In SAML 2, in the absence of a specific context class being requested by the SP, the V3.0.0 IdP uses urn:oasis:names:tc:SAML:2.0:ac:classes:Password.
After discussion with Scott, this does not appear to be a default in the sense of a predictable and documented value. Instead, it's an arbitrary element extracted from a Set of compatible values. This means that at least in principle that a different value (in particular, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport) might be used if the implementation details of that Set changed. This potential seems undesirable.
It is possible to set the default context class per-profile to achieve particular results, which would override this implicit not-quite-default. So people who care about this and aren't happy with the current behaviour have a way to get what they want.
However, I think that:
- It would be better for us to have a stable and documented default than to have one which is not under our control and might change without warning
- It would be nice for that default to be available as an IdP property associated with SAML2 in general, so that it can be changed for all profiles in a single place
- It would make sense for the default default (for password authentication flows) to be urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport as that's what every IdP should be using