Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
23,297 questions
Passing Custom ACR Values in SAML Attributes
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 0%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Shishir
0
Reputation points
I'm attempting to pass the correct AuthenticationContextClassRef (ACR) values in SAML attributes to an application for access.
I've already:
- Created a new policy and enabled MFA at the application level
- Set authentication strength in Conditional Access for the application
However, I am unable to pass custom ACR values (like timesynctoken or x509) in the SAML response. Even when enforcing the conditional access policy, when I decode the SAML assertion, I still see "password" as the ACR value. I need this value to be changed to "timesync token."
Could someone provide the complete steps for this process to pass a custom value of ACR in SAML attributes?
This question is related to the following Learning Module
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 89%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHE%3C/text%3E%3C/svg%3E)
Harshitha Eligeti 1,695 Reputation points Microsoft Vendor2025-02-18T11:40:35.4266667+00:00 Hi @Shishir
Thank you for reaching out Microsoft Q&A Platform.
I understand that you are attempting to pass custom Authentication Context Class Reference (ACR) values in the SAML response. However, you are unable to pass c to pass custom ACR values such as "timesynctoken" or "x509" in the response. Despite this, the ACR value is still showing as "password." You are trying to modify the value to "timesynctoken."Microsoft Entra ID supports following
AuthnContextClassRefvalues.Please ensure that you attempt to pass the X509 value instead of the timesynctoken.
NOTE: If the
RequestedAuthnContextis included in the SAML request, theComparisonelement must be set toexact.For Additional Information, please follow these documents: https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-saml-idp
Hope this helps. Do let us know if you any further queries.
Sign in to comment
Sign in to answer