Authentication context class reference

The Pointsharp authentication context mapper determines and sets the SAML AuthnContextClassRef using authentication context information, including multi-factor authentication. The mapper supports flexible configuration for different authentication scenarios and integration needs.

Configure authentication context

  1. Open the Pointsharp IdP Admin GUI.

  2. Select the realm you want to configure.

  3. Go to Clients and select your client.

  4. Click the Client scopes tab.

  5. Click the dedicated scope.

  6. Click Configure a new mapper (select add "by configuration" if mappers already exist).

  7. Configure the mapper.

  8. Click Save.

AuthnContextClassRef

Select the default AuthnContextClassRef to set when multi-factor authentication is detected.

Available options

  • urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified (Default)

  • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

  • urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI

  • urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient

  • urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken

  • urn:federation:authentication:windows

  • http://schemas.microsoft.com/claims/multipleauthn (Microsoft Entra ID Multi-factor)

  • custom (Use custom URI)

Example configuration:

AuthnContextClassRef: http://schemas.microsoft.com/claims/multipleauthn

Custom AuthnContextClassRef

Select Custom to specify a custom AuthnContextClassRef URI.

All custom URIs are validated for security before use.

Examples

# Custom corporate authentication context
urn:company:authentication:mfa
# Custom high assurance level
urn:custom:authentication:high-assurance
# Industry-specific context
urn:healthcare:authentication:pki-smartcard

Force authentication context

Forces the use of the selected AuthnContextClassRef value, regardless of the authentication context. Default: false

This option bypasses all authentication validation. Use with extreme caution in production environments.

Session note mappings

The mapper can be configured to read multiple incoming session notes with specific values and map each of them to a corresponding AuthnContextClassRef.

The first matching mapping is applied based on priority order from top to bottom.

Session note mapping options

  • Dynamic Addition: Allows session notes to be added automatically during authentication. Use the "+" button to create additional mappings.

  • Dynamic Removal: Allows session notes to be removed during authentication. Use the "-" button to remove unwanted session note mappings.

  • Reordering: Drag and drop to change priority order.

  • No Limits: Add as many mappings as needed.

Examples

Format: SESSIONNOTE=VALUE->AuthnContextClassRef

# Basic authentication level mapping
AUTH_LEVEL=high->urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
AUTH_LEVEL=medium->urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
# MFA type-based mapping
MFA_TYPE=biometric->urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
MFA_TYPE=smartcard->urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
MFA_TYPE=mobile->urn:oasis:names:tc:SAML:2.0:ac:classes:TwoFactorMobileAuth
# Pointsharp-specific mappings
POINTSHARP_AUTH_METHOD=mfa_completed->http://schemas.microsoft.com/claims/multipleauthn
POINTSHARP_DEVICE=mobile->urn:oasis:names:tc:SAML:2.0:ac:classes:TwoFactorMobileAuth

Custom session note

Single custom session note name for legacy MFA detection.

Examples

# Standard MFA completion indicator
MFA_COMPLETED
# Custom authentication marker
CUSTOM_AUTH_COMPLETE
# Pointsharp-specific note
POINTSHARP_MFA_STATUS

Configuration scenarios

Microsoft Entra ID Integration

Integrate with Microsoft Entra ID using their multipleauthn context.

Configuration

AuthnContextClassRef: http://schemas.microsoft.com/claims/multipleauthn
Force Authentication Context: ☐ Disabled
Session Note Mappings: (empty)
Custom Session Note: (empty)

LoA level

Force a specific LoA level in the Authentication context.

Configuration

AuthnContextClassRef: http://id.swedenconnect.se/ec/sc/uncertified-loa3
Force Authentication Context: ☑ Enabled
Session Note Mappings: (empty)
Custom Session Note: (empty)

Custom mapper

Set the Authentication Context Class Reference (ACR) based on session notes set by a custom mapper.

Configuration

AuthnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
Force Authentication Context: ☐ Disabled
Session Note Mappings:
 [+] CUSTOM_NOTE1=mobile->urn:oasis:names:tc:SAML:2.0:ac:classes:TwoFactorMobileAuth
 [+] CUSTOM_NOTE2=desktop->urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Custom Session Note: (empty)

Processing logic

  1. Force Authentication Context: If enabled, uses configured default (highest priority).

  2. Session Note Mappings: Checks configured mappings for exact matches.

  3. Custom Session Note: Checks single custom session note for MFA indication.

  4. Standard MFA Detection: Uses Pointsharp IdP’s standard MFA detection methods.

  5. Default Fallback: Uses default AuthnContextClassRef if nothing matches.
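The resolution order above, together with the first-match priority rule for session note mappings, as an added worked example. This is illustrative code written for this page, not Pointsharp's implementation; the names MapperConfig, parse_mapping and resolve_acr, the presence-only check for the custom session note, and the fallback to "unspecified" are assumptions.

```python
"""Resolution order of the AuthnContextClassRef mapper, modelled on the
'Processing logic' steps above. Added illustration, not Pointsharp's code;
MapperConfig, parse_mapping and resolve_acr are assumed names."""
from dataclasses import dataclass, field
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

def parse_mapping(line: str) -> tuple[str, str, str]:
    """Parse one 'SESSIONNOTE=VALUE->AuthnContextClassRef' mapping line."""
    lhs, acr = line.split("->", 1)
    note, value = lhs.split("=", 1)
    return note.strip(), value.strip(), acr.strip()

@dataclass
class MapperConfig:
    default_acr: str = UNSPECIFIED   # the "AuthnContextClassRef" option
    force: bool = False              # "Force authentication context"
    mappings: list = field(default_factory=list)  # top entry = highest priority
    custom_note: str = ""            # "Custom session note" (legacy MFA flag)

def resolve_acr(cfg: MapperConfig, session_notes: dict,
                standard_mfa_detected: bool = False) -> str:
    """Return the AuthnContextClassRef to emit, following steps 1 to 5."""
    # 1. Force: configured value wins regardless of how the user authenticated.
    if cfg.force:
        return cfg.default_acr
    # 2. Session note mappings: exact value match, first hit in list order wins.
    for note, value, acr in cfg.mappings:
        if session_notes.get(note) == value:
            return acr
    # 3. Custom session note: presence counts as MFA (assumed; the page does
    #    not say whether a specific value is required).
    if cfg.custom_note and cfg.custom_note in session_notes:
        return cfg.default_acr
    # 4. Standard MFA detection, represented here by a flag the caller supplies.
    if standard_mfa_detected:
        return cfg.default_acr
    # 5. Nothing matched: fall back to 'unspecified' (assumed reading of
    #    "default AuthnContextClassRef"; the page does not spell it out).
    return UNSPECIFIED

# Constructed sample: the 'Custom mapper' scenario plus a legacy note.
CUSTOM_MAPPER = MapperConfig(
    default_acr="http://schemas.microsoft.com/claims/multipleauthn",
    mappings=[parse_mapping(m) for m in (
        "CUSTOM_NOTE1=mobile->urn:oasis:names:tc:SAML:2.0:ac:classes:TwoFactorMobileAuth",
        "CUSTOM_NOTE2=desktop->urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    )],
    custom_note="MFA_COMPLETED",
)
```

Because matching is exact, a session note holding "Mobile" or "MOBILE" does not hit the "mobile" mapping and falls through to the later steps, so the values written by the custom mapper and the values listed in the mappings must agree character for character.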