RequestedAuthenticationContext.References Property


Gets a collection that contains an ordered list of URIs that reference acceptable authentication context classes. [SamlCore,]

Namespace:   Microsoft.IdentityServer.Protocols.Saml
Assembly:  Microsoft.IdentityServer (in Microsoft.IdentityServer.dll)


public Collection<Uri> References { get; }
property Collection<Uri^>^ References {
    Collection<Uri^>^ get();
member References : Collection<Uri> with get
Public ReadOnly Property References As Collection(Of Uri)

Property Value

Type: System.Collections.ObjectModel.Collection<Uri>

A Collection<T> of Uri that contains the authentication context classes. The default is an empty collection.


The SAML authentication context classes are defined in section 3.4 of the Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0 Specification ( Only a subset of the authentication context classes defined by this specification is supported by Active Directory® Federation Services (AD FS) 2.0. For more information about the supported context classes, see Supported SAML Authentication Context Classes and Strengths.

During IdP-initiated sign-on, if the IdentityProviderInitiatedSignonPage.SignIn method is called with a SignOnRequestParameters object that has its RequestedAuthenticationContext property set to a non-null value, AD FS 2.0 attempts to authenticate the user using an authentication method based on the authentication context classes supplied in the References property, the comparison rule supplied in the Comparison property, and the current Authentication Context Order settings. For more information about the Authentication Context Order settings, see Supported SAML Authentication Context Classes and Strengths.

You can add one or more of the supported authentication context class URIs to the References collection to specify the desired methods of authentication. AD FS 2.0 evaluates the context classes in the order in which they are specified in the References collection; however, in cases in which AD FS 2.0 evaluates the requested authentication context against the configured authentication handlers (for example when the SignOnRequestParameters.ForceAuthentication property is true), it evaluates the handlers in the order in which they are configured in web.config. This means that the order in which the handlers are configured may take precedence over the order in which context classes are specified in the References property in determining the method to use to authenticate the user.

For more information about how to use the RequestedAuthenticationContext class including code samples, see IdpInitiatedSignOnPage Class Overview


If the References collection is empty, an exception will occur during serialization. You must add at least one authentication context class URI to the References collection.

See Also

RequestedAuthenticationContext Class
Microsoft.IdentityServer.Protocols.Saml Namespace
IdpInitiatedSignOnPage Class Overview
Supported SAML Authentication Context Classes and Strengths

Return to top