We notice that VIP Authentication Hub generates an Identity Token with an AMR claim that has no value. How can this happen?
This article describes how the JWT/Identity Token is processed with regard to AMR in VIP Authentication Hub.
VIP Authentication Hub 3.5 or later
The following steps show how AMR is handled in the JWT-BEARER flow in VIP Authentication Hub.
1. If an Identity Provider (IDP) is used and has the AMR mapping rule, the rule is used to populate the AMR. Otherwise, the IDP’s default AMR will be used. This is the regular behavior.
2. If no IDP is used or the IDP has no AMR rules, then for a “trusted” client the AMR will be taken from the Identity Token Hint (if available).
3. If the AMR is still not available, the Application Metadata will be consulted to determine the “last chance” AMR or to reject the request.
4. If no Application Metadata is defined, the Identity Token will be generated without an AMR.
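A relying-party check for the outcome in step 4, as an added example that is not part of the original article or VIP Authentication Hub's own code: it treats an `amr` claim that is absent, null, empty or blank as no authentication evidence and fails closed. It assumes the token signature has already been verified and that `amr` is a JSON array of strings as in OpenID Connect; the function names, the accepted methods and the sample tokens are constructed for illustration.

```python
import base64
import json


def decode_claims(token):
    """Decode the payload of a compact JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def amr_values(claims):
    """Return usable AMR values; [] if amr is absent, null, empty or blank."""
    amr = claims.get("amr")
    if not isinstance(amr, list):  # assumption: amr is a JSON array of strings
        return []
    return [v.strip() for v in amr if isinstance(v, str) and v.strip()]


def accept_token(claims, accepted_methods):
    """Fail closed: accept only if the token asserts an accepted method."""
    return bool(set(amr_values(claims)) & set(accepted_methods))


def make_sample_token(claims):
    """Build a constructed sample token; the signature is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    accepted = {"otp", "hwk"}  # hypothetical policy for this relying party
    samples = {  # constructed payloads, not captured from a real deployment
        "amr populated": {"sub": "u1", "amr": ["pwd", "otp"]},
        "amr empty": {"sub": "u1", "amr": []},
        "amr blank entry": {"sub": "u1", "amr": [""]},
        "amr null": {"sub": "u1", "amr": None},
        "amr absent": {"sub": "u1"},
    }
    for label, payload in samples.items():
        claims = decode_claims(make_sample_token(payload))
        verdict = "accept" if accept_token(claims, accepted) else "reject"
        print(f"{label:16} amr={amr_values(claims)!r:16} -> {verdict}")
```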