[EXTERNAL] Re: AuthnRequest contains an exact RequestedAuthnContext, can we override?

[Cantor, Scott]

If you're using Duo or what have you, then basically what you have to do is adjust your MFA rules to simply not short-circuit use of Duo based on what the SP is asking for (which if you care enough to do you could certainly make conditional on that SP).

I don't personally do that because I don't believe in tolerating this sort of thing and all that does is make it everybody's problem later, but you can do it.

You can also, in some cases, just move to IdP-initiated SSO to bypass their requests.

-- Scott