...
Example 2: An SP prefers MFA but accepts SFA
An SP presents a list of authentication contexts in the order of preference (Comparison attribute omitted, applying the default value “exact”):
<samlp:RequestedAuthnContext>
<saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
<saml:AuthnContextClassRef>https://refeds.org/profile/sfa</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
An IdP responds SFA:
<saml:AuthnContext>
<saml:AuthnContextClassRef>https://refeds.org/profile/sfa</saml:AuthnContextClassRef>
</saml:AuthnContext>
Note: according to the SAML 2.0 specification, an Identity Provider can present only one authentication context in the responseThis is NOT supported by the SAML standard. See the FAQ for alternatives.
OpenID Connectr acr claims
...