SUNET · alessandrodi · Feb 27, 2025 · Feb 27, 2025 · Mar 3, 2025 · Mar 3, 2025
diff --git a/src/eduid/webapp/idp/assurance.py b/src/eduid/webapp/idp/assurance.py
@@ -150,7 +150,8 @@ def _gather_credentials(self, sso_session: SSOSession, ticket: LoginContext, use
         _used_request = [x for x in _used_credentials.values() if x.source == UsedWhere.REQUEST]
         logger.debug(f"Number of credentials used with this very request: {len(_used_request)}")
 
-        if ticket.reauthn_required:
+        req_authn_ctx = ticket.get_requested_authn_context()
+        if ticket.reauthn_required or req_authn_ctx is EduidAuthnContextClass.DIGG_LOA2:
             logger.debug("Request requires authentication, not even considering credentials from the SSO session")
             return list(_used_credentials.values())
 
@@ -214,7 +215,7 @@ def credentials(self) -> list[UsedCredential]:
         return self._credentials
 
 
-def response_authn(authn: AuthnState, ticket: LoginContext, user: IdPUser, sso_session: SSOSession) -> AuthnInfo:
+def response_authn(authn: AuthnState, ticket: LoginContext, user: IdPUser) -> AuthnInfo:
     """
     Figure out what AuthnContext to assert in a SAML response,
     given the RequestedAuthnContext from the SAML request.

diff --git a/src/eduid/webapp/idp/login.py b/src/eduid/webapp/idp/login.py
@@ -197,7 +197,7 @@ def login_next_step(ticket: LoginContext, sso_session: SSOSession | None) -> Nex
 
     try:
         authn_state = AuthnState(user, sso_session, ticket)
-        authn_info = assurance.response_authn(authn_state, ticket, user, sso_session)
+        authn_info = assurance.response_authn(authn_state, ticket, user)
         res = NextResult(message=IdPMsg.proceed, authn_info=authn_info, authn_state=authn_state)
     except MissingPasswordFactor:
         res = NextResult(message=IdPMsg.must_authenticate)