...
When a Subject performs a multi-factor authentication based on the Person-Proofed Multi-Factor with high identity assurance, the Identity Provider MUST add the value http://www.swamid.se/policy/authentication/swamid-al2-mfa-hi to the eduPersonAssurance attribute of the Subject so that the Relying Party can distinguish between the two identity proofing levels of multi-factor authentication.
If the Relying Party requires that a multi-factor login should not use Single Sign-On, the member organisation's Identity Provider must be able to require that the Subject perform a new multi-factor login even though the Subject may already have a multi-factor session active with the Identity Provider.
Guidance
The eduPersonAssurance value for Person-Proofed Multi-Factor with high identity assurance should only be released if a multi-factor authentication occurred at that authentication assurance level.
...