...
Authentication methods are controlled within the IdMS. SPs request PasswordContext (or do not request an Authentication Context). Users are prompted for username/password or MFA, depending on their certifications within the IdMS. This is a method for requiring certain users to use MFA, or for providing a "user opt-in" requirement for multifactor authentication, similar to that provided by Google and other cloud providers.
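The decision described above, sketched as an added example (not code from any IdP product or from the original page): the SP's request carries at most a password context, and the per-user record in the IdMS decides whether MFA is prompted. The flag names `mfa_required` and `mfa_opt_in`, the user records, the sample requests, and the mapping of "PasswordContext" to the SAML 2.0 Password class URI are assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed to be what the page calls "PasswordContext".
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Constructed IdMS records; the flag names are hypothetical.
IDMS = {
    "alice": {"mfa_required": True, "mfa_opt_in": False},   # MFA mandated
    "bob": {"mfa_required": False, "mfa_opt_in": True},     # user opted in
    "carol": {"mfa_required": False, "mfa_opt_in": False},  # password only
}

# Constructed AuthnRequests: one asks for Password, one asks for nothing.
REQ_PASSWORD = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">'
    "<samlp:RequestedAuthnContext>"
    f"<saml:AuthnContextClassRef>{PASSWORD}</saml:AuthnContextClassRef>"
    "</samlp:RequestedAuthnContext></samlp:AuthnRequest>"
)
REQ_NONE = f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}"/>'

def requested_contexts(authn_request_xml):
    """Return the AuthnContextClassRef values the SP asked for (may be empty)."""
    # Constructed input only; untrusted requests need a hardened XML parser.
    root = ET.fromstring(authn_request_xml)
    path = f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef"
    return [ref.text.strip() for ref in root.findall(path) if ref.text]

def choose_method(authn_request_xml, username):
    """Pick the prompt from the user's IdMS record, not from the SP's request."""
    contexts = requested_contexts(authn_request_xml)
    if contexts and PASSWORD not in contexts:
        raise ValueError("this sketch covers only Password or no requested context")
    user = IDMS.get(username)
    if user is None:
        raise KeyError(f"unknown user {username!r}")  # fail closed
    if user["mfa_required"] or user["mfa_opt_in"]:
        return "mfa"
    return "password"
```
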
...