SAML 2.0 Requirements for Service Providers - Supported RequestedAuthnContext Examples
The following examples are based on the Authentication page configuration for the service provider in the Cloud Administration Console.
Service Provider Manages Primary Authentication and SecurID Manages Additional Authentication
The following are examples of AuthnContextClassRef values supported in RequestedAuthnContext for a service provider configured with the "Service provider manages primary authentication, and SecurID manages additional authentication" option in the Cloud Administration Console.
If you select the SP signs SAML request option in the Connection Profile page, you also must upload the service provider certificate on that page. RSA recommends signing requests when the request overrides the Cloud Administration Console configuration for the service provider.
| AuthnContextClassRef Value | Primary Authentication | Policy | Assurance Level |
|---|---|---|---|
| (Omitted)<br>urn:oasis:names:tc:SAML:2.0:ac:classes:Password<br>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<br>urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<br>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup: | Managed by service provider | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level> | Managed by service provider | N/A | High, Medium, or Low |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy><br>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:<Policy> | Managed by service provider | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |

Request is rejected because values are not supported:
SecurID Manages All Authentication and Primary Authentication is Password, SecurID, FIDO, or Performed by Cloud Identity Provider
The following are examples of AuthnContextClassRef values supported in RequestedAuthnContext for a service provider configured with the "SecurID manages all authentication" option in the Cloud Administration Console and a primary authentication method of Password, SecurID, FIDO, or Performed by Cloud Identity Provider.
If you select the SP signs SAML request option in the Connection Profile page, you also must upload the service provider certificate on that page. RSA recommends signing requests when the request overrides the Cloud Administration Console configuration for the service provider.
| AuthnContextClassRef Value | Primary Authentication | Policy | Assurance Level |
|---|---|---|---|
| (Omitted)<br>urn:oasis:names:tc:SAML:2.0:ac:classes:Password<br>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<br>urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<br>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary: | Primary authentication method assigned to service provider in the Cloud Administration Console | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level> | None | N/A | High, Medium, or Low |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy><br>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary:<Policy> | Primary authentication method assigned to service provider in the Cloud Administration Console | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup: | None | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:<Policy> | None | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |

Request is rejected because values are not supported: Any other value.
SecurID Manages All Authentication and Primary Authentication is Determined by Service Provider at Run Time
The following are examples of AuthnContextClassRef values supported in RequestedAuthnContext for a service provider configured with the "SecurID manages all authentication" option in the Cloud Administration Console and a primary authentication method of Determined by Service Provider at Run Time.
To use this primary authentication option, the service provider must sign the request, and you must upload the service provider certificate on the Connection Profile page.
| AuthnContextClassRef Value | Primary Authentication | Policy | Assurance Level |
|---|---|---|---|
| urn:oasis:names:tc:SAML:2.0:ac:classes:Password<br>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<br>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:password: | Password | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level> | None | N/A | High, Medium, or Low |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:password:<Policy> | Password | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:securid: | SecurID | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:securid:<Policy> | SecurID | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:fido: | FIDO | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:fido:<Policy> | FIDO | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:: | None | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy> | None | Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. | N/A |

Request is rejected because values are not supported:
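
The three tables above, written as a pre-flight check that a service provider team could run against its own outgoing AuthnRequest before sending it. This is an added example, not RSA code: the mode keys, function names, sample request and `ExamplePolicy` are assumptions, and values the tables do not list are reported as unlisted rather than as definitively rejected.

```python
import xml.etree.ElementTree as ET

OASIS = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
RSA = "urn:rsa:names:tc:SAML:2.0:ac:classes:"
REF_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}AuthnContextClassRef"
SP, ASSIGNED = "managed by service provider", "method assigned in console"
CONSOLE_POLICY = "policy assigned in console"
# Mode keys are this example's own labels for the page's three console configurations.
# spec:<method>: prefixes listed per table, mapped to the Primary Authentication column.
SPEC = {
    "sp_primary": {"": SP, "stepup": SP},
    "securid_all": {"": ASSIGNED, "primary": ASSIGNED, "stepup": "None"},
    "sp_runtime": {"": "None", "password": "Password", "securid": "SecurID", "fido": "FIDO"},
}
# Primary authentication for the two OASIS Password values and for an omitted value.
GENERIC = {"sp_primary": SP, "securid_all": ASSIGNED, "sp_runtime": "Password"}
# Constructed sample request, trimmed to the elements this check reads.
SAMPLE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0">
  <samlp:RequestedAuthnContext><saml:AuthnContextClassRef>
    urn:rsa:names:tc:SAML:2.0:ac:classes:spec:fido:ExamplePolicy
  </saml:AuthnContextClassRef></samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def classify(mode, ref):
    """Return (primary, policy, level) for a listed value, or None if the mode's table lacks it."""
    if ref is None:  # value omitted; the run-time table does not list "(Omitted)"
        return None if mode == "sp_runtime" else (GENERIC[mode], CONSOLE_POLICY, None)
    if ref in (OASIS + "Password", OASIS + "PasswordProtectedTransport"):
        return (GENERIC[mode], CONSOLE_POLICY, None)
    if ref.startswith(RSA + "level:"):
        level = ref[len(RSA + "level:"):]
        if level.lower() in ("high", "medium", "low"):  # case-insensitive match is an assumption
            return (SP if mode == "sp_primary" else "None", None, level)
    elif ref.startswith(RSA + "spec:"):
        method, sep, policy = ref[len(RSA + "spec:"):].partition(":")
        if sep and method in SPEC[mode]:
            return (SPEC[mode][method], policy or CONSOLE_POLICY, None)
    return None

def preflight(authn_request_xml, mode, signed):
    """Check the SP's own outgoing request; returns a list of findings (empty means clean)."""
    root = ET.fromstring(authn_request_xml)
    findings = []
    for ref in [(e.text or "").strip() for e in root.iter(REF_TAG)] or [None]:
        result = classify(mode, ref)
        if result is None:
            findings.append(f"not listed for {mode}: {ref}")
        elif not signed and result[1] != CONSOLE_POLICY:
            # "Overrides" is read here as naming its own policy or level (an interpretation).
            findings.append(f"unsigned request names its own policy or level: {ref}")
    if mode == "sp_runtime" and not signed:
        findings.append("sp_runtime requires a signed request")
    return findings
```
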