Out of the box it is not supported, but you have two options: - Coding a new custom interception script combining the logic of current otp and u2f scripts, or preferably, - Use [Gluu Casa](https://casa.gluu.org/). See: https://gluu.org/docs/casa/user-guide/. Casa is under commercial license

Installed Casa and am not sure if i am misunderstanding... now when i try to use saml, rather than being prompted for 2-factor, it attempts to do a logon without verifying a 2-factor authentication method. I have set casa as default for acr authentication, and enabled OTP, and U2F. not prompted for either. what i wanted was for end users to be able to select either OTP, or U2F and self register, does Casa not permit that? before Casa, after entering credentials they would get the default 2-factor OTP (only one available at a time) and was hoping to have multiple options presented to the end users.

Enrollment takes place once logged into Casa. There users can determine if they want to use 2FA for logging in or not. With Casa you cannot force your whole userbase to use 2FA (it's optional - like Google, Github, etc. does...). The docs are comprehensive, check those to learn if the product fits your particular workflows/needs.