Open
Description
Even if an SP made an AuthnRequest with a proper AuthnContext as follows
<samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>
        that-policy
    </saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
if the IDP successfully replies with a Response carrying an absent, unvalued, or malformed AuthnContext, the SP takes the Response as good. Here is an example of those invalid assertions in pysaml2 Responses:
<saml:AuthnContext>
    <saml:AuthnContextClassRef>
        something-different
    </saml:AuthnContextClassRef>
</saml:AuthnContext>
I wonder if it would not be the case to consider a list of valid AuthnContexts on which to apply the internal policy of an SP.
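An SP-side check of the kind this report asks for, added here as an example and not pysaml2's own code: it rejects an absent, empty, malformed or unknown AuthnContextClassRef and otherwise applies the RequestedAuthnContext Comparison rule against an assumed, SP-configured ordering of acceptable classes (the STRENGTH list and the sample assertion are constructed assumptions).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed SP policy (not from pysaml2): acceptable classes, weakest to strongest.
STRENGTH = [
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
]
def sample_assertion(class_ref):
    """Constructed minimal assertion; class_ref=None omits AuthnContextClassRef."""
    inner = "" if class_ref is None else (
        "<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>" % class_ref)
    return ('<saml:Assertion xmlns:saml="%s"><saml:AuthnStatement>'
            '<saml:AuthnContext>%s</saml:AuthnContext>'
            '</saml:AuthnStatement></saml:Assertion>' % (NS["saml"], inner))

def extract_class_ref(assertion_xml):
    """Return the AuthnContextClassRef text, or None if absent, empty or malformed."""
    try:
        root = ET.fromstring(assertion_xml)
    except ET.ParseError:
        return None
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    node = root.find(path, NS)
    if node is None or node.text is None:
        return None
    return node.text.strip() or None

def satisfies(received, requested, comparison="exact"):
    """Apply the RequestedAuthnContext Comparison rule against the SP policy."""
    if received not in STRENGTH:   # absent, empty, malformed or unknown: reject
        return False
    ranks = [STRENGTH.index(c) for c in requested if c in STRENGTH]
    if not ranks:
        return False
    got = STRENGTH.index(received)
    if comparison == "exact":
        return got in ranks
    if comparison == "minimum":    # at least as strong as one requested class
        return got >= min(ranks)
    if comparison == "better":     # strictly stronger than every requested class
        return got > max(ranks)
    if comparison == "maximum":    # no stronger than the strongest requested class
        return got <= max(ranks)
    return False

def check_response(assertion_xml, requested, comparison="exact"):
    return satisfies(extract_class_ref(assertion_xml), requested, comparison)
```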