AuthnContext doesn't match RequestedAuthnContext



Possibility 1:

If preceded in the log file by: SAML2Utils.isAuthnContextMatching: AuthnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken is not supported.


sp-extended.xml (spAuthncontextClassrefMapping) and idp-extended.xml (idpAuthncontextClassrefMapping) each hold a list of supported 'login tokens' (AuthnContextClassRef values). The token sent by the IDP (usually the first in its list) must also appear in the SP's list.

Possibility 2:

Stack trace shows:



This is SP-initiated SSO, where the SP requests a specific AuthnContext: either the one marked with "|default" in the sp-extended.xml "spAuthncontextClassrefMapping" property or, if no default is marked, all of them. If the IDP then sends an AuthnContext that is not among the requested ones, this error occurs. One solution is to add the missing one to this property and not mark a default, so that all are requested and acceptable. Another is to make sure all entries have the same authlevel ("|0") and set "spAuthncontextComparisonType" to "minimum"; the SP will then accept any AuthnContext with the same or a higher authlevel than the requested one.
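The following is an added model of the SP-side decision described in both possibilities above. It is not OpenAM/OpenSSO code; it assumes each mapping entry has the layout "AuthnContextClassRef|authlevel|default" (with "|default" optional), and the mapping values and the Kerberos class reference are constructed for the example. It shows the two failure paths (token not in the SP's list; token listed but not requested under "exact") and the two fixes (no default so all are requested; equal authlevels with "minimum").

```python
# Added illustrative model (not OpenAM's code) of the SP-side AuthnContext check.
# Assumed entry format: "<AuthnContextClassRef>|<authlevel>|default", where the
# "|default" marker is optional. All sample mapping values below are constructed.

PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
TIME_SYNC = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

NOT_SUPPORTED = "is not supported"
MISMATCH = "AuthnContext doesn't match RequestedAuthnContext"


def parse_classref_mapping(entries):
    """Return ({classref: authlevel}, default_classref_or_None)."""
    levels = {}
    default = None
    for entry in entries:
        fields = entry.split("|")
        classref = fields[0]
        levels[classref] = int(fields[1]) if len(fields) > 1 and fields[1] else 0
        if "default" in fields[2:]:
            default = classref
    return levels, default


def requested_classrefs(levels, default):
    """SP-initiated SSO requests only the default entry if one is marked,
    otherwise every configured class reference."""
    return [default] if default is not None else list(levels)


def is_authn_context_matching(returned, sp_entries, comparison="exact"):
    """Decide whether the AuthnContextClassRef returned by the IDP satisfies
    what the SP requested. Returns (ok, reason)."""
    levels, default = parse_classref_mapping(sp_entries)
    if returned not in levels:
        # Possibility 1: the IDP's token is not in the SP's list at all.
        return False, f"AuthnContextClassRef {returned} {NOT_SUPPORTED}"
    requested = requested_classrefs(levels, default)
    if comparison == "exact":
        # Possibility 2: listed, but not one of the requested entries.
        ok = returned in requested
    elif comparison == "minimum":
        # Accept anything at least as strong as the weakest requested entry.
        ok = levels[returned] >= min(levels[r] for r in requested)
    else:
        raise ValueError(f"unsupported spAuthncontextComparisonType: {comparison}")
    return (True, "") if ok else (False, MISMATCH)


# Scenario A (constructed): SP does not list TimeSyncToken; IDP sends it.
SP_WITHOUT_TIMESYNC = [f"{PPT}|0|default", f"{KERBEROS}|0"]

# Scenario B (constructed): a default is marked; IDP sends a listed, non-default token.
SP_WITH_DEFAULT = [f"{PPT}|0|default", f"{KERBEROS}|0", f"{TIME_SYNC}|0"]

# Fix 1 (constructed): no default, so all three are requested and acceptable.
SP_NO_DEFAULT = [f"{PPT}|0", f"{KERBEROS}|0", f"{TIME_SYNC}|0"]


def demo():
    """Run the four cases discussed in the text and return their outcomes."""
    return {
        "possibility_1": is_authn_context_matching(TIME_SYNC, SP_WITHOUT_TIMESYNC),
        "possibility_2": is_authn_context_matching(KERBEROS, SP_WITH_DEFAULT),
        "fix_no_default": is_authn_context_matching(KERBEROS, SP_NO_DEFAULT),
        # Fix 2: same authlevel everywhere plus "minimum" comparison.
        "fix_minimum": is_authn_context_matching(KERBEROS, SP_WITH_DEFAULT, "minimum"),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL: ' + reason}")
```

Running it prints a failure with the "is not supported" reason for the first case, the mismatch error for the second, and OK for both fixes; with "minimum", a returned token whose authlevel is lower than the requested one is still rejected, which is why the text insists on giving all entries the same authlevel.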