...
- The SAML standard allows multiple
AuthnContextClassRefelements to be specified in theRequestedAuthnContext. Currenly SURFsecureID will only look at the firstAuthnContextClassRefelement. - Specifying an
AuthnContextClassRefother than one the of the defined authentication levels for SFO will result in an error. - The SAML standard allows a
Comparisionattribute to be added to the theRequestedAuthnContextelement. Currently SURFsecureID does not interpret the value of this attribute and behaves as if"minimum"was specified as value for theComparisonattribute, which is a deviation of the SAML standard which specifies"exact"as the default."minimum"means that the authentication context in the authentication statement that is returned after a successfull successful authentication will either be the requested authentication context, or the the authentication context of a stronger (i.e. higher level) authentication. SURFsecureID currently always returns the authentication context corrsponding to the highst highest level at which the user could be authentictated.
...
An example code for using SFO with SimpleSAMLphp can be found at: https://github.com/SURFnet/Stepup-SFO-demo