...
REFEDS (The Research and Education FEDerations group) defines a Multi-Factor Authentication profile which provides a set of recommendations, best practices and their explanations for facilitating unambiguous communication between the SP (Service provider) and IdP (Identity provider) when MFA is required by the SP.
In the context of this document, we are mainly concerned with the SP. ProxyIdP acts as an SP in this exchange and REFEDS MFA profile can be used to trigger MFA and check whether it was performed successfully based on the claims returned by the IdP.
Service provider is an application providing access to some services or resourcs which need to be protected using MFA. Indentity provider, on the other hand, is a component able to perform the MFA and return a claim containing the result of the authentication.
The profile specifies details about what is considered to be a sufficient MFA on the side of the IdP, how shoud the SP initiate the request for MFA with IdP, what should be the content and order of the communication messages and what are the possible paths in this authentication process. Part of the profile is the definition of a SAML authentiaciton authentication context for communication between the SP and IdP.
Further information about the individul steps of the process including the massages messages used to request the IdP to perform MFA, possible return values based on the authentication result as well as configuration regarding MFA enforcement can be found in the SP portion of FAQ.
General information about the MFA profile can be found here on the REFEDS website and more detailed description of the concept can be found in the MFA profile FAQ section here.