Is an authnContextClassRef of "unspecified" the same as "PasswordProtectedTransport" ?

Chad La Joie lajoie at
Fri Jan 27 22:50:30 GMT 2012

"unspecified" means "any that you (the relying party) choose".  So if
the IdP support username/password then it's free to respond with that.

On 1/27/12 5:45 PM, Terry Fleury wrote:
> During my InCommon SP Assurance Use Case testing, I discovered that passing
> authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
> from SP to IdP resulted in the IdP responding with
> Shib-AuthnContext-Class="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport".
> Is this the expected behavior?
> I thought that if the SP requested a specific authnContextClassRef, the IdP
> had to respond with that same value, or respond with an error if unable to
> fulfill.
> Terry Fleury
> tfleury at
> --
> To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list