You can use the HTTP artifact binding when the SAML requester and responder need to communicate through an HTTP user agent as an intermediary, but the intermediary's limitations preclude or discourage transmitting an entire message (or message exchange) through it. This may be for technical reasons, or because of a reluctance to expose the message content to the intermediary where encryption is not practical.
In the HTTP artifact binding, the SAML request, the SAML response, or both are transmitted by reference using a small stand-in called an artifact. A separate, synchronous binding, such as the SAML SOAP binding, is used to exchange the artifact for the actual protocol message using the artifact resolution protocol. When using the HTTP artifact binding for the SAML <Response> message, SAML permits the artifact to be delivered via the browser using either an HTTP POST or HTTP Redirect response.
About SAML Artifact
A SAML artifact is a short, opaque string with four properties: it lets the artifact receiver identify the issuer of the artifact, it resists tampering and forgery, it is unique, and it is compact.
The format of a SAML artifact is shown below:
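As an added example (not code from the original page or from WSO2 IS), the following Python decodes an artifact the way a service provider would on receipt, before making any resolution call. The byte layout it assumes is the standard type 0x0004 artifact from the SAML 2.0 Bindings specification (2-byte TypeCode, 2-byte EndpointIndex, 20-byte SourceID, 20-byte MessageHandle); deriving the SourceID as the SHA-1 of the issuer's entityID is a common convention and is an assumption here, as are the example entity IDs and URLs.

```python
import base64
import hashlib

# Layout of a SAML 2.0 artifact of type 0x0004 (SAML 2.0 Bindings spec, section 3.6.4):
#   TypeCode (2 bytes) | EndpointIndex (2 bytes) | SourceID (20 bytes) | MessageHandle (20 bytes)
TYPE_CODE_0004 = b"\x00\x04"
ARTIFACT_LEN = 44


def source_id_for(entity_id: str) -> bytes:
    """SourceID as most deployments derive it: SHA-1 of the issuer's entityID.

    Assumption: the IdP you federate with derives its SourceID this way; if it does
    not, take the SourceID from the IdP's metadata instead of computing it.
    """
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def make_artifact(entity_id: str, endpoint_index: int, message_handle: bytes) -> str:
    """Build a type-0x0004 artifact. Used here only to construct sample input."""
    if len(message_handle) != 20:
        raise ValueError("MessageHandle must be 20 bytes")
    raw = (TYPE_CODE_0004
           + endpoint_index.to_bytes(2, "big")
           + source_id_for(entity_id)
           + message_handle)
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact_b64: str, trusted_idps: dict) -> dict:
    """Decode an artifact received from the browser and map its SourceID to a trusted IdP.

    trusted_idps maps entityID -> artifact resolution service URL (the 'Artifact Resolve
    Endpoint Url' configured for each IdP). Anything that does not decode to a well-formed
    artifact from a known issuer is rejected before any SOAP call is made.
    """
    # binascii.Error raised on malformed base64 is a subclass of ValueError.
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"artifact is {len(raw)} bytes, expected {ARTIFACT_LEN}")
    if raw[:2] != TYPE_CODE_0004:
        raise ValueError(f"unsupported artifact type code 0x{raw[:2].hex()}")
    endpoint_index = int.from_bytes(raw[2:4], "big")
    source_id, message_handle = raw[4:24], raw[24:44]

    # Identify the issuer from the SourceID; an unknown SourceID means there is
    # no trusted IdP to resolve against, so the artifact is dropped.
    by_source_id = {source_id_for(eid): eid for eid in trusted_idps}
    issuer = by_source_id.get(source_id)
    if issuer is None:
        raise ValueError("artifact SourceID does not belong to any trusted IdP")
    return {
        "issuer": issuer,
        "resolve_url": trusted_idps[issuer],
        "endpoint_index": endpoint_index,
        "message_handle": message_handle.hex(),
    }


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    idp = "https://idp.example.com/samlsso"
    trusted = {idp: "https://idp.example.com/samlartresolve"}
    artifact = make_artifact(idp, 0, bytes(range(20)))
    print(artifact)
    print(parse_artifact(artifact, trusted))
```

The MessageHandle is only a reference: it carries nothing about the user or the assertion, which is what makes the artifact safe to pass through the browser. The SourceID check is what gives the receiver the "identify the issuer" property listed above.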
Once the service provider has the artifact, it contacts the IdP's artifact resolution service using the synchronous SOAP binding to obtain the SAML message that corresponds to the artifact.
The following diagram shows the process of the SAML artifact binding:
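As an added example (not code from the original page or from WSO2 IS), the following Python shows the resolution step described above from the service provider's side: it builds the ArtifactResolve SOAP request and then checks an ArtifactResponse before trusting the embedded message. The IdP reply is a constructed sample embedded inline; entity IDs and request IDs are assumptions, and XML signature verification of the response (the behaviour enabled by "Enable Artifact Response Signing") is not implemented here.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_artifact_resolve(sp_entity_id: str, artifact_b64: str, request_id: str = None) -> tuple:
    """Return (request ID, SOAP envelope text) for an ArtifactResolve message.

    The SP must remember the request ID to match InResponseTo on the reply. Signing the
    samlp:ArtifactResolve element ("Enable Artifact Resolve Request Signing") would be
    applied before sending and is not shown.
    """
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{NS['soap']}}}Envelope")
    body = ET.SubElement(env, f"{{{NS['soap']}}}Body")
    resolve = ET.SubElement(body, f"{{{NS['samlp']}}}ArtifactResolve",
                            {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(resolve, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    ET.SubElement(resolve, f"{{{NS['samlp']}}}Artifact").text = artifact_b64
    return request_id, ET.tostring(env, encoding="unicode")


def check_artifact_response(soap_xml: str, expected_in_response_to: str, expected_issuer: str):
    """Validate the IdP's ArtifactResponse and return the embedded samlp:Response element.

    Checks: the reply answers our request (InResponseTo), comes from the IdP we resolved
    against (Issuer), reports Success, and actually carries a message. An empty
    ArtifactResponse is what the spec prescribes for an unknown, expired or
    already-resolved artifact, so it is rejected rather than treated as a protocol error.
    """
    root = ET.fromstring(soap_xml)
    resp = root.find("soap:Body/samlp:ArtifactResponse", NS)
    if resp is None:
        raise ValueError("no ArtifactResponse in SOAP body")
    if resp.get("InResponseTo") != expected_in_response_to:
        raise ValueError("InResponseTo does not match our ArtifactResolve ID")
    issuer = resp.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected ArtifactResponse issuer {issuer!r}")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("artifact resolution did not succeed")
    inner = resp.find("samlp:Response", NS)
    if inner is None:
        raise ValueError("ArtifactResponse carries no SAML message (unknown or already-resolved artifact)")
    return inner


def sample_idp_response(in_response_to: str) -> str:
    """Constructed sample IdP reply, not captured from a real IdP."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" InResponseTo="{in_response_to}">
   <saml:Issuer>https://idp.example.com/samlsso</saml:Issuer>
   <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
   <samlp:Response ID="_m1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/samlsso</saml:Issuer>
    <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
   </samlp:Response>
  </samlp:ArtifactResponse>
 </soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    req_id, req_xml = build_artifact_resolve("https://sp.example.org/saml", "AAQAA...constructed...")
    print(req_xml)
    message = check_artifact_response(sample_idp_response(req_id), req_id, "https://idp.example.com/samlsso")
    print("resolved message ID:", message.get("ID"))
```

In a deployment the SOAP envelope is POSTed to the Artifact Resolve Endpoint Url over TLS, and the returned samlp:Response is then validated exactly as a directly received response would be (signature, audience, conditions). The InResponseTo check matters because the synchronous channel is the SP's only evidence that the message it received is the one its own artifact referred to.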
Configuring identity provider UI for client-side SAML artifact binding
- Log in to the management console.
- Click Add under Identity Providers on the Main tab and enter a name for the Identity Provider.
- Click Federated Authenticators.
- Expand SAML Web SSO Configuration and configure the following:
The table below describes each of the above configuration parameters:

| Parameter | Description |
| --- | --- |
| Enable Artifact Binding | Enable/disable to specify whether the IdP supports SAML artifact binding. |
| Artifact Resolve Endpoint Url | Artifact Resolution Service URL of the IdP to which the Artifact Resolve request is sent. |
| Enable Artifact Resolve Request Signing | Enable/disable to specify whether the artifact resolve request should be signed. The signature algorithm and digest algorithm used for signing can be selected. |
| Enable Artifact Response Signing | Enable/disable to specify whether the SAML2 artifact response from the identity provider will be signed. When enabled, WSO2 IS validates the signature of the artifact response. |