diff --git a/internal/models/sessions.go b/internal/models/sessions.go
index f4be5f7ea..5eae91a4b 100644
--- a/internal/models/sessions.go
+++ b/internal/models/sessions.go
@@ -292,22 +292,37 @@ func (s *Session) CalculateAALAndAMR(user *User) (aal string, amr []AMREntry, er
 	}
 
 	// makes sure that the AMR claims are always ordered most-recent first
-	sort.Sort(sort.Reverse(sortAMREntries{
+
+	// sort in ascending order
+	sort.Sort(sortAMREntries{
 		Array: amr,
-	}))
+	})
 
-	if len(amr) > 0 && amr[len(amr)-1].Method == SSOSAML.String() {
-		return aal, amr, nil
-	}
-	// initial AMR claim is from sso/saml, we need to add information
-	// about the provider that was used for the authentication
-	identities := user.Identities
-	if len(identities) == 1 && identities[0].IsForSSOProvider() {
-		amr[len(amr)-1].Provider = strings.TrimPrefix(identities[0].Provider, "sso:")
+	// now reverse for descending order
+	_ = sort.Reverse(sortAMREntries{
+		Array: amr,
+	})
+
+	lastIndex := len(amr) - 1
+
+	if lastIndex > -1 && amr[lastIndex].Method == SSOSAML.String() {
+		// initial AMR claim is from sso/saml, we need to add information
+		// about the provider that was used for the authentication
+		identities := user.Identities
+
+		if len(identities) == 1 {
+			identity := identities[0]
+
+			if identity.IsForSSOProvider() {
+				amr[lastIndex].Provider = strings.TrimPrefix(identity.Provider, "sso:")
+			}
+		}
+
+		// otherwise we can't identify that this user account has only
+		// one SSO identity, so we are not encoding the provider at
+		// this time
 	}
-	// otherwise we can't identify that this user account has only
-	// one SSO identity, so we are not encoding the provider at
-	// this time
+
 	return aal, amr, nil
 }
 
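Review bot: The added `_ = sort.Reverse(sortAMREntries{...})` statement does not reorder anything: `sort.Reverse` only returns a wrapper with an inverted `Less`, and the result is discarded, so `amr` keeps the order produced by the preceding `sort.Sort`. Compared with the removed `sort.Sort(sort.Reverse(...))`, this flips the order of the returned AMR claims, so the "most-recent first" comment no longer holds and `amr[lastIndex]` now refers to the opposite end of the list. Assuming `sortAMREntries.Less` orders by timestamp (its definition is not visible here), the SSO `Provider` would then be attached to the most recent claim rather than the initial one. If descending order is intended, keep the single call `sort.Sort(sort.Reverse(sortAMREntries{Array: amr}))`, and add a test that asserts both the order of `amr` and which entry receives `Provider`. The start of `CalculateAALAndAMR` lies outside this hunk, so how `amr` is built could not be checked.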