...
What does the standard require an SP to do?
Nothing. If it doesn't care about assurance, it doesn't have to do anything. If it does careIf the SP intends to request one or more qualifiers, then it has to determine what it's prepared to accept, and where appropriate, configure itself to include the acceptable values in its <samlp:AuthnRequest> messages.
...
The SP extracts and makes available the IdP's asserted IAQ for a session in a variable called "Shib-AuthnContext-Class". The exact name and syntax for accessing it will vary by programming language (see https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess
).
Limiting and filtering IAQs
...
To populate the <samlp:RequestedAuthnContext> element in the SP's requests, the authnContextClassRef AuthnContextClassRef content setting can be used.
...