diff --git a/pkg/handler/autologin/autologin.go b/pkg/handler/autologin/autologin.go
index 734d421..983e6bd 100644
--- a/pkg/handler/autologin/autologin.go
+++ b/pkg/handler/autologin/autologin.go
@@ -21,8 +21,8 @@ type AutoLogin struct {
 	cache sync.Map
 }
 
-func (a *AutoLogin) NeedsLogin(r *http.Request, isAuthenticated bool) bool {
-	if isAuthenticated || !a.Enabled || r.Method != http.MethodGet {
+func (a *AutoLogin) NeedsLogin(r *http.Request, isAuthenticated, isAcrValid bool) bool {
+	if (isAuthenticated && isAcrValid) || !a.Enabled || r.Method != http.MethodGet {
 		return false
 	}
 
diff --git a/pkg/handler/reverseproxy.go b/pkg/handler/reverseproxy.go
index 8fa1aac..9d11479 100644
--- a/pkg/handler/reverseproxy.go
+++ b/pkg/handler/reverseproxy.go
@@ -84,13 +84,14 @@ func (rp *ReverseProxy) Handler(src ReverseProxySource, w http.ResponseWriter, r
 		logger.Errorf("default: unauthenticated: unexpected error: %+v", err)
 	}
 
+	isAcrValid := true
 	err = src.GetAcrHandler().Validate(sess)
 	if err != nil {
-		loginRedirect(src, w, r, err.Error())
-		return
+		isAcrValid = false
+		logger.Infof("default: acr: %+v; checking for autologin...", err)
 	}
 
-	if src.GetAutoLogin().NeedsLogin(r, isAuthenticated) {
+	if src.GetAutoLogin().NeedsLogin(r, isAuthenticated, isAcrValid) {
 		loginRedirect(src, w, r, "request matches autologin")
 		return
 	}
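Review bot: NeedsLogin is exported and now takes two adjacent bare bools, but has no doc comment, so a call site like `NeedsLogin(r, isAuthenticated, isAcrValid)` does not convey that an authenticated session with an invalid ACR is deliberately treated as unauthenticated here. Add above the signature: `// NeedsLogin reports whether r should be redirected to login through autologin. An authenticated session whose ACR is not valid counts as needing login; the request is only eligible when autologin is enabled and r is a GET.` The remainder of NeedsLogin's body is outside the hunk.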
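Review bot: An ACR validation failure no longer terminates the request: the removed `loginRedirect(src, w, r, err.Error())` is only recovered when `NeedsLogin` returns true, and `NeedsLogin` returns false whenever autologin is disabled, the method is not GET, or (presumably, in the part of its body outside the first hunk) the path does not match. In those cases an authenticated session that failed `Validate(sess)` falls through past this hunk with an insufficient ACR, and Handler continues outside the hunk, so unless later code re-checks `isAcrValid` the previous step-up requirement is lost. If that is not intended, keep the redirect as a fallback after the autologin check, e.g. `if !isAcrValid { loginRedirect(src, w, r, err.Error()); return }` (`err` still holds the Validate error at that point, but naming it `acrErr` would make that explicit).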