We have a deployment where we to use SAML ForceAuthn to force logins at our IdP, and AuthnContextClassRef to override the default authentication mechanism and force multi-factor authentication; we also need the sessions on Jenkins to be shorter than those on our IdP.

We've implemented those changes to the plugin as optional advanced configuration options, and will submit a GitHub pull request.