Description
Working on multi-factor login, I have observed that SATOSA is handling requests for missing authentication context classes wrongly. If an SP asks for the authentication context class https://refeds.org/mfa, the user logs in and the authentication context class reference urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified is returned.
In the SAML2 specification SAML 2.0 Protocol Extension for Requested Authentication Context it is defined that the IdP should return a SAML error if the IdP or the user that logs in can't satisfy the request. Or, as it says in the specification:
If the responder is unable to satisfy the specified Authentication Context then the responder MUST return a <Response> message with a second-level <StatusCode> of urn:oasis:names:tc:SAML:2.0:protocol:NoAuthnContext.
(created on behalf of Pal; thanks for letting me know)
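The following is an added example, not SATOSA or pysaml2 code, that shows both halves of the behaviour described above: an SP-side check that refuses a Response whose asserted AuthnContextClassRef (here the "unspecified" class) does not match what was requested (https://refeds.org/mfa), and a builder for the Response a responder should send instead, with a second-level StatusCode nested under a top-level Responder code. The sample Response XML, the IDs, the issuer URL and the timestamps are constructed for the example; the status-code URIs are the ones listed in SAML 2.0 Core, and the comparison is a plain exact match of class references.

```python
# Added example (not SATOSA's own code): SP-side AuthnContext verification and
# an IdP/proxy-side "NoAuthnContext" error Response. Uses only the stdlib.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

REFEDS_MFA = "https://refeds.org/mfa"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
# Status URIs as listed in SAML 2.0 Core (status code section).
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

# Constructed sample: what the issue describes, a Success Response that asserts
# the "unspecified" class although the SP asked for REFEDS MFA.
BUGGY_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_req1">
  <saml:Issuer>https://proxy.example.org/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://proxy.example.org/idp</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{UNSPECIFIED}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample of a Response that genuinely satisfies the request.
MFA_RESPONSE = BUGGY_RESPONSE.replace(UNSPECIFIED, REFEDS_MFA)


def status_codes(response_xml):
    """Return the StatusCode chain of a Response, outermost first."""
    root = ET.fromstring(response_xml)
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes


def asserted_context_classes(response_xml):
    """Collect every AuthnContextClassRef asserted in the Response's assertions."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(el.text or "").strip() for el in root.findall(path, NS)]


def satisfies_request(requested, asserted):
    """Exact comparison: some asserted class must be one of the requested ones.
    Hence "unspecified" never satisfies an explicit request for REFEDS MFA."""
    wanted = set(requested)
    return any(a in wanted for a in asserted)


def sp_decision(requested, response_xml):
    """SP-side check. Returns (accepted, reason). Only a Success Response whose
    asserted AuthnContextClassRef matches the request is accepted."""
    codes = status_codes(response_xml)
    if codes[:1] != [STATUS_SUCCESS]:
        return False, "non-success status: " + " / ".join(codes)
    asserted = asserted_context_classes(response_xml)
    if not satisfies_request(requested, asserted):
        return False, f"asserted {asserted} does not satisfy requested {requested}"
    return True, "ok"


def no_authn_context_response(in_response_to, issuer):
    """Build the Response a responder should return when it cannot satisfy the
    requested AuthnContext: top-level Responder, second-level NoAuthnContext."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_resp-noauthncontext", "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z", "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_RESPONDER})
    ET.SubElement(top, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_NO_AUTHN_CONTEXT})
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    print(sp_decision([REFEDS_MFA], BUGGY_RESPONSE))   # rejected: unspecified != mfa
    print(sp_decision([REFEDS_MFA], MFA_RESPONSE))     # accepted
    err = no_authn_context_response("_req1", "https://proxy.example.org/idp")
    print(status_codes(err), sp_decision([REFEDS_MFA], err))
```

The SP-side check is the defensive counterpart to the bug: even if a proxy or IdP returns Success with a downgraded class reference, an SP that compares the asserted AuthnContextClassRef against what it requested will not treat the login as MFA. The builder shows the shape of the error Response the spec calls for, so the SP sees a non-success status instead of a misleading assertion.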