---
title: Overriding authentication context in an IdP connection
description: You can map authentication context values between the local and remote values in an OpenID Connect or a SAML 2.0 identity provider (IdP) connection.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_overrid_auth_context_in_idp_connect
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_overrid_auth_context_in_idp_connect.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example
---

# Overriding authentication context in an IdP connection

You can map authentication context values between the local and remote values in an OpenID Connect or a SAML 2.0 identity provider (IdP) connection.

## About this task

This optional configuration overrides how authentication context values are communicated with partners, in both authentication or authorization requests and their responses. Any values that are not defined in this configuration are passed through as-is.

As needed, you can use an asterisk, `*`, to match any value, a blank value for a scenario where the partner or the local request does not specify an authentication context value, or both.

## Steps

1. Go to **Authentication > Integration > IdP Connections**.

2. Click the name of the connection to open it in the **IdP Connection** window.

3. On the **Activation & Summary** tab, scroll down to the **Protocol Settings** section, then click **Overrides**.

4. On the **Overrides** tab, specify the **Local** and **Remote** entry, then click **Add**.

5. Repeat the previous step to define additional mappings.

   Click **Edit**, **Update**, or **Cancel** to make or undo a change to an existing entry. Click **Delete** or **Undelete** to remove an existing entry or cancel the removal request.

6. Click **Save** to complete the configuration.

   Alternatively, click **Next** to carry on with the rest of the connection settings.

## Example

Suppose you are the service provider (SP) and your target application requires either the `urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos` or `urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified` authentication context. While the IdP is capable of authenticating its users using a Kerberos-based authentication system, a proprietary identity management system, and a few internal web portals, the authentication context values are different than what your application supports. The authentication context values from the IdP are as follows.

| Authentication method                  | `AuthnContext` values                             |
| -------------------------------------- | ------------------------------------------------- |
| Kerberos-based authentication system   | `KerberosAuth`                                    |
| Internal web portals                   | `password`, `portal`, or `web`                    |
| Proprietary identity management system | No authentication context information is provided |

To override the `AuthnContext` values from the IdP, you can configure the IdP connection with the following authentication context mappings.

| Local                                                | Remote         |
| ---------------------------------------------------- | -------------- |
| `urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos`    | `KerberosAuth` |
| `urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified` | `*`            |
| `urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified` |                |

The first entry maps `KerberosAuth` to `urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos`.

The second entry maps any authentication context value, including `password` and `portal`, to `urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified`.

The last entry overrides the authentication context value to `urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified` in the event that the assertion does not contain any authentication context information.
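
The mapping table above, modelled in Python to show which local value each IdP method resolves to and to support a review of catch-all rows. This is an added example, not PingFederate code: `resolve_local` and `catch_all_entries` are hypothetical names, and the sketch assumes that an exact **Remote** entry takes precedence over `*` and that `*` does not match a missing value.

```python
# Inbound direction only: the Remote value in the IdP's response is
# translated to the Local value handed to the target application.
# Assumptions (not stated on the page): an exact Remote entry wins over "*",
# and "*" does not match a missing value (the blank entry covers that case).

SAML_AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# (Local, Remote) rows copied from the mapping table in the Example section.
OVERRIDES = [
    (SAML_AC + "Kerberos", "KerberosAuth"),
    (SAML_AC + "unspecified", "*"),
    (SAML_AC + "unspecified", ""),
]


def resolve_local(remote, overrides):
    """Return the local authentication context for a remote value (None = absent)."""
    value = remote or ""
    exact = {r: l for l, r in overrides if r != "*"}
    if value in exact:                 # exact entries, including the blank one
        return exact[value]
    wildcard = [l for l, r in overrides if r == "*"]
    if value and wildcard:             # "*" catches every other non-empty value
        return wildcard[0]
    return remote                      # undefined values pass through as-is


def catch_all_entries(overrides, strong_contexts):
    """List "*" or blank rows whose Local value the application treats as strong."""
    return [(l, r) for l, r in overrides
            if r in ("*", "") and l in strong_contexts]


if __name__ == "__main__":
    for remote in ["KerberosAuth", "password", "portal", "web", None]:
        print(repr(remote), "->", resolve_local(remote, OVERRIDES))
    # With no overrides, the IdP's own value reaches the application unchanged.
    print(resolve_local("password", []))
    # Review check: no catch-all row promotes unknown input to the Kerberos class.
    print(catch_all_entries(OVERRIDES, {SAML_AC + "Kerberos"}))
```

A non-empty result from `catch_all_entries` means a `*` or blank row would present any remote value, or none at all, to the application as one of the contexts it relies on.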
