Forum Discussion

Matti
Mar 22, 2016

SAML iDP and per application choice of 1-factor or 2-factor auth.

I've set up a SAML iDP with F5 and it's working without issues, running on 11.6 software.

 

In the setup there's an access profile that forces all clients to do two-factor authentication when authenticating to the SAML iDP. There's now a requirement that some of the SAML SPs would like to lower the authentication to one-factor (username/password) but some of the apps still require two-factor. I've tried to research and it seems that in version 12.0 there's a new attribute 'AuthContextClassRef' but I'm having a hard time finding any explanations, manuals or guides on how (and if) I could use this feature to solve my problem.

 

If the AuthContextClassRef could be used to force, or even step-up, the user to do two-factor authentication when accessing certain applications, are there any references on how to create the VPE policy (and other SAML config) for the following scenarios:

 

  1. SP initiated connection, SP requests 2-factor auth
  2. SP initiated connection, SP requests 1-factor auth
  3. SP initiated connection, user has already authenticated with 1-factor and has a session, but the SP requires 2-factor auth.
  4. iDP initiated connection, either 1 or 2 factor

Any help is appreciated. Currently, if the AuthContextClassRef option and version 12 don't solve the problem, I'm thinking of creating a separate IDP and moving the apps requesting 1-factor auth to the new IDP and leaving the other apps on the IDP that has 2-factor in the VPE policy flow.
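Added example, not from this thread and not F5 code, of the decision an IdP has to make for the four scenarios above. The SAML 2.0 element the question refers to is spelled AuthnContextClassRef; the helper parses a constructed SP AuthnRequest, maps the requested class URIs to a factor count under an assumed policy mapping, and returns whether to issue the assertion, step the session up, or authenticate from scratch. Unknown class URIs and unsupported Comparison modes fail closed to two factors.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed policy mapping from SAML 2.0 authentication context classes to factor count.
CONTEXT_STRENGTH = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract": 2,
}

def required_strength(authn_request_xml, sp_default=2):
    """Factor count the SP's AuthnRequest asks for; None = IdP-initiated, use the SP's configured default."""
    if authn_request_xml is None:
        return sp_default
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return sp_default
    # Unknown class URIs map to 2 so an unrecognised request never downgrades to single factor.
    strengths = [CONTEXT_STRENGTH.get((e.text or "").strip(), 2)
                 for e in rac.findall("saml:AuthnContextClassRef", NS)]
    if not strengths:
        return sp_default
    comparison = rac.get("Comparison", "exact")
    if comparison in ("exact", "minimum"):
        return min(strengths)          # any listed class satisfies the SP
    if comparison == "better":
        return max(strengths) + 1      # must exceed every listed class
    return 2                           # "maximum" or anything else: fail closed

def decide(session_strength, required):
    """session_strength: 0 = no existing session, 1 = password only, 2 = two-factor."""
    if session_strength >= required:
        return "issue-assertion"
    return "step-up" if session_strength > 0 else "authenticate"

def make_request(class_ref, comparison="exact"):
    """Constructed minimal AuthnRequest used as sample input (not a real capture)."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_c1" Version="2.0" IssueInstant="2016-03-22T10:00:00Z">'
            f'<saml:Issuer>https://sp.example.test</saml:Issuer>'
            f'<samlp:RequestedAuthnContext Comparison="{comparison}">'
            f'<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>'
            f'</samlp:RequestedAuthnContext></samlp:AuthnRequest>')
```

Scenario 3 from the question is `decide(1, required_strength(make_request(<two-factor class>)))`, which yields "step-up"; scenario 4 is `required_strength(None, sp_default=...)` with the per-SP default.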

 

4 Replies

  • Hello,

     

    In 11.6.0, you should define an IDP cascade architecture.

     

    2-factor SP -> IDP2f -> IDP1f

     

    1-factor SP -> IDP1f

     

    This way, you can manage every scenario. For example, you can browse from a 1-factor SP to a 2-factor SP without any issue.

     

    I think that providing attributes in the AuthnRequest is currently not available even in v12.0.0

     

    • Matti
      Thanks. So it's as I thought and I have to create a new IDP as I outlined in the question as the last resort solution :(