Example 1: AuthnContextClassRef based on SAML_AUTHN_CTX

To send AuthnContextClassRef based on the SAML_AUTHN_CTX attribute from your PingFederate authentication policy, use the following expression:
#req = #AuthnRequestDocument.getAuthnRequest(),
#newctx = #ChainedAttributes.get("SAML_AUTHN_CTX"),
#newctx && (
#req.isSetRequestedAuthnContext() && #req.unsetRequestedAuthnContext(),
#ctx = #req.addNewRequestedAuthnContext(),
#ctx.addAuthnContextClassRef(#newctx.toString())
)

In this example, the value of the SAML_AUTHN_CTX attribute is "Password" and the expression sends the following:

<AuthnRequest Version="2.0" ID="gjmkj6OVk9tVhd1kvno63j92pqb" IssueInstant="2021-05-11T21:36:42.953Z" xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:urn="urn:oasis:names:tc:SAML:2.0:assertion">
 <urn:Issuer>localhost:default:entityId</urn:Issuer>
 <urn:Subject>
  <urn:NameID>rsa@demo.com</urn:NameID>
 </urn:Subject>
 <NameIDPolicy AllowCreate="true"/>
 <RequestedAuthnContext>     
  <urn:AuthnContextClassRef>Password</urn:AuthnContextClassRef>
 </RequestedAuthnContext>
</AuthnRequest>

Example 2: AuthnContextClassRef based on SP entity ID

To send AuthnContextClassRef based on the service provider (SP) entity ID, use the following expression:
#Salesforce = "salesforceSPConnection", // this would be the target
#req = #AuthnRequestDocument.getAuthnRequest(),

#newctx = #Salesforce == #FedHubSpConnPartnerId ? "urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:PingFed_Lev_Low": null,
#newctx && (
#req.isSetRequestedAuthnContext() && #req.unsetRequestedAuthnContext(),
#ctx = #req.addNewRequestedAuthnContext(),
#ctx.addAuthnContextClassRef(#newctx.toString())
)

In this example, the SP connection used is Salesforce. The value urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:PingFed_Lev_Low is sent as the AuthnContextClassRef. #FedHubSpConnPartnerId is the SP entity ID.

Tip: For other variables, see Message types and available variables in the PingFederate documentation.

The expression sends the following:

<AuthnRequest Version="2.0" ID="gjmkj6OVk9tVhd1kvno63j92pqb" IssueInstant="2021-05-11T21:36:42.953Z" xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:urn="urn:oasis:names:tc:SAML:2.0:assertion">
 <urn:Issuer>localhost:default:entityId</urn:Issuer>
 <urn:Subject>
  <urn:NameID>rsa@demo.com</urn:NameID>
 </urn:Subject>
 <NameIDPolicy AllowCreate="true"/>
 <RequestedAuthnContext>
  <urn:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:PingFed    
  _Lev_Low</urn:AuthnContextClassRef>
 </RequestedAuthnContext>
</AuthnRequest>