Jul 26, 2022 at 05:25 PM

Different AuthN methods (IAS) for two SAML-enabled ICF services on one S/4HANA system

Last edit Jul 26, 2022 at 05:29 PM


Does one of you know a simple way to do that w/o having a second IdP configured in the S/4HANA system? I mean having different HTTPS authentication contexts for the same SP based on the consumed SAML-enabled SAP ICF service nodes? Let's say we need to set up policies to use username & password (credentials) or SPNEGO in combination with MFA, based on certain conditions.


  • S/4HANA (on-premise) & SAP IAS
  • Two ICF services 1) NWBC (SSO or Credentials) and 2) Fiori Launchpad (SSO+MFA)


  • User 1 is consuming the NWBC Web Dynpro on SP1 and should be authenticated from IAS (IDP1) using SPNEGO.
  • The same User 1 consuming the Fiori Launchpad on the same SP1 should be authenticated from IDP1 using SPNEGO (or other SSO methods), but with a second factor enforced in addition to his Kerberos token.

Of course, configuring different authentication modules for the services via SICF would do the trick, but the corporate policy is to forward all requests to the Identity Provider. For this reason, SAML is the only allowed login module in the authentication stack of the given ICF-service nodes.

At the moment, I can't think of any other approach (workaround) apart from federating two IAS instances with SP1 and then working with IDP-initiated SSO. Consequently, a request can go to IDP1 or IDP2 via a special URL, and different Risk-Based Authentication rules apply.

I am very excited and look forward to every serious approach :)

Cheers,
Carsten