We are looking to permit users to authenticate to federated internal applications using Kerberos (their domain login) without needing to prompt them for additional authentication/credentials (true SSO). With the AuthnContext being sent the way it is by ExtraHop, it is forcing the IdP to ignore the existing Kerberos ticket that could be used and pushing the user to a Username / Password login form. This is a terrible user experience.
Our preference is for the ExtraHop system administrator to have the option to completely disable AuthnContext from being sent by the Service Provider in the SAML Request. This allows the IdP to control what authentication methods are acceptable for each application. If this is not technically feasible, then the ExtraHop system administrator must be given control over what will be sent for Comparison and the Class.
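To make the two options concrete, here is an added example (not from the post above and not ExtraHop code) that inspects the RequestedAuthnContext element of a SAML 2.0 AuthnRequest, strips it (option 1), or rewrites its Comparison attribute and AuthnContextClassRef list (option 2). The AuthnRequest is a hand-constructed sample with placeholder issuer/destination URLs; it is not a capture of what ExtraHop actually sends. The class URNs and the four Comparison values come from the SAML 2.0 Core specification. The idp_can_use_kerberos policy is a deliberately simplified model of IdP matching, as noted in its comments.

```python
"""Inspect and rewrite the RequestedAuthnContext of a SAML 2.0 AuthnRequest.

Constructed example. SAMPLE_REQUEST is hand-written, not an ExtraHop
capture, and the sp/idp.example.test URLs are placeholders.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Authentication context classes defined in SAML 2.0 (saml-authn-context-2.0-os).
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
COMPARISONS = ("exact", "minimum", "maximum", "better")  # SAML Core 3.3.2.2.1

# Constructed sample: an SP that pins the method to a password form with
# Comparison="exact". An IdP that honours this cannot use a Kerberos ticket.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_example-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://idp.example.test/sso"
    AssertionConsumerServiceURL="https://sp.example.test/acs">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{PASSWORD_PT}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def describe_authn_context(xml_text):
    """Return (comparison, [class refs]) or None if no context is requested.

    A missing Comparison attribute defaults to "exact" per the spec.
    """
    root = ET.fromstring(xml_text)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None
    comparison = rac.get("Comparison", "exact")
    refs = [(e.text or "").strip()
            for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return comparison, refs


def strip_authn_context(xml_text):
    """Option 1: drop RequestedAuthnContext so the IdP chooses the method."""
    root = ET.fromstring(xml_text)
    for rac in root.findall(f"{{{SAMLP}}}RequestedAuthnContext"):
        root.remove(rac)
    return ET.tostring(root, encoding="unicode")


def set_authn_context(xml_text, comparison, class_refs):
    """Option 2: administrator-chosen Comparison and class list.

    The element is appended at the end of the request; in a request that
    also carries Scoping, the schema requires RequestedAuthnContext to
    precede it, so a real implementation must insert it in schema order.
    """
    if comparison not in COMPARISONS:
        raise ValueError(f"invalid Comparison: {comparison}")
    root = ET.fromstring(xml_text)
    for rac in root.findall(f"{{{SAMLP}}}RequestedAuthnContext"):
        root.remove(rac)
    rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext",
                        Comparison=comparison)
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return ET.tostring(root, encoding="unicode")


def idp_can_use_kerberos(xml_text):
    """May an IdP holding a valid Kerberos ticket satisfy this request?

    Simplified policy: True if nothing is requested, or Kerberos is listed
    under exact/minimum/maximum; False if Kerberos is absent under "exact"
    or listed under "better" (which demands something stronger); None when
    the answer depends on the IdP's own strength ordering of classes.
    """
    ctx = describe_authn_context(xml_text)
    if ctx is None:
        return True
    comparison, refs = ctx
    if KERBEROS in refs:
        return comparison != "better"
    if comparison == "exact":
        return False
    return None  # minimum/maximum/better without Kerberos listed: IdP-specific
```

Run describe_authn_context over the AuthnRequest your SP actually emits (decode the SAMLRequest parameter with base64 and, for HTTP-Redirect binding, raw DEFLATE first) to see which Comparison and classes are being sent before deciding between the two options.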