You could do the same with ADFS. You could add MFA to the SAML workflow in ADFS then, as has been stated, your authentication would be AnyConnect > ASA > ADFS (with MFA prompting). I think that would work.
I'm working on similar stuff and I use ISE...
