User clicks federated login link (the link will be provided in the invitation email).
User selects IdP from discovery service
IdP receives SAML authenticationRequest with 'Password', 'PasswordProtectedTransport', 'http://id.incommon.org/assurance/base-level', and 'https://refeds.org/profile/mfa' set as the allowed/requested SAML authenticationContextClassRef values.
IdP optionally asks user if they want to use MFA authentication
SP/app receives SAML assertion with user's ePPN.
SP/app looks up user's invitation and determines if the user is an RAO.
If the user is an RAO, then the SAML authenticationContextClassRef in the received assertion is checked.
If the RAO user did not authenticate with MFA, they are sent back to the IdP with only 'https://refeds.org/profile/mfa' set as the allowed/requested SAML authenticationContextClass (since the user was identified as an RAO). Otherwise, the user is a DRAO and they are logged in.