RequestedAuthnContext
RequestedAuthnContext is an optional element in a SAML 2.0 AuthnRequest. AuthnContextClassRef and AuthnContextDeclRef are valid sub-elements in RequestedAuthnContext.
Administrators can control whether PingOne should determine the authentication method based on the RequestedAuthnContext element. This per-application option, Policy Selection based on RequestedAuthnContext, is for SAML 2.0 applications only and is disabled by default.
When the option is disabled, PingOne ignores the RequestedAuthnContext element.
When the option is enabled, PingOne evaluates the RequestedAuthnContext element as follows:
- RequestedAuthnContext with AuthnContextClassRef and AuthnContextDeclRef elements
  If both AuthnContextClassRef and AuthnContextDeclRef are found inside RequestedAuthnContext, PingOne returns an error to the application, according to the SAML 2.0 specification.
- RequestedAuthnContext is a match
  If the application is configured with one or more policies, and if the first AuthnContextClassRef element value (or the first AuthnContextDeclRef value) is an exact match to one of the configured policies, PingOne invokes that policy.
- RequestedAuthnContext is not a match
  If the application is configured with one or more policies, and if the first AuthnContextClassRef element value (or the first AuthnContextDeclRef value) is not an exact match to one of the configured policies, PingOne returns an error to the application.
- RequestedAuthnContext without a policy
  If the application is not configured with any policy, and if either AuthnContextClassRef or AuthnContextDeclRef is provided, PingOne returns an error to the application, because the first AuthnContextClassRef element value (or the first AuthnContextDeclRef value) can never be an exact match when no policy is configured.
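
The evaluation order described above, written as a preflight check an integrator could run against the AuthnRequest their service provider emits. This is an added example, not PingOne code; the policy identifiers, the sample requests, the whitespace trimming and the cases reported as "unspecified" are assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def predict_outcome(authn_request_xml, app_policies, selection_enabled):
    """Return (outcome, detail) for one AuthnRequest under the rules above.

    app_policies: policy identifiers configured on the application
    (hypothetical strings here). "unspecified" marks cases the page
    does not describe.
    """
    if not selection_enabled:
        return ("ignored", None)  # option disabled: element is ignored
    # ElementTree is fine for requests you generate yourself; parse
    # untrusted XML with a hardened parser such as defusedxml.
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return ("unspecified", "no RequestedAuthnContext in request")
    class_refs = rac.findall(f"{{{SAML}}}AuthnContextClassRef")
    decl_refs = rac.findall(f"{{{SAML}}}AuthnContextDeclRef")
    if class_refs and decl_refs:
        return ("error", "ClassRef and DeclRef both present")
    refs = class_refs or decl_refs
    if not refs:
        return ("unspecified", "RequestedAuthnContext is empty")
    # Only the first value is compared; trimming whitespace is an assumption.
    first = (refs[0].text or "").strip()
    if first in app_policies:  # exact string comparison
        return ("policy", first)
    # Also covers an application with no policies: nothing can match.
    return ("error", f"no configured policy equals {first!r}")


def sample_request(inner):
    """Build a constructed AuthnRequest around the given sub-elements."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            f'<samlp:RequestedAuthnContext>{inner}</samlp:RequestedAuthnContext>'
            f'</samlp:AuthnRequest>')


def class_ref(value):
    return f"<saml:AuthnContextClassRef>{value}</saml:AuthnContextClassRef>"


def decl_ref(value):
    return f"<saml:AuthnContextDeclRef>{value}</saml:AuthnContextDeclRef>"
```

Calling `predict_outcome(sample_request(class_ref("example-mfa-policy")), ["example-mfa-policy"], True)` returns `("policy", "example-mfa-policy")`; a request whose first value matches no configured identifier returns an `"error"` outcome even if a later value would match.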