--- title: RequestedAuthnContext description: RequestedAuthnContext is an optional element in a SAML 2.0 AuthnRequest. AuthnContextClassRef and AuthnContextDeclRef are valid sub-elements in RequestedAuthnContext. component: pingone page_id: pingone:applications:p1_requestedauthncontext canonical_url: https://docs.pingidentity.com/pingone/applications/p1_requestedauthncontext.html revdate: October 16, 2023 section_ids: related-links: Related links --- # RequestedAuthnContext `RequestedAuthnContext` is an optional element in a SAML 2.0 `AuthnRequest`. `AuthnContextClassRef` and `AuthnContextDeclRef` are valid sub-elements in `RequestedAuthnContext`. Administrators can control whether PingOne should determine the authentication method based on the `RequestedAuthnContext` element. This per-application option, `Policy Selection based on RequestedAuthnContext`, is for SAML 2.0 applications only and is disabled by default. When the option is disabled, PingOne ignores the `RequestedAuthnContext` element. When the option is enabled, PingOne evaluates the `RequestedAuthnContext` element as follows: * RequestedAuthnContext with AuthnContextClassRef and AuthnContextDeclRef elements If both `AuthnContextClassRef` and `AuthnContextDeclRef` are found inside `RequestedAuthnContext`, PingOne returns an error to the application, according to the SAML 2.0 specification. * RequestedAuthnContext is a match If the application is configured with one or more policies, and if the first `AuthnContextClassRef` element value (or the first `AuthnContextDeclRef` value) is an exact match to one of the configured policies, PingOne invokes that policy. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | - For a PingOne policy, the element value must match the policy name exactly. - For a DaVinci policy, the element value must match the policy ID exactly. - PingOne ignores the second and any subsequent element values. | * RequestedAuthnContext is not a match If the application is configured with one or more policies, and if the first `AuthnContextClassRef` element value (or the first `AuthnContextDeclRef` value) is not an exact match to one of the configured policies, PingOne returns an error to the application. * RequestedAuthnContext without a policy If the application is not configured with any policy, and if either `AuthnContextClassRef` or `AuthnContextDeclRef` is provided, because the first `AuthnContextClassRef` element value (or the first `AuthnContextDeclRef` value) is never an exact match to `no policy`, PingOne returns an error to the application. ## Related links * [Editing an application - SAML](p1_edit_application_saml.html)