PingOne

RequestedAuthnContext

RequestedAuthnContext is an optional element in a SAML 2.0 AuthnRequest. AuthnContextClassRef and AuthnContextDeclRef are valid sub-elements in RequestedAuthnContext.

Administrators can control whether PingOne should determine the authentication method based on the RequestedAuthnContext element. This per-application option, Policy Selection based on RequestedAuthnContext, is for SAML 2.0 applications only and is disabled by default.

When the option is disabled, PingOne ignores the RequestedAuthnContext element.

When the option is enabled, PingOne evaluates the RequestedAuthnContext element as follows:

RequestedAuthnContext with AuthnContextClassRef and AuthnContextDeclRef elements

If both AuthnContextClassRef and AuthnContextDeclRef are found inside RequestedAuthnContext, PingOne returns an error to the application, according to the SAML 2.0 specification.

RequestedAuthnContext is a match

If the application is configured with one or more policies, and if the first AuthnContextClassRef element value (or the first AuthnContextDeclRef value) is an exact match to one of the configured policies, PingOne invokes that policy.

  • For a PingOne policy, the element value must match the policy name exactly.

  • For a DaVinci policy, the element value must match the policy ID exactly.

  • PingOne ignores the second and any subsequent element values.
RequestedAuthnContext is not a match

If the application is configured with one or more policies, and if the first AuthnContextClassRef element value (or the first AuthnContextDeclRef value) is not an exact match to one of the configured policies, PingOne returns an error to the application.

RequestedAuthnContext without a policy

If the application is not configured with any policy, and if either AuthnContextClassRef or AuthnContextDeclRef is provided, because the first AuthnContextClassRef element value (or the first AuthnContextDeclRef value) is never an exact match to no policy, PingOne returns an error to the application.