Unexpected behaviours with matchExpression and SPNEGO and RemoteUser

[Cantor, Scott]

> In general, what you're doing with the button is about one step short of
> deprecation. I'm not there just yet, but I am considering it. The MFA flow is
> how this should be handled now.

To be explicit: if you use that approach, you are entirely in control of how any event coming back from a login flow gets handled rather than leaving that up to the "core" IdP authentication behavior. Which is pretty much what you're asking for.
 
-- Scott