Duc,
I wholeheartedly agree with your hesitation/disdain for the Access Gateway, but...
We no longer have the choice of whether or not to use it, because CA\Broadcom has not been adding critical new features to the Web Agent Option Pack. We have an HA enterprise SSO portal that is spread across multiple data centers, and the system can basically never go down. We have avoided using the SPS/AG for more than a decade because of the reputation it has for stability issues and security problems. Now there is just no way to avoid it anymore. We need the OIDC capabilities, because deploying thousands of webagents is simply no longer realistic when apps want to spin up and spin down constantly using containers, and application integration cycles with webagents are just too long. Add to that things like the web-agent vulnerability that was identified last fall, and you quickly realize that having thousands of them in your enterprise is not optimal. So, we (with quite a bit of hesitation) deployed the access gateway in a centralized location to support OIDC and future self-service integration models. We do not use the proxy server features at all at this time, we strictly use the gateway for federation, OIDC, and other newer features like authentication APIs and JWT tokens. Note: One other issue with the access gateway is that because it uses Apache/Tomcat and Java, and it is designed to sit out in the DMZ, it always gets dinged on security scans/audits, which creates a nightmare because to upgrade it, you may have to upgrade the policy servers too. (Which we all know can take a long time). I have seen policy server upgrades take up to 6 months due to finding bugs like memory leaks, policy server crashes, directory search problems, etc. The more product features you leverage, the more likely it is that you will find a bug. I have been running the product at enterprise scale since 2002, and this is just an accepted reality at this point. These bugs have to be identified, analyzed, verified, documented, and fixed by CA, and that back-and-forth process can take months. (I will acknowledge their release quality has been better the last few years, but issues still do occur)
Disclaimer: We haven't fully designed the MFA using JWT yet, it is in our backlog, and we will get to it very soon. But this is what I am thinking.
First- We will have to have to find a way to keep track of the initial target through all of this, which can be a challenge. We have done it for other processes, so we are pretty confident we can do it here too. Authenticate the user first using UN/PW with a target of the MFA type of your choice, the MFA target should be protected so we can ensure the user has authenticated at the lower level, and to allow for headers to be sent to it, so we can determine things like what types of authenticators the user has registered. At that point, let the third party authenticator applications do their thing, and when complete, create and send a JWT and return an smsession at the higher security level. (We will be looking at both Authenticator applications like MS/Google authenticator as well as some WebAuthN authenticators which can support Security Keys, and built-in bio-metrics like fingerprint scanners, windows hello, etc.)
Again, I am not positive that this is possible, because I have not worked with the JWT auth scheme yet, but, it seems like it could be a way to do any type of authentication we want, and then end up with a higher level session token. We also have the API gateway, which really is a swiss-army knife when it comes to making CA SSO do things that it doesn't normally do.
If the JWT authentication scheme can in fact be used to do this type of step-up, it basically breathes new life into a product that is seriously lacking in support for modern authenticators. Fingers crossed.
One more thing, access gateway aside, CA/Broadcom has really put a ton of effort and investment back into this product over the last few years. The product was dormant for too long, but they are obviously working on some cool stuff now, like JWT support, OIDC support, management APIs, and Container support. GA Release build quality is also orders of magnitude better than it was in the 12.0/12.5 days.