且构网


ADFS 3.0 Multi-Factor Authentication

Updated: 2023-12-01 11:44:10


That's because AD FS MFA assumes the use of Active Directory in the primary authentication slot. If you're using a claims provider such as Thinktecture, then that will bypass the MFA requirement because AD is not the claims provider. However, you could also issue an additional claims rule on the RP pipeline that states that, where the claims provider is a remote CP (Thinktecture), they should also use MFA via the RSA provider, assuming the user exists on their side. BTW, I've never tested this :-)