
I am exploring different binding types of SAML Authentication. Here are my understandings:

  • The SP will send an Artifact to the IdP and the IdP will send back the same Artifact to the SP. This creates a hand-shake between SP and IdP.
  • The SP will now respond with the actual SAML corresponding to the Artifact through the back channel.

But the query is, in case of IdP initiated Artifact binding, how does the IdP know the following:

  • Which SP to poll?
  • When to poll the SP?
  • The Attribute Assertion SAML Message is on the SP side. So how will the IdP know about the corresponding Artifact without any prior communication from SP?

1 Answer

I think there is a misunderstanding of how the artifact binding works. When used to transport an Assertion from IDP to SP, the Artifact binding works like this.

  1. The IDP sends the SP an Artifact, typically over the browser.
  2. The SP sends the Artifact to the IDP, typically over a back channel, e.g. SOAP.
  3. The IDP responds with an ArtifactResponse containing the Assertion.

In a greater perspective, when doing an authentication the flow is like this:

  1. The user tries to access a site managed by a SP.
  2. The SP intercepts the user and sees that it has not been authenticated.
  3. The user is sent to the IDP for authentication.
  4. The user is authenticated and an Assertion is created.
  5. The user is sent back to the SP together with the Assertion. If artifact binding is used, the user is sent back with the artifact.
  6. The SP exchanges the artifact for the Assertion over a back channel.
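To make the six-step flow in the answer concrete, here is an added, self-contained simulation of both sides of the artifact binding. It is example code written for this page, not the answer author's code and not the API of any SAML library: the entity IDs are constructed, the "browser" and the SOAP back channel are plain function calls, and the assertion is a dict rather than signed XML. What it does reproduce faithfully is the SAML 2.0 artifact layout (type code 0x0004, endpoint index, SourceID = SHA-1 of the issuer's entityID, 20-byte random handle), and the checks a defender cares about in step 6: the SP only resolves artifacts whose SourceID matches the IdP it trusts, the IdP only hands an assertion to the SP it was minted for, and every handle is single-use so a replayed artifact resolves to nothing.

```python
import base64
import hashlib
import secrets
import struct

# SAML 2.0 artifact (type code 0x0004), 44 bytes before base64:
#   TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20)
ARTIFACT_TYPE_CODE = 0x0004
ARTIFACT_LEN = 44


def source_id_for(entity_id: str) -> bytes:
    """SourceID is the SHA-1 digest of the issuing IdP's entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(issuer_entity_id: str, endpoint_index: int, handle: bytes) -> str:
    """Encode an artifact; the handle is an opaque 20-byte reference, nothing more."""
    if len(handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    raw = struct.pack(">HH", ARTIFACT_TYPE_CODE, endpoint_index)
    raw += source_id_for(issuer_entity_id) + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact: str):
    """Return (endpoint_index, source_id, handle); reject malformed artifacts."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("unexpected artifact length")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE_CODE:
        raise ValueError("unsupported artifact type code")
    return endpoint_index, raw[4:24], raw[24:44]


class IdP:
    """Hypothetical IdP: keeps assertions server-side, keyed by artifact handle."""

    def __init__(self, entity_id: str):
        self.entity_id = entity_id
        self.pending = {}  # handle -> (sp_entity_id, assertion)

    def issue_artifact(self, user: str, sp_entity_id: str) -> str:
        # Steps 4-5: the assertion is created here and stays here; only the
        # artifact travels through the browser to the SP that asked for login.
        assertion = {"issuer": self.entity_id, "subject": user, "audience": sp_entity_id}
        handle = secrets.token_bytes(20)
        self.pending[handle] = (sp_entity_id, assertion)
        return build_artifact(self.entity_id, 0, handle)

    def resolve(self, artifact: str, requester_entity_id: str):
        # Step 6 (IdP side): answer an ArtifactResolve over the back channel.
        _, source_id, handle = parse_artifact(artifact)
        if source_id != source_id_for(self.entity_id):
            return None  # not one of ours
        entry = self.pending.get(handle)
        if entry is None or entry[0] != requester_entity_id:
            return None  # unknown handle, or a different SP is asking
        del self.pending[handle]  # single-use: a replay of this artifact fails
        return entry[1]


class SP:
    """Hypothetical SP that trusts exactly one IdP (as it would from metadata)."""

    def __init__(self, entity_id: str, trusted_idp_entity_id: str):
        self.entity_id = entity_id
        self.trusted_source_id = source_id_for(trusted_idp_entity_id)

    def consume_artifact(self, artifact: str, idp: IdP):
        # Step 6 (SP side): check the SourceID before talking to anyone, then
        # resolve over the back channel and validate the returned assertion.
        _, source_id, _ = parse_artifact(artifact)
        if source_id != self.trusted_source_id:
            return None
        assertion = idp.resolve(artifact, self.entity_id)
        if assertion is None or assertion["audience"] != self.entity_id:
            return None
        return assertion["subject"]


def run_flow() -> dict:
    """Drive the flow once and record what each party sees (constructed IDs)."""
    idp = IdP("https://idp.example.test/saml")
    sp = SP("https://sp.example.test/saml", idp.entity_id)
    other_sp = SP("https://other.example.test/saml", idp.entity_id)

    artifact = idp.issue_artifact("alice", sp.entity_id)  # browser carries this
    stranger = build_artifact("https://untrusted.example.test", 0, secrets.token_bytes(20))

    return {
        "wrong_sp": other_sp.consume_artifact(artifact, idp),   # minted for sp, not other_sp
        "untrusted_issuer": sp.consume_artifact(stranger, idp),  # SourceID mismatch
        "user": sp.consume_artifact(artifact, idp),              # the legitimate exchange
        "replay": sp.consume_artifact(artifact, idp),            # handle already consumed
    }


if __name__ == "__main__":
    print(run_flow())
```

The ordering in `run_flow` matters: the wrong SP and the untrusted issuer are tried first and neither burns the handle, so the legitimate SP still succeeds afterwards, and only then does the replay fail. This is the property the answer's step 6 relies on, and it is why the IdP does not need to "poll" anyone: it simply waits for the single SP the artifact was issued to.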
  • The first point in your answer says that IdP sends the artifact to SP over browser. However, I still do not understand, how the IdP knows which SP to send the Artifact and when to send the Artifact as one IdP can serve multiple SPs. Commented Nov 24, 2016 at 11:29
  • I extended the answer. The user is sent back with the artifact to the SP that requested the authentication Commented Nov 24, 2016 at 11:48
  • Artifact binding can be used with IdP-initiated SSO or SP-initiated SSO flow. As Stefan noted, Artifact binding is a so called back-channel binding, so there is also step 6 where the SP uses artifact resolution protocol to retrieve the actual assertion from the IdP. So the SP must be able to communicate with the IdP's Artifact Resolution Service (defined in the IdP MetaData) Commented Nov 25, 2016 at 7:39
  • Yes, I mentioned it in the first list, but it became a bit unclear. I added step 6 Commented Nov 25, 2016 at 7:56
  • Does anything in SAML exist which allows no-browser interactions? You capture username:password and then talk with IdP without browser?
    – rock3t
    Commented Jun 10, 2020 at 13:26
