My company provides a single SaaS product for corporate clients.
For one client we are implementing SSO with them as authentication provider (via Azure AD/SAML for now, but the library we are using is extensible).
The same client has asked us to implement MFA.
My gut reaction is that this would result in a weird hybrid system where both client and service provider would be responsible for managing authentication systems with (canonical) user data. I would much prefer to have a single owner for authentication stages, and have SSO defer to the client who can choose to add/enforce MFA as they see fit.
However, I think what they are asking is technically feasible, by implementing a two-step MFA login process using a secure cookie for the SaaS system (not considering hand-rolling, just an assumption about the mechanism from the library).
Is there any industry standard advice for this kind of setup? E.g. is it inadvisable due to split responsibilities, or even considered insecure? Or if this is a more normal setup (and my concerns overblown), are there important details that need to be taken into account?
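An added example, not part of the question above: one way the service provider can keep a single owner for MFA (the client's IdP) and still satisfy the request is to ask the IdP for a multi-factor authentication context in the SAML AuthnRequest and then refuse any assertion that does not carry one. The code below builds the `RequestedAuthnContext` element and checks the `AuthnContextClassRef` values in a returned assertion. It assumes the SP's SAML library has already verified the assertion's signature, issuer and conditions and hands over the assertion XML; the `http://schemas.microsoft.com/claims/multipleauthn` value is the one Azure AD uses for MFA, and the two sample assertions are constructed for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# AuthnContextClassRef values the SP accepts as proof that MFA happened at the IdP.
# Azure AD emits the first one when multi-factor auth was performed; add the
# equivalent value for any other IdP the SSO library is extended to support.
MFA_CONTEXT_REFS = {
    "http://schemas.microsoft.com/claims/multipleauthn",
}


def requested_authn_context(class_refs=MFA_CONTEXT_REFS) -> ET.Element:
    """Build the <samlp:RequestedAuthnContext> to embed in the SP's AuthnRequest.

    Comparison="exact" tells the IdP that only the listed contexts are acceptable,
    so a password-only login should not produce a usable assertion for this SP.
    """
    req = ET.Element(f"{{{SAMLP_NS}}}RequestedAuthnContext", {"Comparison": "exact"})
    for ref in sorted(class_refs):
        ET.SubElement(req, f"{{{SAML_NS}}}AuthnContextClassRef").text = ref
    return req


def authn_context_class_refs(assertion_xml: str) -> list:
    """Return every AuthnContextClassRef found in the assertion's AuthnStatements."""
    root = ET.fromstring(assertion_xml)
    path = (
        f".//{{{SAML_NS}}}AuthnStatement/"
        f"{{{SAML_NS}}}AuthnContext/"
        f"{{{SAML_NS}}}AuthnContextClassRef"
    )
    return [el.text.strip() for el in root.findall(path) if el.text]


def mfa_satisfied(assertion_xml: str, accepted=MFA_CONTEXT_REFS) -> bool:
    """True only if the IdP asserted one of the accepted MFA contexts.

    Called after the SAML library has validated the signature; an assertion
    with a password-only context (or no context at all) is rejected here,
    so the SP never has to run its own second factor.
    """
    return any(ref in accepted for ref in authn_context_class_refs(assertion_xml))


def _constructed_assertion(class_ref: str) -> str:
    # Minimal assertion skeleton (constructed sample, not a real IdP response).
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


ASSERTION_WITH_MFA = _constructed_assertion(
    "http://schemas.microsoft.com/claims/multipleauthn"
)
ASSERTION_PASSWORD_ONLY = _constructed_assertion(
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)


if __name__ == "__main__":
    print(ET.tostring(requested_authn_context(), encoding="unicode"))
    print("MFA assertion accepted:", mfa_satisfied(ASSERTION_WITH_MFA))
    print("password-only assertion accepted:", mfa_satisfied(ASSERTION_PASSWORD_ONLY))
```

The check on the response side matters even when the request asks for an exact context: an IdP that ignores `RequestedAuthnContext`, or an assertion replayed from a different SP configuration, would otherwise pass through as if MFA had happened. Either way the authoritative MFA enrolment and policy stay with the client's IdP, which is the single-owner arrangement the question prefers.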