...
So it seems best to use the UsernamePassword login handler as well, for any uses that don't require a token. This limits the use of the MultiFactor login handler to those cases where providing an OTP token is in fact strictly required and requested by a Relying Party. Note that Peter had to add a defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" on the <rp:DefaultRelyingParty> element in $IDP_HOME/conf/relying-party.xml as the MultiFactor login handler took precedence. If you have custom <rp:RelyingParty> elements defined that may also be necessary for those.
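The relying-party.xml change described above, as an added illustration (not taken from the original page or from the Shibboleth project's own documentation): the defaultAuthenticationMethod attribute is set on <rp:DefaultRelyingParty> so that an unqualified request falls back to the password handler, and repeated on a custom <rp:RelyingParty> override, since overrides do not inherit the default. The entity IDs, credential reference and profile configuration are placeholders.

```xml
<!-- Added example fragment of $IDP_HOME/conf/relying-party.xml; entity IDs and
     credential names are placeholders, only the attributes relevant here are shown. -->
<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
                      xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Default for every SP without its own override: plain password login
         unless the SP explicitly requests a stronger AuthnContext. -->
    <rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth"
                            defaultSigningCredentialRef="IdPCredential"
                            defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                                 includeAttributeStatement="true"
                                 encryptAssertions="conditional"
                                 encryptNameIds="never" />
    </rp:DefaultRelyingParty>

    <!-- A custom override does NOT inherit the attribute above, so it has to be
         repeated here or the MultiFactor handler will again take precedence. -->
    <rp:RelyingParty id="https://sp.example.org/shibboleth"
                     provider="https://idp.example.org/idp/shibboleth"
                     defaultSigningCredentialRef="IdPCredential"
                     defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                                 includeAttributeStatement="true" />
    </rp:RelyingParty>

</rp:RelyingPartyGroup>
```

An SP that needs the OTP step still gets it by sending a RequestedAuthnContext for the class the MultiFactor handler is configured to satisfy; the default above only decides what happens when the request names no method at all.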
...