---
title: Configuring the Requested AuthN Context Authentication Selector
description: The Requested AuthN Context Authentication Selector enables PingFederate to choose configured authentication sources or other selectors.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_config_request_authn_context_auth_selector
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_request_authn_context_auth_selector.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 2, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result:
  result-2: Result:
---

# Configuring the Requested AuthN Context Authentication Selector

The Requested AuthN Context Authentication Selector enables PingFederate to choose configured authentication sources or other selectors.

## About this task

This selector chooses authentication sources or selectors based on the authentication contexts requested by a service provider (SP) *(tooltip: \<div class="paragraph">
\<p>In SAML, an entity that receives and accepts an authentication assertion issued by an IdP, typically for the purpose of allowing access to a protected resource.\</p>
\</div>)*) for browser single sign-on (SSO) *(tooltip: \<div class="paragraph">
\<p>The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without reauthenticating.\</p>
\</div>)* requests, or a relying party (RP) *(tooltip: \<div class="paragraph">
\<p>An OAuth 2.0 client that requires end-user's authenticity and claims (attributes) from an OpenID provider.\</p>
\</div>)* for OAuth with OpenID Connect (OIDC) *(tooltip: \<div class="paragraph">
\<p>An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.\</p>
\</div>)* use cases in authentication policies.

For browser SSO, this authentication selector works in conjunction with SP connections with Security Assertion Markup Language (SAML) *(tooltip: \<div class="paragraph">
\<p>A standard, XML-based, message-exchange framework enabling the secure transmittal of authentication tokens and other user attributes across domains.\</p>
\</div>)* 2.0 only, using the SP-initiated SSO profile. Other browser SSO protocols do not support authentication context. For OAuth, clients supporting the OIDC protocol must include the optional `acr_values` parameter in their authorization requests to indicate their preferred authentication context, or contexts.

## Steps

1. Go to **Authentication > Policies > Selectors** to open the **Selectors** window.

2. On the **Selectors** window, click **Create New Instance** to start the **Create Authentication Selector Instance** workflow.

3. On the **Type** tab, configure the basics of this authentication selector instance.

4. On the **Authentication Selector** tab, configure the applicable selector instance settings:

   1. Select the **Add or Update AuthN Context Attribute** checkbox if you want to update the authentication context attribute value with the value specified in the **Selector Result Values** tab.

      ### Result:

      When selected, which is the default, the checkbox on this window provides a means to:

      * Add the value of the authentication context determined by the selector into the SAML assertion.

      * When applicable, replace any value returned from the associated adapter instance with the selector result value.

   2. (Optional) Select the **Override AuthN Context for Flow** checkbox to allow the authentication selector result value to override the authentication context value for the entire policy flow.

      |   |                                                                                                          |
      | - | -------------------------------------------------------------------------------------------------------- |
      |   | This checkbox is only available when the **Add or Update AuthN Context Attribute** checkbox is selected. |

      ### Result:

      When selected, which is the default for fresh installations, the selector result will determine the authentication context value for the entire flow and override any subsequently invoked authentication sources and their authentication context values. This authentication selector result value takes precedence and determines the authorization context in the outgoing assertion or ID token.

   3. (Optional) Enable policy paths to handle additional scenarios.

      For more information, refer to the following table.

   | Field                                | Description                                                                                                                                                                                                                                                                                                         |
   | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Enable 'No Match' Result Value       | Selector evaluation fails and the next applicable authentication policy is executed if the requested authentication context does not match any of the configured selector result values.Select this checkbox if you want to enable a policy path to handle this scenario. This checkbox is not selected by default. |
   | Enable 'Not in Request' Result Value | Selector evaluation fails and the next applicable authentication policy is executed if no requested authentication context is found.Select this checkbox if you want to enable a policy path to handle this scenario. This checkbox is not selected by default.                                                     |

5. In the **Selector Result Values** window, specify the authentication contexts to use as the criteria:

   1. Enter the exact, case-sensitive parameter value under **Result Values**, and then click **Add**.

      |   |                                                                                                                                                                                                                                                           |
      | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | The value can include URIs defined in [Authentication Context for the OASIS Security Assertion Markup Language (SAML) 2.0](https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf) or any other value agreed upon with the partner. |

   2. (Optional) Add more values to differentiate criteria for authentication selection.

      Display order does not matter.

      Each selector result value forms a policy path when you place this selector instance as a checkpoint in an authentication policy (regardless of whether you have enabled the **No Match** or **Not in Request** policy path in [step 4b](#step-4-b).

      Use the **Edit**, **Update**, and **Cancel** workflow to make or undo a change to an existing entry. Click **Delete** to remove an entry.

6. Complete the configuration.

   1. On the **Summary** tab, click **Done**.

   2. On the **Selectors** window, click **Save**.