After configuring 2FA for a Partnership, the browser gets into a redirect loop and never reaches the application.
The Minimum Authentication Level is set to 15 in the Partnership.
Policy Server 12.8SP6 on RedHat 7;
Web Agent 12.52SP1CR11 on 2.4.56 on RedHat 7;
Web Agent Option Pack 12.52SP1CR11 on Tomcat 9.0.71 on RedHat 7;
The Partnership needs authentication level 15, but its Authentication URL only provides 10. This mismatch is why the browser goes into a loop.
The browser goes to the Authentication Scheme with an SMSESSION cookie that carries an Authentication Level of 10, and is then sent back to the Federation Partnership, which needs authentication level 15. /redirect.jsp is protected by an authentication scheme with an authentication level of 10.
The Partnership at https://server.example.com/affwebservices/public/saml2sso?SPID=https://idp.example.net/in/sp/Metadata needs 15.
Therefore, the solution is to configure a specific Authentication Scheme that satisfies Authentication Level 15. The Custom Authentication Scheme has an option to allow overriding the Authentication Scheme, so the desired Authentication Scheme can be set when needed (1).
Implement a custom authentication scheme for the given partner to be able to override the Authentication Level requested by the Partnership.
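To confirm the loop described above from the web server side, the following added example (not part of the original article or of the product) scans an access log for clients bouncing between the federation endpoint and the Authentication URL. The combined-log line format, the 302 status on both hops, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Paths taken from the article; adjust to the deployment under investigation.
FED_PATH = "/affwebservices/public/saml2sso"
AUTH_PATH = "/redirect.jsp"
# Assumed Apache combined-log prefix: client, identity, user, [time], "request", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3}) ')

def find_loops(log_text, min_round_trips=3):
    """Return {client: round_trips} for clients bouncing between the two URLs."""
    hops = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, url, status = m.groups()
        path = url.split("?", 1)[0]
        if path in (FED_PATH, AUTH_PATH):
            hops[client].append((path, status))
    loops = {}
    for client, seq in hops.items():
        best = run = 0
        prev = None  # path of the previous redirecting hop, if any
        for path, status in seq:
            if status != "302":
                run, prev = 0, None      # chain broken: request was served
            else:
                run = run + 1 if path != prev else 1
                prev = path
            best = max(best, run)
        if best // 2 >= min_round_trips:  # two hops make one round trip
            loops[client] = best // 2
    return loops

def _line(client, url, status):
    return f'{client} - - [01/Jan/2024:10:00:00 +0000] "GET {url} HTTP/1.1" {status} -'

# Constructed sample: .10 loops three times, .20 is served after one round trip.
FED_URL = FED_PATH + "?SPID=https://idp.example.net/in/sp/Metadata"
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", u, 302) for u in (FED_URL, AUTH_PATH) * 3]
    + [_line("192.0.2.20", FED_URL, 302),
       _line("192.0.2.20", AUTH_PATH, 302),
       _line("192.0.2.20", FED_URL, 200)]
)

if __name__ == "__main__":
    print(find_loops(SAMPLE_LOG))
```

A client that appears in the result keeps being redirected without ever being served, which matches the level 10 versus level 15 mismatch; once the Authentication URL is protected at level 15 the chain ends with a served response and the client drops out of the result.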