According to the SAML core spec, section 3.4.1.5.1:
The <saml:AuthnStatement> in the new assertion MUST include a <saml:AuthnContext>
element containing a <saml:AuthenticatingAuthority> element referencing the identity
provider to which the proxying identity provider referred the presenter. If the original assertion
contains <saml:AuthnContext> information that includes one or more
<saml:AuthenticatingAuthority> elements, those elements SHOULD be included in the
new assertion, with the new element placed after them.
OpenAM currently does not populate the AuthenticatingAuthority field, which appears to violate a MUST in the spec.
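
As an added example (not OpenAM code and not part of the original report), the Python check below tests an assertion issued by a proxying identity provider against the rule quoted above: each AuthnStatement must end its AuthenticatingAuthority list with the upstream identity provider, and any authorities from the original assertion should precede it. The function names, the sample assertions and the example entity IDs are assumptions constructed for this illustration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

def authorities(assertion_xml):
    """One list of AuthenticatingAuthority values per AuthnStatement."""
    # Constructed inputs only; use a hardened XML parser for untrusted data.
    root = ET.fromstring(assertion_xml)
    per_statement = []
    for stmt in root.iter("{%s}AuthnStatement" % SAML):
        ctx = stmt.find("saml:AuthnContext", NS)
        elems = [] if ctx is None else ctx.findall("saml:AuthenticatingAuthority", NS)
        per_statement.append([(e.text or "").strip() for e in elems])
    return per_statement

def check_proxied(new_xml, upstream_idp, original_xml=None):
    """Return a list of findings; an empty list means the rule is met."""
    carried = []
    if original_xml is not None:
        carried = [a for stmt in authorities(original_xml) for a in stmt]
    statements = authorities(new_xml)
    findings = [] if statements else ["MUST: no AuthnStatement present"]
    for i, found in enumerate(statements):
        if not found or found[-1] != upstream_idp:
            # The new element names the IdP the proxy referred the presenter to
            # and comes last, after any carried-over elements.
            findings.append("MUST: statement %d lacks trailing authority %s" % (i, upstream_idp))
        elif original_xml is not None and found[:-1] != carried:
            findings.append("SHOULD: statement %d drops or reorders original authorities" % i)
    return findings

def sample(values):
    """Build a constructed, unsigned assertion for the demonstration."""
    auth = "".join("<saml:AuthenticatingAuthority>%s</saml:AuthenticatingAuthority>" % v
                   for v in values)
    return ('<saml:Assertion xmlns:saml="%s" ID="_a1" Version="2.0" '
            'IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer>https://proxy.example/idp'
            '</saml:Issuer><saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">'
            '<saml:AuthnContext><saml:AuthnContextClassRef>'
            'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
            '</saml:AuthnContextClassRef>%s</saml:AuthnContext></saml:AuthnStatement>'
            '</saml:Assertion>' % (SAML, auth))

if __name__ == "__main__":
    upstream = "https://upstream.example/idp"
    print(check_proxied(sample([]), upstream))          # behaviour described in the report
    print(check_proxied(sample([upstream]), upstream))  # conforming assertion
```

A relying party that makes trust decisions based on where authentication actually took place can only do so when this element is present, which is why an empty list is reported as a MUST-level finding.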