‘acr_values’ Parameter Support on the Authorization Endpoint
The OpenID Connect Core specification defines the optional acr_values parameter on the authorization endpoint as:
“‘acr_values’ : OPTIONAL. Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.”
Source: OpenID Connect Core specification - section 3.1.2.1
With this parameter, the authentication methods prompted by the ActivID AS server IdP are filtered by the acr values presented in the parameter. Only the authentication policies that correspond to the acr/LoA values in this parameter are proposed.
For example, when sending the following request:
https://server.example.com:8445/idp/domain/authn/login?response_type=code&client_id=spl-api&redirect_uri=http://localhost&scope=openid%20profile
The ActivID AS server displays the following screen:
If you add the acr_values parameter as follows:
https://server.example.com:8445/idp/domain/authn/login?response_type=code&client_id=spl-api&redirect_uri=http://localhost&scope=openid%20profile&acr_values=2%203
The ActivID AS server will display a login page with only the authentication methods that have the acr/LoA value 2 or 3. The authentication methods that do not correspond will be filtered out.
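Because the acr Claim is only requested as a Voluntary Claim, the relying party should compare the acr value returned in the ID token with what it asked for. The following is an added example, not code from the ActivID AS documentation; the function names are hypothetical, the state and nonce parameters are standard OpenID Connect parameters that the sample request above omits, and the ID token claims are assumed to have already passed signature validation.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Endpoint and client values are taken from the sample request on this page.
AUTHZ_ENDPOINT = "https://server.example.com:8445/idp/domain/authn/login"


def build_authn_request(acr_values, state, nonce):
    """Return the authorization URL; acr_values is a list in order of preference."""
    if not acr_values or any((not v) or (" " in v) for v in acr_values):
        raise ValueError("each acr value must be a non-empty token without spaces")
    params = {
        "response_type": "code",
        "client_id": "spl-api",
        "redirect_uri": "http://localhost",
        "scope": "openid profile",
        "acr_values": " ".join(acr_values),  # space-separated, OIDC Core 3.1.2.1
        "state": state,   # not in the page's sample URL; added here
        "nonce": nonce,   # not in the page's sample URL; added here
    }
    # quote_via=quote encodes spaces as %20, matching the page's sample URL.
    return AUTHZ_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def requested_acr(url):
    """Recover the requested acr list from an authorization URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("acr_values", [""])[0].split()


def acr_satisfied(id_token_claims, requested):
    """True only if the ID token's acr claim is one of the requested values.

    A missing acr claim, or one that was not requested, is rejected here;
    this strict policy is the example's choice, not a server requirement.
    """
    acr = id_token_claims.get("acr")
    return isinstance(acr, str) and acr in requested


if __name__ == "__main__":
    url = build_authn_request(["2", "3"], state="constructed-state", nonce="constructed-nonce")
    print(url)
    wanted = requested_acr(url)
    # Constructed ID token claim sets, for illustration only.
    for claims in ({"sub": "alice", "acr": "3"}, {"sub": "alice", "acr": "1"}, {"sub": "alice"}):
        print(claims, "->", "accept" if acr_satisfied(claims, wanted) else "reject")
```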