may be complications with that solution that I am not aware of.

      Steps to reproduce

      0. Install and configure an SSO handler such as http://projects.ez.no/bpce_acces
      1. Open a private URL to which neither the anonymous user nor the SSO user has access rights
      2. The visitor is first identified as anonymous
      3. The SSO code (line 1170) sees that nobody is logged in and that an SSO handler is configured
      4. Line 1207: the user is found by SSO
      5. The SSO user is instantiated
      6. The user is redirected to the requested URI
      7. GOTO 2 (endless loop)
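      The loop above, modelled as an added Python example (not eZ Publish code): a request handler logs the SSO-identified user in and redirects, and the session store only receives the login if it is persisted before the early exit. The store, the header-based SSO stand-in and the access rule for /private are constructed for this illustration.

```python
"""Constructed model of the EZP-16983 redirect loop (not eZ Publish code)."""

MAX_REDIRECTS = 10  # a client gives up after a bounded number of hops

# Constructed access rule: only "admin" may view /private; other paths are public.
ACCESS = {"/private": {"admin"}}


class SessionStore:
    """Server-side session persistence, as seen across requests."""

    def __init__(self):
        self.persisted = {}

    def load(self):
        return dict(self.persisted)  # each request works on its own copy

    def save(self, working):
        self.persisted = dict(working)


def user_from_sso(headers):
    # Constructed stand-in for an SSO handler that trusts a proxy-set header.
    return headers.get("X-SSO-User")


def handle_request(path, headers, store, save_before_redirect):
    """One request. Returns ('redirect', location), ('ok', user) or ('forbidden', user)."""
    session = store.load()
    user = session.get("user")  # None means anonymous
    if user is None:
        sso_user = user_from_sso(headers)
        if sso_user is not None:
            session["user"] = sso_user  # log the SSO user in
            if save_before_redirect:
                store.save(session)  # the fix: persist before the early exit
            return ("redirect", path)  # end-of-request save below is skipped
    allowed = ACCESS.get(path)
    status = "ok" if allowed is None or user in allowed else "forbidden"
    store.save(session)  # normal end-of-request persistence
    return (status, user)


def follow(path, headers, save_before_redirect):
    """Drive a client through redirects; returns (final status, hops taken)."""
    store = SessionStore()
    for hops in range(MAX_REDIRECTS):
        status, target = handle_request(path, headers, store, save_before_redirect)
        if status != "redirect":
            return (status, hops)
        path = target
    return ("redirect_loop", MAX_REDIRECTS)
```

      Without the save the SSO user never survives the redirect, so the client loops until it gives up; with the save the second request sees the logged-in user and ends in a plain access-denied response.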

      People

        gl gl