tags:

views: 35

answers: 0

I know AuthnContext is an optional part of the SAMLResponse.

Confusion prevails over the 'correct' use of saml:AuthnContextClassRef in the SAMLResponse. Based on our user authentication, it should always be 'PasswordProtectedTransport', since we do not have any other authentication mechanisms. But there might be some service providers with higher requirements who may discard our SAMLResponse. Some SPs also advertise their requirements in the AuthnContextClassRef in the AuthnRequest itself.

The question is: what should we do? Allow this to be configured on a per-SP basis and give the SP what it expects, or always send 'PasswordProtectedTransport'? Are there any real-life SPs which do not allow us to configure this field on the SP side? (I would think government applications?) I have seen some implementations like OpenSSO which allow you to configure it on a per-COT basis. Is it a violation of the SAML standards when you authenticate using a less secure method and claim to have done so using a 'strong' method?

What should implementors do in this scenario? Have you encountered some SPs like this?
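The following is an added example, not code from the original poster or from OpenSSO, showing what the honest option in the question looks like in practice: an IdP that only does password-over-TLS parses the SP's samlp:RequestedAuthnContext, applies the Comparison rule (exact, minimum, maximum, better) from SAML 2.0 core, and then either issues an assertion whose AuthnContextClassRef is the method it actually performed or refuses with the second-level status urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext, which the core spec defines for exactly this case. It never copies the SP's requested class into the response. Assumptions: the STRENGTH table is a hypothetical local ordering (the spec leaves "stronger" to the responder's judgement), the AuthnRequest and Response messages are constructed and unsigned skeletons (no Issuer, Subject, Conditions or Signature), and the issuer URL and IDs are made up.

```python
"""Added example: answer a SAML 2.0 AuthnRequest without overstating the
authentication method. Stdlib only; all messages below are constructed."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PPT = AC + "PasswordProtectedTransport"          # the only method this IdP performs
ST_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ST_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ST_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

# Hypothetical local strength ordering (assumption): SAML core leaves the
# notion of "stronger" to the responder, so this is IdP policy, not the spec's.
STRENGTH = {AC + "unspecified": 0, AC + "Password": 1, PPT: 2,
            AC + "MobileTwoFactorContract": 3, AC + "TLSClient": 4,
            AC + "X509": 4, AC + "SmartcardPKI": 5}


def requested_context(authn_request_xml):
    """Return (Comparison, [class refs]) from the AuthnRequest; absent means exact/none."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return "exact", []
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return rac.get("Comparison", "exact"), refs


def satisfies(actual, comparison, requested):
    """SAML core 3.3.2.2.1 Comparison semantics, evaluated with the local STRENGTH order."""
    if not requested:
        return True                          # SP stated no requirement
    if comparison == "exact":
        return actual in requested
    ranks = [STRENGTH[r] for r in requested if r in STRENGTH]
    if actual not in STRENGTH or not ranks:
        return False                         # never claim to satisfy a class we cannot rank
    mine = STRENGTH[actual]
    if comparison == "minimum":              # at least as strong as one of the requested
        return mine >= min(ranks)
    if comparison == "maximum":              # not exceeding the strength of at least one
        return mine <= max(ranks)
    if comparison == "better":               # stronger than any of the requested
        return mine > max(ranks)
    return False


def handle_authn_request(authn_request_xml, actual=PPT):
    """Build an (unsigned, skeletal) samlp:Response that reports the method really used."""
    req = ET.fromstring(authn_request_xml)
    comparison, requested = requested_context(authn_request_xml)
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_resp1", "Version": "2.0", "IssueInstant": "2024-01-01T00:00:00Z",
        "InResponseTo": req.get("ID", "")})           # constructed ID and timestamp
    top = ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode")
    if not satisfies(actual, comparison, requested):
        # Refuse rather than assert a class we did not perform.
        top.set("Value", ST_RESPONDER)
        ET.SubElement(top, f"{{{SAMLP}}}StatusCode").set("Value", ST_NO_AUTHN_CONTEXT)
        return ET.tostring(resp, encoding="unicode")
    top.set("Value", ST_SUCCESS)
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_a1", "Version": "2.0", "IssueInstant": "2024-01-01T00:00:00Z"})
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement",
                         {"AuthnInstant": "2024-01-01T00:00:00Z"})
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    # The actual method goes here, regardless of what the SP asked for.
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = actual
    return ET.tostring(resp, encoding="unicode")


def summarize(response_xml):
    """(top-level status, second-level status or None, asserted class or None)."""
    root = ET.fromstring(response_xml)
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    sub = top.find(f"{{{SAMLP}}}StatusCode")
    ref = root.find(f".//{{{SAML}}}AuthnContextClassRef")
    return (top.get("Value"), sub.get("Value") if sub is not None else None,
            ref.text if ref is not None else None)


def sample_request(comparison=None, *classes):
    """Constructed AuthnRequest (not captured from a real SP); issuer URL is made up."""
    rac = ""
    if comparison is not None:
        refs = "".join(f"<saml:AuthnContextClassRef>{c}</saml:AuthnContextClassRef>"
                       for c in classes)
        rac = f'<samlp:RequestedAuthnContext Comparison="{comparison}">{refs}</samlp:RequestedAuthnContext>'
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" '
            f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            f'<saml:Issuer>https://sp.example.org/sp</saml:Issuer>{rac}</samlp:AuthnRequest>')


if __name__ == "__main__":
    for req in (sample_request(), sample_request("minimum", AC + "Password"),
                sample_request("exact", AC + "SmartcardPKI")):
        print(summarize(handle_authn_request(req)))
```

Per-SP configuration still has a place in this design, but it is the STRENGTH ordering and the refusal behaviour that are configured, not the class name that gets asserted; an SP whose metadata or AuthnRequest demands a class the IdP cannot perform gets a NoAuthnContext refusal that its operators can see, rather than an assertion that misrepresents the login.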