...
The SP should intelligently handle errors. In particular, the SP should be prepared to handle the case that not all users at a particular IdP may be eligible for Silver, so even if the IdP is tagged with http://id.incommon.org/assurance/silver in metadata, authentication for some users may result in an "AuthnFailed" response.
...
As usual, the SP should intelligently handle errors. In particular, the SP should be prepared to handle the case that not all users at a particular IdP may be eligible for Bronze or Silver, so even if the IdP is tagged with http://id.incommon.org/assurance/silver and/or http://id.incommon.org/assurance/bronze in metadata, authentication for some users may result in an "AuthnFailed" response.
...
The FM requires Bronze password credentials for delegated administrators. Also, both the FM and the CM require Bronze password credentials as the first factor of a two-factor authentication. The InCommon Operations Identity Provider is authoritative for the second "what you have" factor.
...