Disable setting RequestedAuthnContext during saml request

[jathok]

Describe the Pull Request

Current Behavior

The SAML Python Toolkit request will set the RequestedAuthnContext to 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport', see advanced_settings.json section for "requestedAuthnContext" if the setting is omitted or set to true.

Issue
IdP services will use the RequestedAuthnContext if provided. If the session did not exactly use PasswordProtectedTransport, SSO login will always fail.

Issue Environment

We use Azure Entra as the IdP. The login method is hardened and does not necessarily use PasswordProtectedTransport method, but rather a "stronger" one.

This Entra AADSTS75011 Troubleshooting article describes the issue.

Intend

The RequestAuthNContext should only be set if

1. The application (MobSF) enforces a minimum amount of security
2. The context is read and validated afterwards (which is not the case)

Solution

Following Intend Nr. 1, I would change the security setting to enforce AT LEAST PasswordProtectedTransport, therefore changing the requestedAuthnContextComparison to minimum instead of exact.

However, Microsoft explicitly document that Entra SAML applications do not support any other comparison but exact.

The other solution is to disable the RequestedAuthnContext entirely. Since it is optional for the Entra IdP and, from what I could find searching the net, also optional for other IdPs, I suggest to do so by default.

Checklist for PR

• Run MobSF unit tests and lint tox -e lint,test
• Tested Working on Linux, Mac, Windows, and Docker
• Add unit test for any new Web API (Refer: StaticAnalyzer/tests.py)
• Make sure tests are passing on your PR