Confusion regarding AuthnContext

[bhaskar jain <bhaskar.jain2002@gmail.com>]

Hello,

   We'll be implementing an identity provider (SAML v2 only)  supporting only http-redirect binding at our side. Users are already authenticated to us through username-password authentication mechanism only. We'll be generating the SAMLResponse, packing it in the html form page and subsequently the user agent will post to the ACS Url specified. So a normal web browser SSO profile.

Confusion prevails over the 'correct' use of saml:AuthnContextClassRef in the SAMLResponse. Based on our user authentication, it should always be 'PasswordProtectedTransport' since we donot have any other authentication mechanisms.But there might be some service provider's with higher requirements and who may discard our SAMLResponse. Some SP's also advertise their requirements in the AuthnContextClassRef in the AuthnRequest itself.

Question is what should we do? Allow this to be configured per SP basis and give to the SP what it expects or always send 'PasswordProtectedTransport'. Are there any real-life SP which donot allow us to configure this field on the SP side. (I would think government applications?)   I have seen some implementations like OpenSSO which allow you to configure it per COT basis. Is it a violation of the SAML standards, when you authenticate using a less secure method and claim to have done using  a 'strong' method.  

What should implementors do in this scenario.  Have you encountered some SP's like this.

Thanks a lot.

--Bhaskar.