Administrators can control whether PingOne should determine the authentication method based on the RequestedAuthnContext element. This per-application option, Policy Selection based on RequestedAuthnContext, is for SAML 2.0 applications only and is disabled by default.

When the option is disabled, PingOne ignores the RequestedAuthnContext element.

When the option is enabled, PingOne evaluates the RequestedAuthnContext element as follows:
RequestedAuthnContext with AuthnContextClassRef and AuthnContextDeclRef elements
If both AuthnContextClassRef and AuthnContextDeclRef are found inside RequestedAuthnContext, PingOne returns an error to the application. The SAML 2.0 specification defines RequestedAuthnContext as carrying either AuthnContextClassRef elements or AuthnContextDeclRef elements, not both, so a request that mixes them is malformed.
RequestedAuthnContext is a match
If the application is configured with one or more policies, and if the first AuthnContextClassRef element value (or the first AuthnContextDeclRef value) is an exact match to one of the configured policies, PingOne invokes that policy.
Note:
  • For a PingOne policy, the element value must match the policy name exactly.

  • For a DaVinci policy, the element value must match the policy ID exactly.

  • PingOne ignores the second and any subsequent element values.

RequestedAuthnContext is not a match
If the application is configured with one or more policies, and if the first AuthnContextClassRef element value (or the first AuthnContextDeclRef value) is not an exact match to one of the configured policies, PingOne returns an error to the application.
RequestedAuthnContext without a policy
If the application is not configured with any policy, and the request provides either an AuthnContextClassRef or an AuthnContextDeclRef value, PingOne returns an error to the application: with no configured policies there is nothing for the first element value to match, so the request is treated as a non-match.
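The rules above, modelled as a small Python function that reads the RequestedAuthnContext element of a SAML AuthnRequest and reports which of the documented outcomes applies. This is an added example, not PingOne code: the two namespace URIs are the standard SAML 2.0 protocol and assertion namespaces, but the policy names, the DaVinci policy ID, the minimal unsigned AuthnRequest skeleton and the error/no-selection outcomes are constructed for illustration. The model covers only what the page describes; it says nothing about the Comparison attribute, and its handling of an empty RequestedAuthnContext is an assumption marked as such in the code.

```python
"""Model of the documented RequestedAuthnContext policy-selection rules.

Added illustration, not PingOne code. It reproduces only the decision logic
described on the page. It does not validate the request signature, Issuer,
Destination or anything else a real SAML endpoint must check before trusting
any element of an AuthnRequest.
"""
from typing import List, Optional, Sequence
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespace URIs.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class AuthnContextError(Exception):
    """Outcome where the page says PingOne returns an error to the application."""


def select_policy(authn_request_xml: str, configured_policies: List[str],
                  option_enabled: bool = True) -> Optional[str]:
    """Return the policy the request selects, or None when no selection happens.

    configured_policies holds PingOne policy names or DaVinci policy IDs; the
    element value must equal one of them exactly. None means the option is
    disabled (element ignored) or the request carries no RequestedAuthnContext.
    """
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if not option_enabled or rac is None:
        return None  # option disabled: element ignored; element absent: nothing to evaluate

    class_refs = [e.text or "" for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    decl_refs = [e.text or "" for e in rac.findall(f"{{{SAML}}}AuthnContextDeclRef")]

    # Rule: both kinds of reference inside one RequestedAuthnContext is an error.
    if class_refs and decl_refs:
        raise AuthnContextError(
            "RequestedAuthnContext carries both AuthnContextClassRef and AuthnContextDeclRef")

    refs = class_refs or decl_refs
    if not refs:
        # An empty RequestedAuthnContext is not described on the page. This model
        # assumes it selects nothing (assumption, not documented behaviour).
        return None

    # Rule: only the first value counts; second and later values are ignored.
    first = refs[0]

    # Rule: exact match (case-sensitive, no trimming: an assumption of what
    # "exact" means here) against the configured policies, otherwise an error.
    # With no policies configured nothing can match, so that case errors too.
    if first in configured_policies:
        return first
    raise AuthnContextError(f"no configured policy matches {first!r}")


def outcome(authn_request_xml: str, configured_policies: List[str],
            option_enabled: bool = True) -> str:
    """Report the result as a short string for logs, tests or a quick check."""
    try:
        selected = select_policy(authn_request_xml, configured_policies, option_enabled)
    except AuthnContextError as exc:
        return f"error: {exc}"
    return "no selection" if selected is None else f"policy: {selected}"


def build_authn_request(class_refs: Sequence[str] = (), decl_refs: Sequence[str] = ()) -> str:
    """Constructed, minimal, unsigned AuthnRequest used as sample input only.

    A real request also carries Destination, AssertionConsumerServiceURL,
    NameIDPolicy and a signature; they are irrelevant to the selection rules.
    When no references are given the RequestedAuthnContext element is omitted.
    """
    body = "".join(f"<saml:AuthnContextClassRef>{r}</saml:AuthnContextClassRef>" for r in class_refs)
    body += "".join(f"<saml:AuthnContextDeclRef>{r}</saml:AuthnContextDeclRef>" for r in decl_refs)
    rac = (f'<samlp:RequestedAuthnContext Comparison="exact">{body}</samlp:RequestedAuthnContext>'
           if body else "")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>"
        f"{rac}</samlp:AuthnRequest>"
    )


if __name__ == "__main__":
    policies = ["Single_Factor", "Multi_Factor"]  # constructed PingOne policy names
    print(outcome(build_authn_request(["Multi_Factor", "Single_Factor"]), policies))
    print(outcome(build_authn_request(["Unknown", "Multi_Factor"]), policies))
    print(outcome(build_authn_request(["Multi_Factor"], ["Multi_Factor"]), policies))
    print(outcome(build_authn_request(["Multi_Factor"]), []))
    print(outcome(build_authn_request(["Multi_Factor"]), policies, option_enabled=False))
```

Two points the model makes visible that are easy to miss when reading the rules: an SP that lists a preferred context first and a fallback second gets the fallback silently dropped, because only the first value is ever compared, and a value that differs from the configured policy only in case or surrounding whitespace is a non-match and produces an error rather than a weaker policy.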