Hi Ricardo,
Not sure if this applies to you. If your 2nd-factor authentication is a web form (like a one-time PIN), you can do something like this.
Protect your web resource using your 2FA custom auth scheme with a higher protection level. This will redirect to your 2FA form URL.
Protect your 2FA form URL using the IWA auth scheme. This will redirect to your IWA .ntc resource for authentication. Once authenticated, you should be redirected to your 2FA form.
In the 2FA form, you can use the SM_USER header to get the login ID. It may come with the domain portion, like
SOME_DOMAIN\SOME_USERNAME
If you don't want the domain part, just programmatically split it and get the part you want, and you can use that further in your 2FA authentication process.
So the flow is like this:
attempt access protected resource URL -> auto redirect to 2FA form URL -> auto redirect to IWA .ntc -> redirect back to 2FA form -> successful 2FA auth redirects to originally attempted protected resource URL.
On a side note, since you are using IWA, it's best to enable a form fallback using authentication chaining.
https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes/authentication-chaining
Hope this helps someone.
regards,
Zen
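The 2FA form step described in the reply above, as an added example that is not code from the original post or from CA Single Sign-On. The post does not say what the form is written in, so this is a minimal Python WSGI handler: it reads the SM_USER header the web agent sets (WSGI exposes it as HTTP_SM_USER), strips the DOMAIN\ prefix, and checks a one-time PIN for that login ID, redirecting to the originally attempted resource on success. Everything beyond the post is an assumption: the PinStore class, the handle_2fa_post function, the pin form field, the target_url parameter, the five-minute PIN lifetime, and the extra handling of user@domain and bare usernames (a generalization of the DOMAIN\USER case the post mentions). The header is trusted only because, as the post describes, the form URL itself sits behind the IWA-protected path; a request that arrives without SM_USER is refused.

```python
# Added example, not code from the original post: a minimal WSGI handler for
# the 2FA form step. It reads the SM_USER header set by the web agent (WSGI
# exposes it as HTTP_SM_USER), strips the DOMAIN\ prefix, and checks a
# one-time PIN for that login ID. PinStore, handle_2fa_post, the 'pin' form
# field and target_url are assumptions, not part of CA Single Sign-On.
import hmac
import io
import secrets
import time
from urllib.parse import parse_qs, urlencode

PIN_TTL_SECONDS = 300  # assumed validity window for an issued PIN


def parse_sm_user(header_value):
    """Return (domain, username) from an SM_USER header value.

    Handles 'DOMAIN\\user' as in the post; 'user@domain' (UPN form) and a
    bare 'user' are also accepted as a generalization. Returns None when the
    header is missing or empty so the caller can refuse the request.
    """
    if not header_value or not header_value.strip():
        return None
    value = header_value.strip()
    if "\\" in value:
        domain, _, user = value.partition("\\")
        return domain, user
    if "@" in value:
        user, _, domain = value.partition("@")
        return domain, user
    return "", value


class PinStore:
    """In-memory one-time PIN store keyed by login ID (constructed for the
    example; a real deployment needs a shared backend and rate limiting)."""

    def __init__(self, now=time.time):
        self._issued = {}  # username -> (pin, expiry timestamp)
        self._now = now    # injectable clock so expiry can be tested

    def issue(self, username):
        pin = f"{secrets.randbelow(10**6):06d}"
        self._issued[username] = (pin, self._now() + PIN_TTL_SECONDS)
        return pin  # delivered to the user out of band (SMS, e-mail, ...)

    def verify(self, username, submitted):
        # Single use: the PIN is consumed on the first attempt, right or
        # wrong, so it cannot be replayed or guessed over repeated tries.
        entry = self._issued.pop(username, None)
        if entry is None:
            return False
        pin, expires = entry
        if self._now() > expires:
            return False
        return hmac.compare_digest(pin.encode(), submitted.encode())


def handle_2fa_post(environ, store, target_url):
    """Handle the POSTed PIN from the 2FA form; returns (status, headers, body).

    target_url is the originally attempted protected resource; how it reaches
    the form (query parameter, session) is deployment specific and assumed here.
    """
    parsed = parse_sm_user(environ.get("HTTP_SM_USER"))
    if parsed is None:
        # The form is only reachable through the IWA-protected URL, so a
        # request without SM_USER did not come through the agent: refuse it.
        return "401 Unauthorized", [("Content-Type", "text/plain")], b"missing SM_USER"
    _domain, username = parsed  # drop the DOMAIN\ part, as the post suggests
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
    submitted = parse_qs(body).get("pin", [""])[0]
    if store.verify(username, submitted):
        return "302 Found", [("Location", target_url)], b""
    return "403 Forbidden", [("Content-Type", "text/plain")], b"invalid or expired PIN"


def make_environ(sm_user, pin):
    """Build a minimal WSGI environ for a form POST (constructed test input)."""
    body = urlencode({"pin": pin}).encode()
    environ = {
        "REQUEST_METHOD": "POST",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    if sm_user is not None:
        environ["HTTP_SM_USER"] = sm_user
    return environ


if __name__ == "__main__":
    store = PinStore()
    pin = store.issue("SOME_USERNAME")
    print(handle_2fa_post(make_environ("SOME_DOMAIN\\SOME_USERNAME", pin),
                          store, "/protected/app")[0])  # 302 Found
```

The store is keyed on the username only, so a PIN issued for SOME_USERNAME is accepted whether SM_USER arrives as SOME_DOMAIN\SOME_USERNAME or bare; if several domains share user names in your environment, key on the (domain, username) pair instead. The `Location` header on success is what produces the final hop in the flow above, back to the originally attempted protected resource.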