Odd SP behavior re authn context
mat houser
mhouser at uwm.edu
Fri Oct 8 19:20:15 UTC 2021
Hello list,
We're currently in the process of preparing to deploy our IdP as a proxy
to AzureAD, and so far almost everything seems fine except one specific
SP that is behaving strangely.
In the authn request it's requesting this:
<saml2p:RequestedAuthnContext Comparison="better">
  <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
In the response I'm seeing this:
<saml2:AuthnContext>
  <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
  <saml2:AuthenticatingAuthority>https://sts.windows.net/0bca7ac3-fcb6-4efd-89eb-6de97603cf21/</saml2:AuthenticatingAuthority>
</saml2:AuthnContext>
But the SP presents an error that there is no authn context:
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
  <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext" />
</saml2p:StatusCode>
Other SPs that require specific authn contexts, notably the MFA
context, are behaving correctly, as are SPs that do not appear to be
requiring any.
I guess the question is if requiring "better than unspecified" has any
real purpose or meaning, and if so how to go about satisfying that
condition, or should I try to find out who is running the SP and ask
them to stop doing that?
Additionally, since this seems like weird SP behavior, is there any way
of seeing if any other SPs are doing this? It doesn't appear to be
logged on the IdP, at least not at the current log level, and I'm only
seeing the request condition in SAML Tracer.
Many thanks,
-Mat
--
-------------
mat:houser
mhouser at uwm.edu
uwm:uits:iam-support
-------------
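As an added illustration (not part of the post above, and not Shibboleth's own matching code), the following evaluates a RequestedAuthnContext against the class an IdP actually asserted using the SAML 2.0 Comparison rules; the strength ordering of classes is an assumption, since the spec leaves it deployment-specific, and it deliberately gives "unspecified" no rank, which is why a "better than unspecified" request cannot be satisfied.

```python
# Added example: SAML 2.0 RequestedAuthnContext matching (exact/minimum/
# maximum/better) against an asserted AuthnContextClassRef. The class
# ordering below is an ASSUMED deployment policy, weakest first.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# 'unspecified' is intentionally absent: it has no defined strength.
ORDER = [AC + "Password", AC + "PasswordProtectedTransport",
         "https://refeds.org/profile/mfa"]


def rank(cls):
    """Position of a class in the assumed ordering, or None if unranked."""
    return ORDER.index(cls) if cls in ORDER else None


def satisfies(comparison, requested, asserted):
    """True if `asserted` meets the request per SAML core 3.3.2.2.1."""
    if comparison == "exact":
        return asserted in requested
    a = rank(asserted)
    ranks = [rank(r) for r in requested]
    if a is None or any(r is None for r in ranks):
        return False  # an unranked class can never be ordered against
    if comparison == "minimum":
        return a >= min(ranks)  # at least as strong as one requested class
    if comparison == "maximum":
        return a <= max(ranks)  # no stronger than the strongest requested
    if comparison == "better":
        return a > max(ranks)   # strictly stronger than every requested class
    raise ValueError(f"unknown Comparison value: {comparison}")


def parse_request(xml_text):
    """Extract (Comparison, [class refs]) from a RequestedAuthnContext."""
    el = ET.fromstring(xml_text)
    comparison = el.get("Comparison", "exact")
    refs = [c.text.strip() for c in el.iter(f"{{{SAML}}}AuthnContextClassRef")]
    return comparison, refs


# Constructed sample mirroring the post (saml2p namespace declared so it parses).
REQUEST = f'''<saml2p:RequestedAuthnContext xmlns:saml2p="{SAMLP}" Comparison="better">
  <saml2:AuthnContextClassRef xmlns:saml2="{SAML}">{AC}unspecified</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>'''
ASSERTED = AC + "Password"


def check(request_xml=REQUEST, asserted=ASSERTED):
    comparison, refs = parse_request(request_xml)
    return satisfies(comparison, refs, asserted)  # False for the post's case
```

Running `parse_request` over captured AuthnRequests and flagging any whose Comparison is "better" with an unranked class is one way to spot other SPs sending the same request.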