SAML 2.0 Requirements for Service Providers - Supported RequestedAuthnContext Examples
The following examples are based on the Authentication page configuration for the service provider in the Cloud Administration Console.
Service Provider Manages Primary Authentication and SecurID Manages Additional Authentication
The following are examples of supported RequestedAuthContextClassRef values for a service provider configured with the "Service provider manages primary authentication, and SecurID manages additional authentication" option in the Cloud Administration Console.
If you select the "SP signs SAML request" option on the Connection Profile page, you must also upload the service provider certificate on that page. RSA recommends signing requests when the request overrides the Cloud Administration Console configuration for the service provider.
| AuthnContextClassRef Value | Primary Authentication | Policy | Assurance Level |
|---|---|---|---|
| (Omitted)<br>urn:oasis:names:tc:SAML:2.0:ac:classes:Password<br>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<br>urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<br>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup: | Managed by service provider | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level> | Managed by service provider | N/A | High, Medium, or Low |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy><br>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:<Policy> | Managed by service provider | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| Request is rejected because values are not supported: | | | |
SecurID Manages All Authentication and Primary Authentication is Password, SecurID, FIDO, or Performed by Cloud Identity Provider
The following are examples of supported RequestedAuthContextClassRef values for a service provider configured with the "SecurID manages all authentication" option in the Cloud Administration Console and a primary authentication method of Password, SecurID, FIDO, or Performed by Cloud Identity Provider.
If you select the "SP signs SAML request" option on the Connection Profile page, you must also upload the service provider certificate on that page. RSA recommends signing requests when the request overrides the Cloud Administration Console configuration for the service provider.
| AuthnContextClassRef Value | Primary Authentication | Policy | Assurance Level |
|---|---|---|---|
| (Omitted)<br>urn:oasis:names:tc:SAML:2.0:ac:classes:Password<br>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<br>urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<br>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary: | Primary authentication method assigned to service provider in the Cloud Administration Console | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level> | None | N/A | High, Medium, or Low |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy><br>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary:<Policy> | Primary authentication method assigned to service provider in the Cloud Administration Console | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup: | None | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:<Policy> | None | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| Request is rejected because values are not supported: Any other value. | | | |
SecurID Manages All Authentication and Primary Authentication is Determined by Service Provider at Run Time
The following are examples of supported RequestedAuthContextClassRef values for a service provider configured with the "SecurID manages all authentication" option in the Cloud Administration Console and a primary authentication method of "Determined by Service Provider at Run Time".
To use this primary authentication option, the service provider must sign the request, and you must upload the service provider certificate on the Connection Profile page.
| AuthnContextClassRef Value | Primary Authentication | Policy | Assurance Level |
|---|---|---|---|
| urn:oasis:names:tc:SAML:2.0:ac:classes:Password<br>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<br>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:password: | Password | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level> | None | N/A | High, Medium, or Low |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:password:<Policy> | Password | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:securid: | SecurID | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:securid:<Policy> | SecurID | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:fido: | FIDO | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:fido:<Policy> | FIDO | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:: | None | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy> | None | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| Request is rejected because values are not supported: | | | |
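The three tables above, encoded as a pre-flight check a service provider could run before sending an AuthnRequest. This is an added example, not RSA code: it maps a requested AuthnContextClassRef value to the primary authentication, policy, and assurance level listed for each console configuration. The mode labels, the `classify` function, and the policy name `Contractors` are hypothetical; level names are matched case-insensitively as an assumption, and the first table's primary authentication is taken to be "Managed by service provider" on every row.

```python
OASIS = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
RSA = "urn:rsa:names:tc:SAML:2.0:ac:classes:"
SP, ASSIGNED, NONE = "Managed by service provider", "Method assigned in console", "None"
POLICY = "Policy assigned in console"

# Hypothetical mode labels for the three console configurations on this page.
# omitted/oasis/level give the primary authentication for that kind of value
# (a missing key means the value is not listed); spec maps the method keyword.
TABLES = {
    "sp_primary": {"omitted": SP, "oasis": SP, "level": SP,
                   "spec": {"": SP, "stepup": SP}},
    "securid_fixed": {"omitted": ASSIGNED, "oasis": ASSIGNED, "level": NONE,
                      "spec": {"": ASSIGNED, "primary": ASSIGNED, "stepup": NONE}},
    "securid_runtime": {"oasis": "Password", "level": NONE,
                        "spec": {"": NONE, "password": "Password",
                                 "securid": "SecurID", "fido": "FIDO"}},
}
LEVELS = {"high", "medium", "low"}  # assumption: matched case-insensitively


def classify(mode, class_ref):
    """Return (primary, policy, assurance), or None if the value is not listed for the mode."""
    table = TABLES[mode]
    if not class_ref:  # the "(Omitted)" row
        kind, policy, level = "omitted", POLICY, "N/A"
    elif class_ref in (OASIS + "Password", OASIS + "PasswordProtectedTransport"):
        kind, policy, level = "oasis", POLICY, "N/A"
    elif class_ref.startswith(RSA + "level:"):
        kind, policy, level = "level", "N/A", class_ref[len(RSA + "level:"):]
        if level.lower() not in LEVELS:
            return None
    elif class_ref.startswith(RSA + "spec:"):
        method, sep, named = class_ref[len(RSA + "spec:"):].partition(":")
        if not sep or method not in table["spec"]:  # the trailing colon is part of the value
            return None
        return table["spec"][method], named or POLICY, "N/A"
    else:
        return None
    primary = table.get(kind)
    return (primary, policy, level) if primary else None


if __name__ == "__main__":
    # Constructed sample values; "Contractors" is a made-up policy name.
    for mode, ref in [("securid_runtime", RSA + "spec:fido:Contractors"),
                      ("securid_fixed", RSA + "spec:stepup:"),
                      ("securid_runtime", None)]:
        print(mode, ref or "(omitted)", "->", classify(mode, ref))
```

A `None` result means the value is not among those listed for that configuration; the page states "Any other value" is rejected only for the second table.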