In WSO2IS v4.6.0, the AuthnContextClassRef value is hardcoded to urn:oasis:names:tc:SAML:2.0:ac:classes:Password. In fact, the SAML SSO endpoint actually authenticates users via HTTPS by default and the AuthnContextClassRef value in this case should be urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.

What's the best way to correct this or get this issue on WSO2's radar?

1 Answer

I've created a JIRA ticket for this issue: https://wso2.org/jira/browse/IDENTITY-2585

While waiting for an official fix, you can override their DefaultSAML2SSOManager by specifying your own class in repository/conf/security/application-authentication.xml with:

<Parameter name="SAML2SSOManager">my.version.of.SAML2SSOManager</Parameter>

I use a slightly modified version of their DefaultSAML2SSOManager and am able to connect to our IDP.

Louis Zelus
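To see what the hardcoded value looks like on the wire, and to check it on the relying-party side, here is an added Python example (not from the original answer and not WSO2 code): it parses a constructed SAML 2.0 AuthnRequest, extracts the AuthnContextClassRef from the RequestedAuthnContext, and reports whether it is the plain Password class or PasswordProtectedTransport. The SP entity ID and request ID in the sample are made up.

```python
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed AuthnRequest in the shape WSO2IS 4.6.0 emits: the requested
# context class is the plain Password class even though the IdP endpoint
# itself is served over HTTPS. Entity ID and request ID are placeholders.
AUTHN_REQUEST_WSO2_4_6_0 = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_placeholder-request-id" Version="2.0" IssueInstant="2014-05-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/saml</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# The same request after the override described in the answer.
AUTHN_REQUEST_FIXED = AUTHN_REQUEST_WSO2_4_6_0.replace(PASSWORD, PPT)


def authn_context_class_ref(xml_text):
    """Return the first saml:AuthnContextClassRef in the document, or None.

    Works for an AuthnRequest (samlp:RequestedAuthnContext) and for an
    Assertion (saml:AuthnStatement/saml:AuthnContext), since the element
    lives in the assertion namespace in both cases.
    """
    root = ET.fromstring(xml_text)
    node = root.find(".//{%s}AuthnContextClassRef" % SAML2_ASSERTION_NS)
    if node is None or node.text is None:
        return None
    return node.text.strip()


def classify(xml_text):
    """Map the context class to a short verdict a reviewer can act on."""
    ref = authn_context_class_ref(xml_text)
    if ref == PPT:
        return "password-over-protected-transport"
    if ref == PASSWORD:
        return "password-unprotected-transport-claimed"
    return "other-or-missing"
```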