...
Asking the LoginConfig about sufficiency of Authentication, gateway mode, and warn mode, provides an important extension point. Advanced implementations of the RequestToLoginConfig "factory" of LoginConfigs and of LoginConfigs themselves might implement such rules as "Never allow Single Sign On from the IP addresses of known kiosks"
The players
Revisiting the particular interfaces used here:. In general the LoginConfig could consider where the request seems to be coming from (looks like a kiosk), user preferences based on persistent browser cookie (SSO opt-in cookie was present or opt-out-of-SSO cookie was not present), user preferences based on authenticated identity (we know awp9 has opted out of privacy), service preferences (we know the service for which we're trying to issue a ST will accept nothing less than a client cert along with username password along with NTLM authentication).