SAML 2.0 Requirements for Service Providers - Supported RequestedAuthnContext Examples
The following examples are based on the Authentication page configuration for the service provider in the Cloud Administration Console.
Service Provider Manages Primary Authentication and SecurID Manages Additional Authentication
The following are examples of supported RequestedAuthContextClassRef values for a service provider configured with the Service provider manages primary authentication, and SecurID manages additional authentication option in the Cloud Administration Console.
If you select the SP signs SAML request option in the Connection Profile page, you also must upload the service provider certificate on that page. RSA recommends signing requests when the request overrides the Cloud Administration Console configuration for the service provider.
| AuthnContextClassRef Value | Primary Authentication | Policy | Assurance Level |
|---|---|---|---|
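| (Omitted) | Managed by service provider | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:oasis:names:tc:SAML:2.0:ac:classes:Password | Managed by service provider | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport | Managed by service provider | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:: | Managed by service provider | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup: | Managed by service provider | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level> | Managed by service provider | N/A | High, Medium, or Low |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy> | Managed by service provider | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:<Policy> | Managed by service provider | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| Request is rejected because values are not supported: | | | |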
SecurID Manages All Authentication and Primary Authentication is Password, SecurID, FIDO, or Performed by Cloud Identity Provider
The following are examples of supported RequestedAuthContextClassRef values for a service provider configured with the SecurID manages all authentication option in the Cloud Administration Console and a primary authentication method of Password, SecurID, FIDO, or Performed by Cloud Identity Provider.
If you select the SP signs SAML request option in the Connection Profile page, you also must upload the service provider certificate on that page. RSA recommends signing requests when the request overrides the Cloud Administration Console configuration for the service provider.
| AuthnContextClassRef Value | Primary Authentication | Policy | Assurance Level |
|---|---|---|---|
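| (Omitted) | Primary authentication method assigned to service provider in the Cloud Administration Console | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:oasis:names:tc:SAML:2.0:ac:classes:Password | Primary authentication method assigned to service provider in the Cloud Administration Console | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport | Primary authentication method assigned to service provider in the Cloud Administration Console | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:: | Primary authentication method assigned to service provider in the Cloud Administration Console | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary: | Primary authentication method assigned to service provider in the Cloud Administration Console | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level> | None | N/A | High, Medium, or Low |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy> | Primary authentication method assigned to service provider in the Cloud Administration Console | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary:<Policy> | Primary authentication method assigned to service provider in the Cloud Administration Console | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup: | None | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:<Policy> | None | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| Request is rejected because values are not supported: Any other value. | | | |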
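The table above, for the SecurID manages all authentication option with a primary method of Password, SecurID, FIDO, or Performed by Cloud Identity Provider, written as a pre-flight check a service provider can run on the AuthnRequest it generates. This is an added example, not RSA code. The function names, the two "assigned in console" labels, the case-insensitive match on `<Level>`, the reading of "overrides" as any outcome other than the console defaults, and the sample request are assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
OASIS = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
RSA = "urn:rsa:names:tc:SAML:2.0:ac:classes:"
ASSIGNED_PRIMARY = "primary method assigned in console"  # hypothetical labels
ASSIGNED_POLICY = "policy assigned in console"
DEFAULT = (ASSIGNED_PRIMARY, ASSIGNED_POLICY, None)

def resolve(value):
    """Map one AuthnContextClassRef (None = omitted) to (primary, policy, level)."""
    if value is None or value in (OASIS + "Password", OASIS + "PasswordProtectedTransport"):
        return DEFAULT
    if value.startswith(RSA):
        kind, _, rest = value[len(RSA):].partition(":")
        # Assumption: <Level> is matched case-insensitively; the page gives no casing.
        if kind == "level" and rest.lower() in ("high", "medium", "low"):
            return (None, None, rest.lower())
        method, sep, policy = rest.partition(":")
        if kind == "spec" and sep and method in ("", "primary", "stepup"):
            primary = None if method == "stepup" else ASSIGNED_PRIMARY
            return (primary, policy or ASSIGNED_POLICY, None)
    raise ValueError(f"not supported, request would be rejected: {value!r}")

def overrides_console(value):
    # Assumption: "overrides" means any outcome other than the console defaults.
    return resolve(value) != DEFAULT

def class_refs(authn_request_xml):
    """Return the class refs in a request this SP generated ([None] if omitted)."""
    rac = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return [None]
    return [(el.text or "").strip() for el in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]

# Constructed sample request; issuer and policy name are placeholders.
SAMPLE = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>{RSA}spec:stepup:ExamplePolicy</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    for ref in class_refs(SAMPLE):
        print(ref, "->", resolve(ref), "sign request:", overrides_console(ref))
```

A `True` from `overrides_console` marks the requests the page recommends signing. `class_refs` is meant for requests your own service provider produced and is not hardened for untrusted XML.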
SecurID Manages All Authentication and Primary Authentication is Determined by Service Provider at Run Time
The following are examples of supported RequestedAuthContextClassRef values for a service provider configured with the SecurID manages all authentication option in the Cloud Administration Console and a primary authentication method of Determined by Service Provider at Run Time.
To use this primary authentication option, the service provider must sign the request, and you must upload the service provider certificate on the Connection Profile page.
| AuthnContextClassRef Value | Primary Authentication | Policy | Assurance Level |
|---|---|---|---|
| urn:oasis:names:tc:SAML:2.0:ac:classes:Password | Password | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport | Password | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:password: | Password | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level> | None | N/A | High, Medium, or Low |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:password:<Policy> | Password | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:securid: | SecurID | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:securid:<Policy> | SecurID | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:fido: | FIDO | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:fido:<Policy> | FIDO | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:: | None | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy> | None | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| Request is rejected because values are not supported: | | | |