X509Internal module and urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport AuthnContextClassRef

Cantor, Scott cantor.2 at osu.edu
Thu Jun 2 12:37:18 UTC 2022

If you get that context out it's because you told the IdP to support it and to add it into the Subject. When multiple context class Principals are present in the Subject and nothing is requested, which one is expressed is not specified, unless you adjust the shibboleth.AuthenticationPrincipalWeightMap bean to differentiate which ones should outrank others.

X509/X509Internal do not claim to support that context class out of the box, so you either put it there or something else is being done incorrectly.

-- Scott
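
The weight map mentioned in the reply, sketched as an added example (not part of the original message or the IdP's shipped configuration). It assumes the goal is for the X509 context class to be reported when both Principals are in the Subject and the SP requests nothing; the weights 2 and 1 are illustrative, and the file holding the bean depends on the IdP version.

```xml
<!-- Added example, not from the original post. Fragment of the IdP's
     authn Spring configuration; the surrounding <beans> element is
     assumed to already declare the util and c namespaces. -->
<util:map id="shibboleth.AuthenticationPrincipalWeightMap">
    <!-- Higher weight wins when several context class Principals are
         eligible and the SP did not request a specific one. -->
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
        </key>
        <value>2</value> <!-- illustrative weight (assumption) -->
    </entry>
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        </key>
        <value>1</value> <!-- illustrative weight (assumption) -->
    </entry>
</util:map>
```

If PasswordProtectedTransport should never be asserted for certificate logins, the other route the reply points at is removing it from the supported principals of the X509/X509Internal flow so it is not added to the Subject in the first place.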

