How can I ask Cognito to force re-authentication with a SAML IDP?

I have Cognito setup with SAML authentication to both Google and Okta. It works great.

I have a use case where when a user wants to approve a record, they need to provide their username and password (a second time, just for the approval). Unfortunately, this is the law set out by/for the FDA.

SAML has a mechanism to send a request to force authentication. Does anybody know how to get Cognito to send that request to the IDP?