IdentityPython / djangosaml2

Django SAML2 Service Provider based on pySAML2

Option to require 2FA for admin users

plojyon opened this issue · comments

Requiring that all administrators authenticate with MFA is an OWASP requirement, therefore it would make sense if the library could support such a configuration natively.

For this to work, we'd need to access the local variables attributes and user (the User object we're authenticating) in the method Saml2Backend.authenticate. None of the overridable hooks allow access to both of these at once, so developers must override the entire authenticate method, which isn't very small.

I propose two solutions:

  1. We add configuration options SAML_REQUIRE_MFA_FOR_ADMINS (True or False) and SAML_MFA_ASSERTION_ATTRIBUTE (e.g. "http://schemas.auth0.com/multifactor") and add logic that asserts that the MFA assertion attribute is present when authenticating a user with is_superuser.

  2. A more general approach - provide another hook (suggest a name?) which passes both local variables as arguments. This might be more useful for more complicated use-cases, but it creates more boilerplate code for the common use-case.

I'd be happy to open a PR when we reach a conclusion.

My bad, the MFA assertion is actually in session_info["authn_info"] which is not local to authenticate. Overriding authenticate and using the returned value in conjunction with session_info allows me to mandate MFA for admins.
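The approach described in the closing comment, written out as an added example (this is not code from the issue or from djangosaml2): a Saml2Backend subclass whose authenticate() calls the parent, then refuses to return a superuser unless the assertion carried an MFA authentication context. It relies on pysaml2 populating session_info["authn_info"] with (AuthnContextClassRef, authenticating_authorities, authn_instant) tuples and session_info["ava"] with the attribute map; the accepted class refs, the auth0-style attribute name from the proposal, the stand-in Saml2Backend used when djangosaml2 is not installed, the StubUser class and the two session_info dicts are all assumptions or constructed input for illustration.

```python
"""Require an MFA authentication context for Django superusers logging in via SAML."""
import logging

logger = logging.getLogger(__name__)

# AuthnContextClassRef values this deployment accepts as proof of MFA (assumed
# configuration; REFEDS MFA and the Azure AD value are real identifiers, but which
# ones an IdP emits is deployment-specific and not something djangosaml2 defines).
MFA_CLASS_REFS = frozenset({
    "https://refeds.org/profile/mfa",
    "http://schemas.microsoft.com/claims/multipleauthn",
})

# Optional fallback: an IdP attribute asserting MFA, as in the issue's first
# proposal. Assumed name and value encoding ("true"/"1"); set to None to disable.
MFA_ATTRIBUTE = "http://schemas.auth0.com/multifactor"


def authn_class_refs(session_info):
    """Collect AuthnContextClassRef strings from session_info["authn_info"].

    pysaml2's AuthnResponse.authn_info() yields (class_ref, authenticating_authorities,
    authn_instant) tuples. A missing key or an unexpected entry shape is skipped, so
    the caller sees "no MFA evidence" rather than an exception (fail closed).
    """
    refs = set()
    for entry in session_info.get("authn_info") or []:
        if isinstance(entry, (list, tuple)) and entry and isinstance(entry[0], str):
            refs.add(entry[0])
    return refs


def mfa_attribute_asserted(session_info):
    """True if the configured MFA attribute is present in the attribute map with a truthy value."""
    if not MFA_ATTRIBUTE:
        return False
    values = (session_info.get("ava") or {}).get(MFA_ATTRIBUTE) or []
    return any(str(v).strip().lower() in ("true", "1") for v in values)


def assertion_proves_mfa(session_info):
    """Either an accepted AuthnContextClassRef or the MFA attribute counts as proof."""
    return bool(authn_class_refs(session_info) & MFA_CLASS_REFS) or mfa_attribute_asserted(session_info)


def enforce_mfa_for_admins(user, session_info):
    """Return user unchanged unless it is a superuser without MFA evidence; then None.

    Returning None from authenticate() is how a Django auth backend rejects a login,
    so the superuser simply does not get a session. Non-admins are unaffected.
    """
    if user is None or not getattr(user, "is_superuser", False):
        return user
    if assertion_proves_mfa(session_info):
        return user
    logger.warning(
        "Rejecting SAML login for superuser %s: no MFA context in assertion (authn_info=%r)",
        getattr(user, "username", user), session_info.get("authn_info"),
    )
    return None


try:
    from djangosaml2.backends import Saml2Backend
except Exception:  # djangosaml2/Django absent: stand-in so the module imports offline (assumption)
    class Saml2Backend:
        def authenticate(self, request, session_info=None, **kwargs):
            return None


class MfaForAdminsSaml2Backend(Saml2Backend):
    """Drop-in for djangosaml2.backends.Saml2Backend in AUTHENTICATION_BACKENDS."""

    def authenticate(self, request, session_info=None, **kwargs):
        # Let the library do attribute mapping / user lookup, then gate the result.
        user = super().authenticate(request, session_info=session_info, **kwargs)
        return enforce_mfa_for_admins(user, session_info or {})


class StubUser:
    """Constructed stand-in for django.contrib.auth User; only the fields read above."""
    def __init__(self, username, is_superuser):
        self.username = username
        self.is_superuser = is_superuser


# Constructed session_info dicts shaped like pysaml2's output, for illustration only.
SESSION_WITH_MFA = {
    "ava": {"uid": ["alice"]},
    "authn_info": [("https://refeds.org/profile/mfa", ["https://idp.example.org/idp"], "2024-01-01T00:00:00Z")],
}
SESSION_PASSWORD_ONLY = {
    "ava": {"uid": ["bob"]},
    "authn_info": [("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", [], "2024-01-01T00:00:00Z")],
}

if __name__ == "__main__":
    admin = StubUser("alice", True)
    print("admin with MFA   ->", enforce_mfa_for_admins(admin, SESSION_WITH_MFA) is admin)
    print("admin w/o MFA    ->", enforce_mfa_for_admins(admin, SESSION_PASSWORD_ONLY) is None)
    print("regular w/o MFA  ->", enforce_mfa_for_admins(StubUser("bob", False), SESSION_PASSWORD_ONLY) is not None)
```

Point AUTHENTICATION_BACKENDS at MfaForAdminsSaml2Backend instead of Saml2Backend and the check runs on every SAML login. It is only as strong as the IdP's own enforcement: the SP can verify that the assertion claims an MFA context, but it cannot make the IdP perform one, so the accepted class refs should match what the IdP is configured to emit after a genuine second factor.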