Refined it a bit further for the Risk-Based policy.
- if the user is internal (LAN range), authenticate with Username/Password authentication
- if the user comes from External (not LAN range), authenticate with Username/Password + 2FA
- if the user is not part of group ‘Checkmk’, deny access.
So, just from evaluating the origin of an authentication request, I have incorporated one’s organisational role within the federation.
Remember, this business logic is handled by my IDP, not CheckMK!
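As an added illustration (not the poster's IdP configuration), here is the same three-rule policy written as a Python decision function, with the group-membership deny evaluated first so it applies regardless of origin. The LAN ranges, group name and request values are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders: the ranges the IdP treats as "internal" and the
# group a user must belong to before any authentication method is offered.
LAN_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
REQUIRED_GROUP = "Checkmk"


@dataclass(frozen=True)
class AuthRequest:
    user: str
    groups: frozenset       # group memberships as seen by the IdP
    source_ip: str          # the client address the IdP itself observed,
                            # not a client-supplied header such as X-Forwarded-For


def is_internal(source_ip: str) -> bool:
    """True when the observed source address falls inside a LAN range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # an unparseable origin is treated as external (fail closed)
    # Proxies sometimes present IPv4 clients as IPv4-mapped IPv6 addresses;
    # unwrap them so they still match the IPv4 LAN ranges.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in LAN_RANGES)


def evaluate_policy(req: AuthRequest) -> str:
    """Return 'deny', 'password' or 'password+2fa' for the request.

    Rule order matters: group membership is checked first, so a user outside
    the required group is denied whether the request is internal or external.
    """
    if REQUIRED_GROUP not in req.groups:
        return "deny"
    if is_internal(req.source_ip):
        return "password"
    return "password+2fa"
```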