...
The requested LoA is seen as a minimum LoA. The Strong Authentication gateway The SURFsecureID gateway can perform authentication at a higher LoA, in which case the higher level will be expressed in the returned SAML Assertion.
The requested LoA is passed to the Strong Authentication gateway the SURFsecureID gateway in an AuthnContextClassRef element in a RequestedAuthnContext element in the SAML AuthnRequest:
...
Authentication failure
When authentication fails, it is generally because the user:
...