This selector chooses authentication sources or selectors based on the authentication contexts requested by a service provider (SP)) for browser single sign-on (SSO) requests, or a relying party (RP) for OAuth with OpenID Connect (OIDC) use cases in authentication policies.

For browser SSO, this authentication selector works in conjunction with SP connections with SAML 2.0 only, using the SP-initiated SSO profile. Other browser SSO protocols do not support authentication context. For OAuth, clients supporting the OIDC protocol must include the optional acr_values parameter in their authorization requests to indicate their preferred authentication context, or contexts.

  1. Go to Authentication > Policies > Selectors to open the Selectors window.
  2. On the Selectors window, click Create New Instance to start the Create Authentication Selector Instance workflow.
  3. On the Type tab, configure the basics of this authentication selector instance.
  4. On the Authentication Selector tab, configure the applicable selector instance settings:
    1. Select the Add or Update AuthN Context Attribute check box if you want to update the authentication context attribute value with the value specified in the Selector Result Values tab.

      When selected, which is the default, the check box on this window provides a means to:

      • Add the value of the authentication context determined by the selector into the SAML assertion.
      • When applicable, replace any value returned from the associated adapter instance with the selector result value.
    2. Optional: Select the Override AuthN Context for Flow check box to allow the authentication selector result value to override the authentication context value for the entire policy flow.
      Note:

      This check box is only available when the Add or Update AuthN Context Attribute check box is selected.

      When selected, which is the default for fresh installations, the selector result will determine the authentication context value for the entire flow and override any subsequently invoked authentication sources and their authentication context values. This authentication selector result value takes precedence and determines the authorization context in the outgoing assertion or ID token.

    3. Optional: Enable policy paths to handle additional scenarios.

      For more information, refer to the following table.

      Field Description

      Enable 'No Match' Result Value

      Selector evaluation fails and the next applicable authentication policy is executed if the requested authentication context does not match any of the configured selector result values.

      Select this check box if you want to enable a policy path to handle this scenario. This check box is not selected by default.

      Enable 'Not in Request' Result Value

      Selector evaluation fails and the next applicable authentication policy is executed if no requested authentication context is found.

      Select this check box if you want to enable a policy path to handle this scenario. This check box is not selected by default.
  5. In the Selector Result Values window, specify the authentication contexts to use as the criteria:
    1. Enter the exact, case-sensitive parameter value under Result Values, and then click Add.
      Note:

      The value can include URIs defined in Authentication Context for the OASIS Security Assertion Markup Language (SAML) 2.0 or any other value agreed upon with the partner.

    2. Optional: Add more values to differentiate criteria for authentication selection.

      Display order does not matter.

      Each selector result value forms a policy path when you place this selector instance as a checkpoint in an authentication policy (regardless of whether you have enabled the No Match or Not in Request policy path in step 4b).

      Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Click Delete to remove an entry.

  6. Complete the configuration.
    1. On the Summary tab, click Done.
    2. On the Selectors window, click Save.