...

REFEDS (The Research and Education FEDerations group) defines a Multi-Factor Authentication profile which provides a set of recommendations, best practices and their explanations for facilitating unambiguous communication between the SP (Service provider) and IdP (Identity provider) when MFA is required by the SP.

ProxyIdP acts as an SP in this exchange, and the REFEDS MFA profile can be used to trigger MFA and check whether it was performed successfully based on the claims returned by the IdP.

A service provider is an application providing access to services or resources which need to be protected using MFA. An identity provider, on the other hand, is a component able to perform the MFA and return a claim containing the result of the authentication.

ProxyIdP acts as an IdP in this exchange. The SP triggers MFA using the REFEDS MFA profile and checks whether it was performed successfully based on the claims returned by the IdP in the SAML 2 message.

The profile specifies what is considered sufficient MFA on the side of the IdP, how the SP should initiate the request for MFA with the IdP, what the content and order of the communication messages should be, and what the possible paths in this authentication process are. Part of the profile is the definition of a SAML authentication context for communication between the SP and IdP.
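The SP side of this exchange, as an added example that is not part of the original page or of ProxyIdP's code: it builds the requested authentication context and then checks the context the IdP returned. It assumes the assertion has already passed signature and condition validation in the SAML library, uses the REFEDS MFA identifier `https://refeds.org/profile/mfa` as the authentication context, and uses function names and sample assertions constructed for illustration.

```python
import xml.etree.ElementTree as ET

REFEDS_MFA = "https://refeds.org/profile/mfa"  # REFEDS MFA authentication context
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def requested_authn_context() -> str:
    """Element the SP puts into its AuthnRequest to ask the IdP for MFA."""
    rac = ET.Element(f"{{{NS['samlp']}}}RequestedAuthnContext", {"Comparison": "exact"})
    ref = ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef")
    ref.text = REFEDS_MFA
    return ET.tostring(rac, encoding="unicode")


def mfa_performed(assertion_xml: str) -> bool:
    """Fail closed: True only if an AuthnStatement carries exactly the MFA context.

    Assumption: the caller has already verified the signature, issuer,
    audience and validity window of this assertion.
    """
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    refs = [(el.text or "").strip() for el in root.findall(path, NS)]
    # Exact comparison: a prefix or substring match would accept look-alike URIs.
    return REFEDS_MFA in refs


def sample_assertion(class_ref) -> str:
    """Constructed sample assertion (unsigned, illustration only)."""
    ctx = ""
    if class_ref is not None:
        ctx = (f"<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}"
               "</saml:AuthnContextClassRef></saml:AuthnContext>")
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:AuthnStatement>{ctx}</saml:AuthnStatement></saml:Assertion>")


if __name__ == "__main__":
    print(requested_authn_context())
    for ref in (REFEDS_MFA, PASSWORD, REFEDS_MFA + ".example", None):
        print(ref, "->", mfa_performed(sample_assertion(ref)))
```
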

...