authncontexclassref question


We have a SP that's have one Saml2 federation with our IDP but have both a webb app and a mobil app using the federation for authentication

Web app is requiring smart card (routed to external IDP) for auth and mobile app is requiring otp, we have done a setup where SP is sending different authncontextclassref for web and mobile apps and we are routing the incoming requests based on that, that is working fine

Now customer want to add a third contract/method to the web application also using a external IDP for authentication, so when the authncontextclassref "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI" comes in a authnreq we have configured both external IDP configurations with "requested by>>use types", "comparison level>>maximum" and type = smartcardpki, that is the same that comes in the request.

Problem is that the new external idp is responding with "saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract", users get authenticated but NAM can't match request with response.

I know we can ask the external IDP to change what they are replying, I have done that, don't know if they can/will change yet

Does anybody knows if there a way in NAM to manipulate the response so we can disregard what we are receiving and match request/response and responde back what the originating SP is expecting.