You can use the HTTP artifact binding where the SAML requester and responder need to communicate through an HTTP user agent as an intermediary, but its limitations preclude or discourage sending an entire message (or message exchange) through it. This may be for technical reasons, or because of a reluctance to expose the message content to the intermediary (where encryption is not practical).
In the HTTP artifact binding, the SAML request, the SAML response, or both are transmitted by reference using a small stand-in called an artifact. A separate, synchronous binding, such as the SAML SOAP binding, is used to exchange the artifact for the actual protocol message using the artifact resolution protocol. When using the HTTP artifact binding for the SAML <Response> message, SAML permits the artifact to be delivered via the browser using either an HTTP POST or HTTP Redirect response.
About the SAML artifact
A SAML artifact is a short, opaque string with four properties: an artifact receiver can identify the artifact's issuer, the artifact resists tampering and forgery, it is unique, and it is compact.
The format of a SAML artifact is shown below:
Once the service provider has the artifact, it contacts the IdP's artifact resolution service using the synchronous SOAP binding to obtain the SAML message that corresponds to the artifact.
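As an added example (not code from the WSO2 documentation or the product), the following Python builds and parses a type 0x0004 artifact as laid out in the SAML 2.0 Bindings specification, and shows how the receiving service provider uses the SourceID to identify the issuer and pick the trusted artifact resolution endpoint before it sends an Artifact Resolve request. The entity IDs and URLs are constructed for the example.

```python
import base64
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Type 0x0004 artifact (SAML 2.0 Bindings spec), 44 bytes before base64:
# TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20)
SAML2_ARTIFACT_TYPE = 0x0004

@dataclass(frozen=True)
class Artifact:
    type_code: int
    endpoint_index: int    # which of the issuer's artifact resolution endpoints to use
    source_id: bytes       # SHA-1 of the issuer's entityID; how the receiver identifies the IdP
    message_handle: bytes  # random reference the issuer maps back to the stored message

def source_id_for(entity_id: str) -> bytes:
    """SourceID is the SHA-1 digest of the artifact issuer's entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

def build_artifact(entity_id: str, endpoint_index: int = 0,
                   handle: Optional[bytes] = None) -> str:
    """Issuer side: assemble a type-0x0004 artifact, base64-encoded for the browser."""
    handle = handle if handle is not None else os.urandom(20)  # unguessable, single use
    raw = (SAML2_ARTIFACT_TYPE.to_bytes(2, "big")
           + endpoint_index.to_bytes(2, "big")
           + source_id_for(entity_id)
           + handle)
    return base64.b64encode(raw).decode("ascii")

def parse_artifact(artifact: str) -> Artifact:
    """Receiver side: decode and structurally validate before any network call."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44:
        raise ValueError(f"artifact is {len(raw)} bytes, expected 44")
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != SAML2_ARTIFACT_TYPE:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return Artifact(type_code, int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44])

def resolve_endpoint_for(artifact: str, trusted_idps: Dict[str, str]) -> str:
    """Map the SourceID to a configured IdP (entityID -> Artifact Resolve Endpoint Url);
    an unknown SourceID is rejected, so no ArtifactResolve goes to an untrusted endpoint."""
    parsed = parse_artifact(artifact)
    by_source = {source_id_for(eid): url for eid, url in trusted_idps.items()}
    url = by_source.get(parsed.source_id)
    if url is None:
        raise ValueError("artifact SourceID does not match any trusted IdP")
    return url
```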
The following diagram shows the process of the SAML artifact binding:
Configuring identity provider UI for client-side SAML artifact binding
- Log in to the management console.
- Click Add under Identity Providers on the Main tab and give a name for the Identity Provider.
- Click Federated Authenticators.
Expand SAML Web SSO Configuration and configure the following:
The table below gives descriptions about each of the above configuration parameters:
| Parameter | Description |
| --- | --- |
| Enable Artifact Binding | Enable/disable to specify whether the IdP supports SAML artifact binding. |
| Artifact Resolve Endpoint Url | Artifact Resolution Service URL of the IdP to which the Artifact Resolve request is sent. |
| Enable Artifact Resolve Request Signing | Enable/disable to specify whether the artifact resolve request should be signed. The signature algorithm and digest algorithm used for signing can be selected. |
| Enable Artifact Response Signing | Enable/disable to specify whether the SAML2 artifact response from the identity provider will be signed. Based on that, WSO2 IS validates the signature of the artifact response. |

Configuring a proxy host and proxy port
You can configure a proxy host and a proxy port to be used for the artifact resolution request by applying the WUM update for WSO2 IS 5.6.0 released on 2018-09-23.
If you want to deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.
Pass the proxy host and port as Java environment variables as shown below.