3.2.x and Earlier Login Switching

Klingenstein, Nate nklingenstein at calstate.edu
Mon Aug 22 21:15:56 EDT 2016


My firm constraint is IdP version >3.0 and <3.3 running in production in many places.  Obviously, there's a lot more that can be done with 3.3.

I need to perform MFA for a specific application with a specific group of users.  The IdP must be able to indicate that MFA was used.

I'm willing to make the limiting assumptions:

1)  The SP can send a special AuthnContext
2)  There is no step-up or step-down authentication
3)  Every request for that elevated AuthnContext is effectively ForceAuthn true

Changing code or recompiling classes is not impossible, but it's scary for IdP administrators and our handlers.  I gain brownie points if I can do a simple switch on a variable as well, e.g. if wePayThem="sorta".

What is the most elegant way to do that?  e.g. wrap part of the Webflow with a decision-state that pulls something out of the login context, or... ?
