Overview
Authentication Context Class is used to convey to the Service Provider additional information in determining the Level Of Assurance for an Authentication request.
Authentication Context Class permits the augmentation of Assertions with additional information pertaining to the authentication of the Principal at the Identity Provider (IDP).
If a Relying Party is to rely on the authentication of a principal by an Identity Provider (IDP), the Relying Party may require information additional to the assertion itself in order to assess the level of Assurance they can place in that assertion. The Authentication Context Class concept is for the Identity Provider (IDP) to provide to the Relying Party this additional information. Authentication Context Class is defined in SAML and OpenID Connect.
Authentication Context Class specifies a set of Policies that authentications are being requested to satisfy. These Policies can often be satisfied by using a number of different specific Authentication Context Classes, either singly or in combination.
Authentication Context Class is a Set of Authentication Methods or Authentication procedures that are considered to be equivalent to each other in a particular context.
The Authentication Context Class Reference (acr) are defined in as a response parameter for the Identity Token.
Each of these Authentication Context Class Values should be in agreement and all parties should agree on which values will be used.
Authentication Context Class Values we have been able to find.
Authentication Context Classes are defined in section 3.4 of the Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0 Specification in XML Schema documents.
Only a subset of the Authentication Context Classes defined in this specification is supported by ADFS 2.0.
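A relying-party check of the `acr` value against agreed sets of equivalent classes, as an added example that is not part of the original page. The policy names, the grouping of classes under them, and the use of SAML class URIs as `acr` values in the Identity Token are assumptions for illustration.

```python
# Added example: relying-party check of the acr claim (not from the original page).
SAML_AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Hypothetical policy table agreed between IdP and relying party: each policy
# lists the context classes treated as equivalent for that purpose.
POLICIES = {
    "basic": {
        SAML_AC + "Password",
        SAML_AC + "PasswordProtectedTransport",
        SAML_AC + "Kerberos",
        SAML_AC + "X509",
        SAML_AC + "SmartcardPKI",
    },
    "strong": {
        SAML_AC + "X509",
        SAML_AC + "SmartcardPKI",
    },
}


class AcrError(Exception):
    """Raised when the authentication context does not satisfy the policy."""


def check_acr(claims, policy):
    """Return the acr value if it satisfies `policy`, else raise AcrError.

    `claims` is the payload of an Identity Token whose signature, issuer and
    audience have already been validated (assumed, not shown here).
    """
    accepted = POLICIES.get(policy)
    if accepted is None:
        raise AcrError(f"unknown policy {policy!r}")
    acr = claims.get("acr")
    if not isinstance(acr, str) or not acr:
        # Fail closed: a missing acr says nothing about how the user authenticated.
        raise AcrError("Identity Token carries no acr claim")
    if acr not in accepted:
        raise AcrError(f"acr {acr!r} does not satisfy policy {policy!r}")
    return acr


# Constructed sample payloads.
PASSWORD_LOGIN = {"sub": "alice", "acr": SAML_AC + "PasswordProtectedTransport"}
SMARTCARD_LOGIN = {"sub": "alice", "acr": SAML_AC + "SmartcardPKI"}
NO_ACR = {"sub": "alice"}
```

The check fails closed: a token without `acr`, or with a value outside the agreed set for the policy, is rejected rather than treated as the lowest level.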