Description
Scenario:
An SP asks for a higher LOA using required.
IDP1 is configured for transparent LOA and handles the MFA request itself before responding.
IDP2 uses Stepup for its MFA needs.
SP sends a LOA defined for stepup in the RequestedAuthnContext element.
A user from IDP2 can now select his/her IDP using the WAYF and log in.
Afterwards stepup is correctly triggered to provide MFA before a response to the SP is sent.
A user from IDP1 however chooses his/her IDP using the WAYF.
LOA is sent to the IDP using the transparent LOA config (so far so good).
At IDP1 the user provides credentials and MFA token.
IDP1 sends a response with the higher LOA, but this higher LOA is ignored.
Instead the user is then sent to Stepup for an additional token which they don't have and as a result can't log in.
It seems that the LOA from the response is not used in the decision if stepup is required in:
https://github.com/OpenConext/OpenConext-engineblock/blob/main/library/EngineBlock/Corto/Module/Service/AssertionConsumer.php#L192
This seems against the SAML 2.0 specification.
Can the LOA from the IDP be added to the decision process to facilitate this use case?
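As an added illustration of the decision the report asks for (this is not EngineBlock's code and not the reporter's), the following Python sketch compares the LOA the SP requested with the AuthnContextClassRef the IdP actually asserted, on a constructed ordered LOA scale, and only honours the asserted value for IdPs explicitly configured as "transparent" (trusted to perform MFA themselves). The LOA URIs, the `make_response` helper and the function names are assumptions made for this example; the SAML responses are constructed and unsigned.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, ordered LOA scale, lowest first. A real deployment maps its own
# identifiers here; these URIs are placeholders for this example only.
LOA_ORDER = (
    "http://example.org/assurance/loa1",
    "http://example.org/assurance/loa2",
    "http://example.org/assurance/loa3",
)


def loa_rank(loa):
    """Position of a LOA identifier on the scale, or None if it is not on it."""
    try:
        return LOA_ORDER.index(loa)
    except ValueError:
        return None


def asserted_loa(response_xml):
    """Return the AuthnContextClassRef asserted in the IdP response, or None."""
    root = ET.fromstring(response_xml)
    ref = root.find(
        ".//saml:Assertion/saml:AuthnStatement/saml:AuthnContext"
        "/saml:AuthnContextClassRef",
        NS,
    )
    if ref is None or not (ref.text or "").strip():
        return None
    return ref.text.strip()


def stepup_required(requested_loa, response_xml, idp_trusted_for_loa):
    """Decide whether the step-up gateway must still be invoked.

    requested_loa        LOA the SP put in RequestedAuthnContext (None = none).
    response_xml         the (already signature-validated) IdP response.
    idp_trusted_for_loa  True for IdPs configured for transparent LOA, i.e.
                         allowed to assert a LOA that satisfies the request.
    """
    if requested_loa is None:
        return False
    required = loa_rank(requested_loa)
    if required is None:
        raise ValueError(f"unknown requested LOA: {requested_loa}")

    if idp_trusted_for_loa:
        got = loa_rank(asserted_loa(response_xml))
        # Missing or unrecognised context: treat as the lowest level.
        if got is None:
            got = 0
    else:
        # Untrusted IdP: whatever it asserts is ignored; assume lowest level.
        got = 0

    return got < required


def make_response(authn_context):
    """Constructed minimal SAML Response (unsigned) for demonstration only."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    requested = LOA_ORDER[1]
    # IDP1 (transparent): did MFA itself and asserts loa3 -> no step-up.
    idp1 = make_response(LOA_ORDER[2])
    print("IDP1 step-up required:", stepup_required(requested, idp1, True))
    # IDP2 (not transparent): password-only context -> step-up.
    idp2 = make_response("urn:oasis:names:tc:SAML:2.0:ac:classes:Password")
    print("IDP2 step-up required:", stepup_required(requested, idp2, False))
```

The `idp_trusted_for_loa` flag is the part that matters for security: the asserted AuthnContextClassRef should only be honoured after the response signature has been validated and only for IdPs an administrator has explicitly marked as transparent, otherwise any connected IdP could assert a high LOA and the step-up requirement would be bypassed.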