Add RequestedAuthnContext for MFA in SAML SP #29995
Description
Original comment by @danielmitterdorfer:
Note: after discussion with @jkakavas, reraising original ticket #29367 (which originated from a discussion in https://discuss.elastic.co/t/setup-mfa-in-6-2-saml/126602). Original issue content below.
Support MFA (Multifactor Authentication) using the RequestedAuthnContext attribute on the SP side (Kibana). This is for Shibboleth, which we are using for federated IdM in the Omnisoc initiative (LINK REDACTED). The federation is InCommon, a higher ed federation.
I have used Shibboleth on the SP side in ES 6.1 to do MFA, but it's really just an overlay on ES. There's shibd running, which is the SP, and I can add RequestedAuthnContext there within /etc/shibboleth/shibboleth2.xml as authnContextClassRef="LINK REDACTED" in the <SSO ...> entity.
Should be able to do something similar in the ES SAML implementation.
I do have SAML working in a dev ELK with ES 6.2.2.