In the SAML & OpenID deployment guideline [1] for proxying between authncontext & PAPE, the fact that PAPE does not allow the RP to stipulate a specific desired LOA has been a limitation - specifically in the case where the proxy is trying to map from a SAML Authnrequest that had a specified LOA class into an OpenID request. Currently, the deployment guideline recommends the proxy fail the SAML request in this situation However, the ICAM OpenID [2] profile forgoes the PAPE LOA mechanism and uses the more flexible authentication mechanism parameter to allow the RP to specify the ICAM LOA1 policy on the OpenID request. If the ICAM profile were to set a precedent for how PAPE is used to carry LOA, then the above issue for proxying between SAML & OpenID is mitigated. Thoughts? Paul [1] - http://bit.ly/4R6CJh [2] - http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf