Is an authnContextClassRef of "unspecified" the same as "PasswordProtectedTransport" ?

Cantor, Scott cantor.2 at
Sat Jan 28 18:12:41 GMT 2012

> On Fri, Jan 27, 2012 at 5:50 PM, Chad La Joie <lajoie at> wrote:
> > "unspecified" means "any that you (the relying party) choose".
> Chad, can you provide a reference, please? Section of SAML
> Core suggests otherwise.

The NameIDPolicy language is a better indicator of the logical intent behind an unspecified constant in a request. The only reason unspecified was defined as a context class was to address the requirement to have at least a class in every statement. It's the "null" indicator, and should work like the null indicator does in other areas.

Also happens to be a much better result, since it means you don't have to configure the IdP to explicitly handle it ahead of time.

I would hope that including it on the end of a list of other classes with exact matching would favor one of the others and then fall into picking one at random if that doesn't work. That's pretty much the best possible result for such a use case.

-- Scott

More information about the users mailing list