RE: [saml-dev] Queries on processing AuthnContextClassRef

["Scott Cantor" <cantor.2@osu.edu>]

> 1. What is the order/priority of Authentication Context 
> Classes. I could not find any reference to priority of the 
> classes in the document "saml-authn-context-2.0-os".

The order is not defined by SAML, it's deployment specific. The SAML spec
just provides the hooks for people to interact on the wire.

> 2. How will the IDP communicate to the relying party (in 
> response) what authentication context has been used to 
> authenticate the user.

It's inside the AuthnStatement.

>    a. What if the relying party requests with authentication 
> contexts other then the above and thus is not being supported 
> by the IDP.

If the SP asks for an exact match you don't support, you can't satisfy it.
The point is to deploy such that nonsense doesn't happen.

If you're looking for AC to solve all your problems, you probably won't like
the answer. It's a very complex beast and hasn't been used much to my
knowledge. It was fixed to work a bit better than Liberty's, but wasn't
touched functionally. I would expect a lot of variance in implementations as
to what they can do or not.

-- Scott