Customization of session.amr Dynamic Authentication Context to Send Only One Value
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

In specific scenarios, sending a single-value authentication context rather than a multi-value context may be necessary to meet application requirements. This article will explore whether the session.amr variable's default multi-value behavior can be altered.

Applies To
  • Single Sign-On
  • Dynamic Authentication Context
  • session.amr
Solution

As per RFC 8176, it is expected behavior to include the specific authentication methods when mfa is present. The session.amr variable's default multi-value behavior cannot be altered.

For example, when using a password with Okta Verify as a second factor, the following multi-value context will be seen in the attribute statement:

<saml:Attribute Name="amr" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:string">pwd</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">mfa</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">swk</saml:AttributeValue>
</saml:Attribute>
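
Because the multi-value behavior cannot be changed on the Okta side, an application that needs one value has to reduce the list itself. The following is an added example, not Okta's code: it assumes the assertion's signature has already been verified by the application's SAML library, and the `single_auth_context` policy and the enclosing namespace declarations are hypothetical.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the attribute from the article, wrapped in an element
# carrying the namespace declarations a full assertion would provide.
SAMPLE = """\
<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="amr" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:string">pwd</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">mfa</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">swk</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def amr_values(statement_xml):
    """Return every value of the 'amr' attribute as a set (order is not relied on)."""
    root = ET.fromstring(statement_xml)
    values = set()
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != "amr":
            continue
        for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            text = (val.text or "").strip()
            if text:
                values.add(text)
    return values


def single_auth_context(values):
    """Collapse the multi-value amr into one label for an app that needs one value.

    Hypothetical policy: 'mfa' wins when present; a lone method is passed
    through; anything else (empty, or several methods without 'mfa') is rejected.
    """
    if "mfa" in values:
        return "mfa"
    if len(values) == 1:
        return next(iter(values))
    raise ValueError(f"cannot reduce amr to one value: {sorted(values)}")
```

Rejecting an empty or ambiguous list, rather than picking the first value, keeps the application from treating an unexpected assertion as a stronger authentication than it was.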