...
If the Relying Party requires that a the multi-factor login should must not use Single-Sign On the member organisation's Identity Provider must MUST be able to require that the Subject do a new multi-factor login even though the Subject may already have one a multi-factor session active with the Identity Provider.
...