If an ACR value is specified in the claims sent to the IdP it should be validated that the same value is returned in the id token in the OIDC callback. This is a security measure required for step-up authentication since the claims can be manually edited in the requested URL.