Any recommendations/validation of a scheme to select a SAML Proxy or Password/MFA authentication flow based on relying party / SP entityID?

Cantor, Scott cantor.2 at
Sun Jan 16 17:24:55 UTC 2022

The intended way to do this is to associate a custom Principal to the various flows (in this case the MFA and SAML flows) as a supportedPrincipal and then leverage that in the relying party config via the defaultAuthenticationMethods property as a signal that that's the flow to use.

If you want to do it without involving or affecting the AuthnContext values in the responses or interfering with the possibility of SPs making requests, then things become more complex, and I would probably do what Keith suggested, just orchestrate it with the MFA flow.

You still have to take into account how RequestedAuthnContext and response AuthnContext values will function in your overall environment, and there's no recipe for that; it depends on what the flows support conceptually and what SPs might request.

There is no reason to be using a custom flow for this, or much of anything else these days.

-- Scott
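Added illustration of the per-SP selection Scott describes (this is not code from the post or from the Shibboleth project): a conf/relying-party.xml fragment for a Shibboleth IdP 4.x deployment. It assumes two locally defined AuthnContextClassRef values, https://idp.example.org/ac/mfa and https://idp.example.org/ac/proxy, which the deployer has listed as supportedPrincipals of the MFA and SAML flows respectively (in IdP 4 that is the idp.authn.MFA.supportedPrincipals and idp.authn.SAML.supportedPrincipals properties in conf/authn/authn.properties, using the saml2/<classRef> form). The SP entityIDs are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/relying-party.xml (example, assumed layout of an IdP 4.x install) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Unknown SPs: keep the stock behaviour (no profiles enabled). -->
    <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty" />

    <!-- Default for every SP without an override: plain Password flow.
         PasswordProtectedTransport is one of the Password flow's stock supportedPrincipals. -->
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO">
                    <property name="defaultAuthenticationMethods">
                        <list>
                            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>

    <util:list id="shibboleth.RelyingPartyOverrides">

        <!-- SP that must go through the MFA flow: the class ref below is the
             custom Principal the MFA flow advertises as a supportedPrincipal,
             so the flow selector picks MFA. The same value is what this SP will
             see in the response's AuthnContextClassRef. -->
        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp-mfa.example.org/shibboleth">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO">
                        <property name="defaultAuthenticationMethods">
                            <list>
                                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                                      c:classRef="https://idp.example.org/ac/mfa" />
                            </list>
                        </property>
                    </bean>
                </list>
            </property>
        </bean>

        <!-- SP that must be proxied to the upstream IdP via the SAML flow. -->
        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp-proxied.example.org/shibboleth">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO">
                        <property name="defaultAuthenticationMethods">
                            <list>
                                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                                      c:classRef="https://idp.example.org/ac/proxy" />
                            </list>
                        </property>
                    </bean>
                </list>
            </property>
        </bean>

    </util:list>
</beans>
```

The caveat in the post applies directly: defaultAuthenticationMethods is only a default, so an SP that sends its own RequestedAuthnContext is matched against the flows' supportedPrincipals instead, and whichever class ref is matched is the one emitted in the assertion. Deployments that need SP-visible AuthnContext values to stay standard while still routing by entityID are the case Scott points to the MFA flow's orchestration for.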
