Hi,
Recently we being an SP, are integrating with an IdP which has got some of the stuff doubtful from spec perspective.
Despite going through the spec and citing the sections, they are interpreting it differently.
Kindly verify my understanding:
1) Can IdP send unspecified(urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified) authnContext, if the Authentication for WebSSO use-case happens using username/password over HTTPS.
As per spec, it says it should send PasswordProtected if its password based authentication over HTTPS. We at SP are looking for PasswordProtected AuthnContext and we fail the assertion.
2)We being an SP also send Required AuthnContext (which is PasswordProtected) in SAMLRequest, in this case, if IdP does not support this AuthnContext,
it should reply with NoAuthContext. But IdP still sends the unspecified AuthnContext.
3)Can unspecified AuthnContext be used for any reason? As per spec it should be used for unspecified means of Authentication.
This IdP is using unspecified for all the case.
They are asking us to not send RequestedAuthnContext which is optional. We being a SP had already integrated with well known IdPs and do not want to do this change
for only this IdP.
--