...
Authentication Context requests
An SP that has an authentication-related business requirement to require require specific authncontextclassref values in assertions MUST specify the those allowable values in the RequestedAuthnContext element of authnrequests it generates. Conversely, if an SP does not specify RequestedAuthnContext values in authnrequests it generates, or if the SP does not support the generation of authentication requests (reference to SP-initiated, above), then the SP MUST NOT restrict allowable authcontextclassref values in IdP assertions.
...