You can enable the instance to send an authentication context class request to the
IdP containing your instance's preferred authentication request format.
Before you begin
Role required: sso_config_admin, business_rule_admin, script_include_admin
About this task
If you enable creating an AuthnContextClass message, then you must also specify an
authentication context class reference format.
Note: Some IdPs do not allow the Service Provider to set the authentication context
class. Disabling this setting allows the IdP to choose the authentication context class.
Procedure
- From the property "Create an AuthnContextClass request in the AuthnRequest
  statement", select Yes to specify a particular context class such as Password
  Protected Transport, or select No to have the IdP select the most appropriate
  context class.
- If you selected Yes to "Create an AuthnContextClass request in the AuthnRequest
  statement", then in the property "The AuthnContextClassRef method that we will
  request in our SAML 2.0 AuthnRequest to the Identity Provider", enter the URN of
  the context class you want to use for authentication (see table).
Table 1. AuthnContextClass URN options
| Authentication type | Authentication context class URN |
| --- | --- |
| Forms-based authentication | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport |
| Kerberos-based authentication | urn:federation:authentication:windows |
By default, the integration uses a Password Protected Transport
authentication method.
- Click Update.
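
The following added example (not part of the product documentation or the instance's own code) shows what the Yes/No setting changes on the wire and how to check, from a captured AuthnRequest and assertion, that the IdP returned the class that was requested. The XML is constructed sample data; the `Comparison="exact"` attribute, the issuer URL and all function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
KERBEROS = "urn:federation:authentication:windows"

def make_request(class_urn=None):
    """Constructed AuthnRequest; class_urn=None models the property set to No."""
    rac = ""
    if class_urn:
        rac = (f'<samlp:RequestedAuthnContext Comparison="exact">'
               f'<saml:AuthnContextClassRef>{class_urn}</saml:AuthnContextClassRef>'
               f'</samlp:RequestedAuthnContext>')
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            f'<saml:Issuer>https://sp.example.test</saml:Issuer>{rac}</samlp:AuthnRequest>')

def make_assertion(class_urn):
    """Constructed, unsigned assertion fragment carrying the IdP's AuthnStatement."""
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_a" Version="2.0" '
            f'IssueInstant="2024-01-01T00:00:05Z"><saml:AuthnStatement '
            f'AuthnInstant="2024-01-01T00:00:04Z"><saml:AuthnContext>'
            f'<saml:AuthnContextClassRef>{class_urn}</saml:AuthnContextClassRef>'
            f'</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>')

def requested_classes(request_xml):
    """Return (comparison, [URNs]); (None, []) means the IdP chooses the class."""
    rac = ET.fromstring(request_xml).find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    # SAML 2.0 core: Comparison defaults to "exact" when the attribute is omitted.
    return rac.get("Comparison", "exact"), refs

def asserted_class(assertion_xml):
    """Return the class URN the IdP states it used, or None if absent."""
    ref = ET.fromstring(assertion_xml).find(f".//{{{SAML}}}AuthnContextClassRef")
    return ref.text.strip() if ref is not None and ref.text else None

def idp_honoured_request(request_xml, assertion_xml):
    """True if no class was requested, or the asserted class matches an 'exact' request."""
    comparison, wanted = requested_classes(request_xml)
    if comparison is None:
        return True
    if comparison != "exact":
        raise ValueError("only Comparison='exact' is handled in this example")
    return asserted_class(assertion_xml) in wanted
```

A mismatch here (for example, Kerberos requested but Password Protected Transport asserted) is the symptom to expect with an IdP that does not let the Service Provider set the class.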