Requiring the user to complete MFA is a requirement/configuration of the IdP, and since it is managed by the IdP, it should be available within the object supplied by the provider. If you investigate the Identity Provider section within the configuration of the Gateway, you can do a Test Login.
Go to Configure > Security > Identity Provider. Once there, open the “More” dropdown and select “Test Login”. Complete the login steps, and upon completion you’ll arrive on a page that includes not only the user’s authentication object, but also a list of the attribute mappings and Security Levels attached to the user based on their authentication.
The returned object should have some sort of property which specifies whether the login attempt included MFA. This attribute could be used as part of the rules to determine a Security Level. If you need to force a user to re-authenticate for some reason, any authentication should result in a re-evaluation of a user’s Security Levels.
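The rule logic described above, sketched as an added example (not Ignition's rule syntax and not code from the original post). It assumes the IdP is OpenID Connect and that the returned object carries the standard `amr` (RFC 8176) and `auth_time` claims; the level names and the `max_age` value are hypothetical.

```python
import time

# RFC 8176 "amr" values grouped by factor class. "mfa" asserts multiple
# factors outright; otherwise require methods from two different classes.
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION = {"otp", "hwk", "swk", "sms", "tel", "sc"}
INHERENCE = {"fpt", "face", "iris", "retina", "vbm"}


def used_mfa(claims):
    """True if the (already signature-verified) claims show more than one factor."""
    amr = claims.get("amr") or []
    if isinstance(amr, str):  # tolerate an IdP that sends a single string
        amr = [amr]
    methods = set(amr)
    if "mfa" in methods:
        return True
    classes = sum(bool(methods & c) for c in (KNOWLEDGE, POSSESSION, INHERENCE))
    return classes >= 2


def security_levels(claims, now=None, max_age=900):
    """Map claims to hypothetical level names; missing data grants nothing extra."""
    now = time.time() if now is None else now
    levels = ["Authenticated"]
    if not used_mfa(claims):
        return levels
    levels.append("Authenticated/MFA")
    # A fresh login re-evaluates the levels, so "Recent" is only granted
    # when auth_time is present and within max_age seconds of now.
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, (int, float)) and 0 <= now - auth_time <= max_age:
        levels.append("Authenticated/MFA/Recent")
    return levels


# Constructed sample claim sets (not output from a real IdP).
NOW = 1_700_000_000
SAMPLES = {
    "password only": {"amr": ["pwd"], "auth_time": NOW - 60},
    "password + otp": {"amr": ["pwd", "otp"], "auth_time": NOW - 60},
    "mfa, stale login": {"amr": ["mfa"], "auth_time": NOW - 3600},
    "no amr claim": {"auth_time": NOW - 60},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(name, "->", security_levels(claims, now=NOW))
```

Use the Test Login page to confirm which property your IdP actually populates before writing a rule against it; some providers report MFA in `acr` or a vendor-specific attribute instead.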