AuthnContext mismatch to RequestAuthnContext
14.6.1. AuthnContext doesn't match RequestedAuthnContext

Exception:

com.sun.identity.saml2.common.SAML2Exception

Possibility 1:

If preceeded in the log file by: SAML2Utils.isAuthnContextMatching: AuthnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken is not supported.

Reason:

sp-extended.xml (spAuthncontextClassrefMapping) and idp-extended.xml (idpAuthncontextClassrefMapping) both have a list of supported 'login tokens'. The token sent from the IDP (usually the first in his list) must be in the list on the SP.

Possibility 2:

Stack trace shows:

com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper.getAuthLevel(...)

Reason:

It was SP-Initiated SSO where the SP usually requests a specific AuthnContext (either the one marked with "|default" in the sp-extended.xml -> "spAuthncontextClassrefMapping" or in absence of a default value, all of them). However, if the IDP chooses to send a different one than one of the requested ones, this error will occur. The solution is to add the missing one to this property and don't specify a default so that all are requested and acceptable. Another solution is to make sure that all have the same authlevel ("|0") and then use "minimum" as "spAuthncontextComparisonType"; this way, the SP will accept any AuthnContext having the same (or a higher authlevel) than the requested one.