How to have Access Manager Identity Server generate an assertion with a custom authentication type as part of the Authentication Statement

  • 7012460
  • 22-May-2013
  • 31-Mar-2015

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Support Pack 1 Applied
NetIQ Access Manager 3.2 Identity Server setup as a SAML2 IdP server
3rd Party SAML2 Service Provider setup in trust relationship with NAM IdP Server

Situation

Access Manager Identity (IDP) Server set up in a trust relationship with multiple SAML2 Service Providers (SP). Each SP is working fine with the exception of one custom-built SP, i.e. users can single sign-on (SSO) to the SAML2 SPs after having successfully authenticated to the IDP server. With one particular SP, the username and attributes sent in the assertion by the IDP server were not enough to SSO the user. After authenticating to the IDP server, users would get an error on the browser from the SP indicating that the 'authentication failed due invalid method'.

Turns out that the SP validated the authentication type in the assertion to determine whether it satisfied the SP requirements. It expected an Authentication Type of e.g. urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, but instead received only the contract URI of the contract executed during the login to the NAM IDP server, e.g.

    <saml:AuthnStatement AuthnInstant="2013-05-22T17:28:00Z"
                         SessionIndex="idA6IBhjePWjbG-UeMulaSs139dew">
        <saml:AuthnContext>
            <saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>

Resolution

Make sure that you are running NAM 3.2 (the field is not available in 3.1) and define the Authentication Type required by the SP in the 'Allowable Class' field of the contract being executed on the IDP server. In the above case, go to IDP -> Local -> Contracts -> Secure Name/Password Form contract, and add 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' to the 'Allowable Class' field.

After updating the IDP server with the change and authenticating to the IDP server using the Secure Name/Password Form contract, the following assertion AuthnStatement was sent to the SP, allowing it to SSO without any issues:

    <saml:AuthnStatement AuthnInstant="2013-05-22T17:32:04Z"
                         SessionIndex="idA6IBhjePWjbG-UeMulaSs139dew">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            <saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
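The SP-side check that produced the 'invalid method' error, and that the 'Allowable Class' change satisfies, can be reproduced with a small parser. The following is an added example, not code from the NetIQ article or from the SP described in it: it extracts the AuthnContextClassRef from the two AuthnStatements shown above (embedded here as constructed samples, wrapped in the saml namespace declaration so they parse stand-alone) and accepts the assertion only when the class is one the SP allows. It generalizes the article's single required class to a set of allowed classes; the function and variable names are the example's own.

```python
"""Added example: SP-side validation of the AuthnContext in a SAML2 AuthnStatement.

Mirrors the behaviour described in the NetIQ article: the SP looks for an
AuthnContextClassRef and rejects the assertion when it is absent (only a
DeclRef carrying the NAM contract URI is present) or names a class it does
not accept. In a real SP this check runs only after the assertion signature,
audience and validity window have been verified.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PASSWORD_PROTECTED_TRANSPORT = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)
# Classes this (hypothetical) SP accepts; the article's SP required just the one.
ALLOWED_CLASSES = frozenset({PASSWORD_PROTECTED_TRANSPORT})

# Constructed sample: the statement sent before the 'Allowable Class' change.
STATEMENT_BEFORE_FIX = """<saml:AuthnStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    AuthnInstant="2013-05-22T17:28:00Z"
    SessionIndex="idA6IBhjePWjbG-UeMulaSs139dew">
  <saml:AuthnContext>
    <saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef>
  </saml:AuthnContext>
</saml:AuthnStatement>"""

# Constructed sample: the statement sent after the change (ClassRef text is
# line-wrapped, as in the article's capture, so the parser must trim it).
STATEMENT_AFTER_FIX = """<saml:AuthnStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    AuthnInstant="2013-05-22T17:32:04Z"
    SessionIndex="idA6IBhjePWjbG-UeMulaSs139dew">
  <saml:AuthnContext>
    <saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    <saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef>
  </saml:AuthnContext>
</saml:AuthnStatement>"""


def authn_context_class(statement_xml):
    """Return the trimmed AuthnContextClassRef text, or None when it is absent."""
    root = ET.fromstring(statement_xml)
    element = root.find("saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    if element is None or element.text is None:
        return None
    # anyURI values must be compared after surrounding whitespace is removed,
    # otherwise the wrapped capture above would never match.
    return element.text.strip()


def authn_context_decl(statement_xml):
    """Return the AuthnContextDeclRef text (the NAM contract URI), or None."""
    root = ET.fromstring(statement_xml)
    element = root.find("saml:AuthnContext/saml:AuthnContextDeclRef", SAML_NS)
    return None if element is None or element.text is None else element.text.strip()


def check_authn_method(statement_xml, allowed_classes=ALLOWED_CLASSES):
    """Return (accepted, detail).

    The DeclRef alone is not enough: it carries the IdP's contract URI, which
    the SP cannot map to a known authentication strength, so the decision is
    made on the ClassRef only.
    """
    authn_class = authn_context_class(statement_xml)
    if authn_class is None:
        return False, "no AuthnContextClassRef in AuthnStatement"
    if authn_class not in allowed_classes:
        return False, "AuthnContextClassRef not allowed: " + authn_class
    return True, authn_class


if __name__ == "__main__":
    for label, statement in (("before fix", STATEMENT_BEFORE_FIX),
                             ("after fix", STATEMENT_AFTER_FIX)):
        accepted, detail = check_authn_method(statement)
        print(label, "->", "accepted" if accepted else "rejected", "|", detail,
              "| DeclRef:", authn_context_decl(statement))
```

Running the block shows the first statement rejected for lacking a ClassRef and the second accepted, with the DeclRef (the contract URI) present in both. Keeping the decision on the ClassRef, and trimming its text before comparison, is what makes the SP's behaviour predictable across IdPs that format the element differently.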