...

Example 2: An SP prefers MFA but accepts SFA

An SP presents a list of authentication contexts in the order of preference (Comparison attribute omitted, applying the default value “exact”):

<samlp:RequestedAuthnContext>
  <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
  <saml:AuthnContextClassRef>https://refeds.org/profile/sfa</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

An IdP responds SFA:

<saml:AuthnContext>
  <saml:AuthnContextClassRef>https://refeds.org/profile/sfa</saml:AuthnContextClassRef>
</saml:AuthnContext>

Note: according to the SAML 2.0 specification, an Identity Provider can present only one authentication context in the response. This is NOT supported by the SAML standard. See the FAQ for alternatives.
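The SP-side check implied by Example 2, as an added example that is not part of the original page: with Comparison "exact", the single returned class reference must be one of those requested, and its position in the request shows which preference was met. The function names are hypothetical, the messages are constructed from the example above, and the assertion is assumed to have passed signature validation already.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
MFA = "https://refeds.org/profile/mfa"
SFA = "https://refeds.org/profile/sfa"

# Constructed sample messages mirroring Example 2 (namespace declarations added
# so the fragments parse on their own).
REQUEST = f"""<samlp:RequestedAuthnContext xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:AuthnContextClassRef>{MFA}</saml:AuthnContextClassRef>
  <saml:AuthnContextClassRef>{SFA}</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>"""

RESPONSE_SFA = f"""<saml:AuthnContext xmlns:saml="{NS['saml']}">
  <saml:AuthnContextClassRef>{SFA}</saml:AuthnContextClassRef>
</saml:AuthnContext>"""


def requested_refs(request_xml):
    """Return (comparison, ordered class refs) from a RequestedAuthnContext."""
    root = ET.fromstring(request_xml)
    comparison = root.get("Comparison", "exact")  # default when the attribute is omitted
    refs = [(e.text or "").strip() for e in root.findall("saml:AuthnContextClassRef", NS)]
    return comparison, refs


def check_response(request_xml, authn_context_xml):
    """Accept only a single returned class ref that exactly matches a requested one.

    Assumes the enclosing assertion was signature-verified before this call.
    Returns (accepted, returned_ref, preference_index); index 0 is most preferred.
    """
    comparison, refs = requested_refs(request_xml)
    if comparison != "exact":
        raise ValueError("this example only handles Comparison='exact'")
    found = ET.fromstring(authn_context_xml).findall("saml:AuthnContextClassRef", NS)
    if len(found) != 1:  # an IdP presents only one authentication context
        return False, None, None
    returned = (found[0].text or "").strip()
    if returned not in refs:  # exact match against the requested set, no fallback
        return False, returned, None
    return True, returned, refs.index(returned)
```

For the messages in Example 2 the check accepts the response with preference index 1, which tells the SP that SFA rather than MFA was performed.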

OpenID Connect acr claims

...