The following procedure assumes that you are mapping urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport to authentication level 4 on the service provider and using the LDAP authentication module for authentication on the identity provider.
Set the mapping for the spAuthncontextClassrefMapping property in the current extended service provider metadata.
For example, PasswordProtectedTransport|4
Reload the modified metadata using saml2meta.
Set the mapping for the idpAuthncontextClassrefMapping property in the current extended identity provider metadata.
For example, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|module=LDAP
Reload the modified metadata using saml2meta.
Access the single sign-on initialization page using the following URL:
http://AM_host:AM_port/uri/spSSOinit.jsp?metaAlias=/sp&idpEntityID=idp.sun.com&AuthnContextClassRef=PasswordProtectedTransport
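The following check is an added example, not part of the original procedure or of the product: it confirms that the class requested in the URL is mapped on both sides before the metadata is reloaded. The helper names are hypothetical, and it assumes that a short class name and its full urn:oasis:names:tc:SAML:2.0:ac:classes: URN refer to the same class, as the examples above use them.

```python
from urllib.parse import urlencode

# Standard prefix of the SAML 2.0 authentication context class URNs.
AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

def full_class_ref(name):
    """Expand a short class name to its full URN (assumed equivalent)."""
    return name if name.startswith("urn:") else AC_PREFIX + name

def parse_mapping(value):
    """Split 'classRef|target' into (full class URN, target)."""
    class_ref, sep, target = (part.strip() for part in value.partition("|"))
    if not sep or not class_ref or not target:
        raise ValueError(f"malformed mapping: {value!r}")
    return full_class_ref(class_ref), target

def check_mappings(sp_values, idp_values, requested):
    """Return (SP auth level, IdP target) for the requested class, or raise."""
    sp = dict(parse_mapping(v) for v in sp_values)
    idp = dict(parse_mapping(v) for v in idp_values)
    wanted = full_class_ref(requested)
    if wanted not in sp:
        raise LookupError(f"SP metadata maps no auth level to {wanted}")
    if wanted not in idp:
        raise LookupError(f"IdP metadata maps no module to {wanted}")
    if not sp[wanted].isdigit():
        raise ValueError(f"SP auth level is not a number: {sp[wanted]!r}")
    return int(sp[wanted]), idp[wanted]

def sso_init_url(base, meta_alias, idp_entity_id, class_ref):
    """Build the spSSOinit.jsp URL with encoded query parameters."""
    query = urlencode({"metaAlias": meta_alias, "idpEntityID": idp_entity_id,
                       "AuthnContextClassRef": class_ref}, safe="/")
    return f"{base}/spSSOinit.jsp?{query}"

if __name__ == "__main__":
    # Values taken from the procedure above.
    sp = ["PasswordProtectedTransport|4"]
    idp = [AC_PREFIX + "PasswordProtectedTransport|module=LDAP"]
    print(check_mappings(sp, idp, "PasswordProtectedTransport"))
    print(sso_init_url("http://AM_host:AM_port/uri", "/sp", "idp.sun.com",
                       "PasswordProtectedTransport"))
```

A LookupError here means the requested class is missing from one side's mapping, so the mismatch shows up before the single sign-on request is made.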