Does one of you know a simple way to do that w/o having a second IdP configured in the S/4HANA system? I mean having different HTTPS authentication contexts for the same SP based on the consumed SAML-enabled SAP ICF service nodes? Let's say we need to set up policies to use username & password (credentials) or SPNEGO in combination with MFA, based on certain conditions.
Of course, configuring different authentication modules for the services via SICF would do the trick, but the corporate policy is to forward all requests to the Identity Provider. For this reason, SAML is the only allowed login module in the authentication stack of the given ICF service nodes.
At the moment, I can't think of any other approach (workaround) apart from federating two IAS instances with SP1 and then working with IDP-initiated SSO. Consequently, a request can go to IDP1 or IDP2 via a special URL, and different Risk-Based Authentication rules apply.
I am very excited and look forward to every serious approach :)