One-time-password (OTP) url is returned when using LDAP auth with TAS

Article ID: 375646

Updated On: 03-24-2025

Products

VMware Tanzu Application Service

Issue/Introduction

When switching TAS authentication from SAML to LDAP, you may still be shown a one-time passcode URL when running cf login -a https://api.<SYS-DOMAIN> --sso, even though the authentication configuration has already been changed to use LDAP.

Cause

Changing the configuration from SAML to LDAP does not remove all of the SAML information: the "identity_provider" table in the UAA database still references the SAML configuration, and the cf CLI still uses it. This is stated in the auth configuration doc: "You must manually deactivate a SAML IDP that was created by TAS for VMs when you no longer require it."

Resolution

This can be done with uaac using the following steps.

  • Run "uaac curl -k /identity-providers > ID-TEXT.txt" as indicated in the docs to list all the identity providers.
  • Locate the entry containing "type": "saml", and copy its id; you will use it to delete the provider in the next step.
  • Run "uaac curl /identity-providers/<saml-identity-id> -X DELETE"

This will delete the SAML configuration and prevent "cf login -a https://api.<SYS-DOMAIN> --sso" from showing the one-time-passcode URL.
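As an added example (not code from the TAS docs or this article), the following script picks the SAML entries out of the ID-TEXT.txt file produced in the first step and prints the matching delete command for each, so that the uaa and ldap providers are never touched by mistake. It assumes uaac prints the HTTP headers first and the JSON body after a "RESPONSE BODY:" line; the sample output and its ids are constructed placeholders.

```python
"""List SAML identity providers from saved `uaac curl -k /identity-providers` output.

Assumption: uaac prints request/response headers and then the JSON array
after a 'RESPONSE BODY:' line; the parser just looks for the first '['.
"""
import json

# Constructed sample of what ID-TEXT.txt might contain; ids are placeholders.
SAMPLE_OUTPUT = """GET https://uaa.sys.example.test/identity-providers
200 OK
RESPONSE HEADERS:
  Content-Type: application/json;charset=UTF-8
RESPONSE BODY:
[
  {"id": "00000000-0000-4000-8000-000000000001", "originKey": "uaa",
   "name": "uaa", "type": "uaa", "active": true},
  {"id": "00000000-0000-4000-8000-000000000002", "originKey": "ldap",
   "name": "ldap", "type": "ldap", "active": true},
  {"id": "00000000-0000-4000-8000-000000000003", "originKey": "saml-idp",
   "name": "SAML IDP", "type": "saml", "active": true}
]
"""


def parse_providers(raw: str) -> list:
    """Return the identity-provider list, skipping the header lines uaac prints."""
    body = raw.split("RESPONSE BODY:", 1)[-1]
    start = body.find("[")
    if start < 0:
        raise ValueError("no JSON array found in uaac output")
    providers, _ = json.JSONDecoder().raw_decode(body[start:])
    return providers


def saml_provider_ids(raw: str, active_only: bool = False) -> list:
    """Ids of providers whose "type" is "saml" (the ones cf login --sso still uses)."""
    return [p["id"] for p in parse_providers(raw)
            if p.get("type") == "saml" and (not active_only or p.get("active", True))]


def delete_commands(raw: str) -> list:
    """One uaac DELETE per SAML provider; -k matches the listing command in the article."""
    return [f"uaac curl -k /identity-providers/{pid} -X DELETE"
            for pid in saml_provider_ids(raw)]


if __name__ == "__main__":
    for cmd in delete_commands(SAMPLE_OUTPUT):
        print(cmd)
```

Review the printed commands before running them; only the entries of type "saml" should appear.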