When a client application initiates an OIDC authentication request, it may include an acr_values query parameter to suggest a preferred ACR (Authentication Context Class Reference) value. ACR is an ID token claim that indicates the authentication assurance level achieved during the journey. However, the requested value is advisory only—the journey is not required to honor it.
- The ACR value represents the assurance level, not the authentication method. Authentication methods are recorded separately in the amr claim, which Mosaic populates automatically.
- ACR customization applies only to SSO journeys, since OIDC ID tokens (which include the acr claim) are issued only by SSO journeys.
In Mosaic, you can customize the ACR value that appears in the ID token issued at the end of the journey using one or more Set Dynamic ACR Values steps, distributed along the journey based on your business logic. Each Set Dynamic ACR Values step overwrites any previously available ACR value (from the OIDC request or from an earlier step), and the last executed step determines the final acr claim in the ID token. You define the ACR value to reflect the assurance achieved—for example, password authentication might map to 1.5, passkeys to 2.5, and mobile biometrics to 3.0. These values are fully customizable at the step level.
Mosaic does not enforce ACR levels automatically. You are responsible for setting the appropriate ACR value that reflects the authentication assurance level achieved in the journey.
To read the current ACR value at any point in the journey, use: @policy.getInteractionParameters().acrValues. This expression returns:
- the acr_values value from the initial OIDC request (if present and no Set Dynamic ACR Values step has run yet), or
- the value set by the most recently executed Set Dynamic ACR Values step.
Setting custom ACR values enables token customization, allowing you to define ACR values that align with your application's requirements and the needs of downstream services that consume the token. Because the ACR value is defined entirely within the journey, you have full control over its format and meaning (for more, see section below). The ACR value represents the authentication assurance level and can be set based on runtime data, such as authentication results, device posture, risk signals, or any other information available in the journey context (e.g., user information, session data, organization context, or data collected from previous journey steps).
You can use multiple Set Dynamic ACR Values steps in the same journey to:
- Use the ACR value in flow logic: Read the current value at any point and use it in conditions or other decision points.
- Replace the ACR value as assurance changes: Each step represents the authentication assurance level achieved up to that point and replaces the previous ACR value. Set or replace the value as users complete additional authentication steps (for example, step-up flows or different authentication branches). Each invocation overwrites the previous value, and the final issued token will include only the last ACR value that was set.
Each Set Dynamic ACR Values step overwrites the previous ACR value. The final ACR value in the token is always determined by the last Set Dynamic ACR Values step executed.
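A downstream service that consumes the ID token has to interpret the acr claim itself, because the value and its format are defined in the journey and the requested acr_values is only advisory. The following added example (not Mosaic code) parses the simple, composite and JSON string forms described in this section and fails closed on anything malformed; the function names, the default dimension name assurance for a simple string, and the numeric threshold are assumptions.

```javascript
// Added example (not Mosaic code). `claims` is the payload of an ID token whose
// signature, issuer, audience and expiry have ALREADY been verified elsewhere.
// Assumption: every dimension value is a non-negative decimal number.
const NUM = /^\d+(\.\d+)?$/;

// Parse the acr claim into a Map of dimension -> number, or null if malformed.
function parseAcr(acr) {
  if (typeof acr !== "string" || acr.trim() === "") return null;
  const s = acr.trim();
  let pairs;
  if (s.startsWith("{")) {
    // JSON object that was converted to a string
    let obj;
    try { obj = JSON.parse(s); } catch (e) { return null; }
    if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
    pairs = Object.entries(obj);
  } else if (s.includes(":")) {
    // Composite form, e.g. "assurance:1.5|device:0.8|risk:0.3"
    pairs = s.split("|").map((p) => {
      const i = p.indexOf(":");
      return i > 0 ? [p.slice(0, i), p.slice(i + 1)] : null;
    });
  } else {
    // Simple string, e.g. "2.5" (assumed to be the assurance dimension)
    pairs = [["assurance", s]];
  }
  const dims = new Map(); // a Map avoids prototype keys such as "__proto__"
  for (const pair of pairs) {
    if (pair === null) return null;
    const [key, raw] = pair;
    const text = String(raw).trim();
    if (dims.has(key) || !NUM.test(text)) return null; // duplicate or non-numeric
    dims.set(key, Number(text));
  }
  return dims;
}

// Fail closed: a missing, malformed or too-low acr denies access.
function meetsAssurance(claims, minimum) {
  const dims = parseAcr(claims && claims.acr);
  if (dims === null || !dims.has("assurance")) return false;
  return dims.get("assurance") >= minimum;
}
```

Compare against the acr claim in the issued token, never against the acr_values the client sent in the request.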
The ACR value you set can be:
- A simple string representing the assurance level (e.g., "1.5" for password, "2.5" for passkey, "3.0" for mobile biometrics)
- A composite or encoded format representing multiple dimensions in a single string (e.g., "assurance:1.5|device:0.8|risk:0.3", where | separates dimensions)
- A JSON object (automatically converted to a string)