authncontextclass
‎08-15-2016 07:24 AM
Hello -
I am trying to figure out how to clear the following errors when I run the "Test Connection" on my SSO properties page.
The error seems to be complaining about the AuthContextClass configuration.
In the limited discovery that I have done I found this link, but I need some guidance.
Running Hels P3.
Thanks for your review/response,
Brian Ladrido
Penn State Service Management DevOps

‎08-28-2017 02:19 AM
Thanks Ankur!
I've set the checkbox to false, and wiped out the value in AuthnContextClassRef Method. Still doesn't work.
‎08-28-2017 02:24 AM
Hi Sakshi,
Can you mark the checkbox as true, populate the value for AuthContextClass as "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", and check it once?
Regards
Ankur
‎08-28-2017 02:27 AM
Hi Sakshi,
There is some relevant documentation at the end of this post.
If you are shooting for forms-based authentication, you should
set Create AuthnContextClass = true
and set AuthnContextClassRef Method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Then troubleshoot based on the error messages you see with SSO debug enabled.
If, on the other hand, you are shooting for Windows-based authentication based on the user ID and password you supplied to authenticate via a Windows domain controller,
set Create AuthnContextClass = true
and set AuthnContextClassRef Method urn:federation:authentication:windows
Then troubleshoot based on the error messages you see with SSO debug enabled.
If you would like either, you should test both options as above and then
set Create AuthnContextClass = false and let the IdP decide between the two.
Relevant documentation:
You can enable the instance to send an authentication context class request to the IdP containing your instance's preferred authentication request format.
Before you begin
Role required: admin
About this task
If you enable creating an AuthContextClass message, then you must also specify an authentication context class reference format.
Procedure
- From the property Create an AuthnContextClass request in the AuthnRequest statement, select Yes to specify a particular context class such as Password Protected Transport, or select No to have the IdP select the most appropriate context class.
- If you selected Yes to Create an AuthnContextClass request in the AuthnRequest statement, then in The AuthnContextClassRef method that we will request in our SAML 2.0 AuthnRequest to the Identity Provider property, enter the URN of the context class you want to use for authentication (see table).
  By default, the integration uses a Password Protected Transport authentication method.

  | Authentication type | Authentication context class URN |
  | --- | --- |
  | Forms-based authentication | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport |
  | Kerberos-based authentication | urn:federation:authentication:windows |
- Click Update.
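
An added troubleshooting example, not part of any post in this thread and not ServiceNow code: it decodes a captured SAML redirect URL and reports which AuthnContextClassRef the instance actually requested, so the setting can be checked against what the IdP receives. It assumes the AuthnRequest is sent with the HTTP-Redirect binding; the IdP host name, the request ID and the helper names are constructed for the example.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

def decode_redirect_request(url):
    """Return the AuthnRequest XML carried in an HTTP-Redirect binding URL."""
    params = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter in URL")
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15)  # raw DEFLATE, no zlib header
    if b"<!DOCTYPE" in xml:
        raise ValueError("DOCTYPE is not expected in a SAML message")
    return xml

def requested_authn_context(xml):
    """Return (comparison, [class URNs]), or None when the request carries no
    RequestedAuthnContext and the IdP is left to pick the context class."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    # Comparison defaults to "exact" when the attribute is absent.
    return rac.get("Comparison", "exact"), refs

def build_sample_url(class_ref=None):
    """Constructed sample: a redirect URL for a hypothetical IdP endpoint."""
    rac = ""
    if class_ref:
        rac = (f'<samlp:RequestedAuthnContext><saml:AuthnContextClassRef>{class_ref}'
               f'</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>')
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed1" Version="2.0" IssueInstant="2017-08-28T02:27:00Z">'
           f'{rac}</samlp:AuthnRequest>').encode()
    c = zlib.compressobj(wbits=-15)
    b64 = base64.b64encode(c.compress(xml) + c.flush()).decode()
    return "https://idp.example.invalid/sso?SAMLRequest=" + quote(b64, safe="")

if __name__ == "__main__":
    for ref in (PPT, None):
        print(requested_authn_context(decode_redirect_request(build_sample_url(ref))))
```

A result of `None` corresponds to Create AuthnContextClass = false; with an "exact" comparison the IdP has to authenticate the user with one of the listed classes.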