We have multiple LAG clusters using the same IDP Clusters.

One Cluster is for the home office and is in the xyz.com domain.

The other is for a specific group and is in the abc.xyz.com domain.

We are using SAML federation with WebEX and it works well when we
authenticate from the xyz.com.

However, when we authenticate first from the abc.xyz.com domain the
SAML assertion fails.

We see the following differences in the SAML assertion:

When we go to the site directly, or if we have authenticated from the
xyz.com, the AuthnContextClassRef is: (Which works)
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>

When we go to the abc.xyz.com domain and authenticate and then go to the SP,
we see (Which Fails)

We can set the value on the SP to only one value.
Can someone explain:
How the saml:AuthnContextClassRef values should be used?

Why are they different?

If we set the value on the SP to:

Does that imply the SP should accept any?


Thank You for your help!

Jim Willeke
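
One way to line up the AuthnContextClassRef in each captured assertion against the single value configured on the SP (an added example, not part of the original post). The sample assertions are constructed, the second class URI is a placeholder rather than the value from the post, and the exact-match comparison is an assumption about how the SP checks the value.

```python
"""Compare AuthnContextClassRef in captured SAML assertions with the SP's one configured value."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def sample_assertion(class_ref):
    """Build a minimal, unsigned assertion for the demo (constructed, not a real capture)."""
    ctx = f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>" if class_ref else ""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_constructed" Version="2.0">'
        '<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">'
        f"<saml:AuthnContext>{ctx}</saml:AuthnContext>"
        "</saml:AuthnStatement></saml:Assertion>"
    )


def class_refs(assertion_xml):
    """Return one entry per AuthnStatement: the class URI, or None if it is absent."""
    # Intended for captures you took yourself; stdlib parser, no entity hardening.
    root = ET.fromstring(assertion_xml)
    refs = []
    for stmt in root.iter(f'{{{NS["saml"]}}}AuthnStatement'):
        node = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
        text = node.text.strip() if node is not None and node.text else None
        refs.append(text or None)
    return refs


def compare(captures, sp_value):
    """Map each capture label to (class refs, True if every ref equals sp_value exactly)."""
    report = {}
    for label, xml_text in captures.items():
        refs = class_refs(xml_text)
        report[label] = (refs, bool(refs) and all(r == sp_value for r in refs))
    return report


# Constructed captures. The second class URI is a placeholder, not the value from the post.
CAPTURES = {
    "via xyz.com": sample_assertion(PPT),
    "via abc.xyz.com": sample_assertion("urn:example:placeholder:authn-class"),
    "no class ref": sample_assertion(None),
}

if __name__ == "__main__":
    for label, (refs, ok) in compare(CAPTURES, PPT).items():
        print(f"{label:18} {'match' if ok else 'MISMATCH'}  {refs}")
```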