13.35.5 Enabling the Client Chain Selection

The Enable client chain selection option is set to OFF by default, and third-party service providers cannot select a preferred chain for any client, such as a Windows Client, Mac OS X Client, or Linux PAM Client workstation. Set this option to ON to allow third-party service providers to select a preferred chain, configured in the authcfg.xml file, that the user can use during authentication.

The syntax to select a specific chain in the authcfg.xml file is as follows:

    'AuthnContextClassRef' => array( 'AuthnContextClassRef' => 'urn:uuid:519a6c73-f092-43d3-ab11-8d789ebc2f79?=internal.osp.oidp.aa.chain-name=<chain name>')

NOTE: If you configure an incorrect chain and a user tries to authenticate by using that chain, the error message authentication failed appears.