...
This use case is most relevant if the SP operator knows that the IdP in question supports this profile. To require that all users must authenticate using MFA, a SAML authentication request
should include:
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>
https://refeds.org/profile/mfa/
</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
...