Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the purpose of a SAML Artifact?

I've seen a bunch of flow chart on how it is passed around between Identity Provider (IdP), Service Provider (SP), and Browser via Redirects. However it seems unnecessary to me right now, so i know i'm missing something.

Can someone provide me a use case where a SAML Artifact is required (or very useful) compared to not using one?

Thank you.

like image 704
funa68 Avatar asked Nov 28 '12 23:11

funa68


People also ask

What is a SAML artifact?

HTTP artifact is a binding in which a SAML request or response (or both) is transmitted by reference by using a unique identifier that is called an artifact. A separate binding, such as a SOAP binding, is used to exchange the artifact for the actual protocol message.

What is the difference between HTTP POST and artifact?

Unlike the SAML front-channel bindings, HTTP Redirect and HTTP POST, which perform SSO in the full view of the browser, the HTTP Artifact binding sends protocol messages using back-channel communication.

What is SAML and why is it used?

What is SAML? SAML is an acronym used to describe the Security Assertion Markup Language (SAML). Its primary role in online security is that it enables you to access multiple web applications using one set of login credentials.

What are the four components of SAML?

SAML's standards provide a request/response for exchanging XML messages between these roles. The standard specifies four main components: profiles, assertions, protocol, and binding.


1 Answers

Typically, the intent of the artifact binding is to reduce the flow of SAML messages through the browser itself. This could be due to browser restrictions (browsers that have limits on query string / POST payload size) or no support for JavaScript (for auto-submitted forms), or even to improve the security model of how the SAML messages are transported. By using artifacts, sensitive data carried through the SAML Assertion / Attribute Statement is not passed through the browser, so it can be hidden from the end user or attackers between your site and the end user. This confidential data would only be directly resolved between sites through a back channel lookup.

Section 3.6.2 of the SAML 2.0 Bindings specs summarizes it best:

The HTTP Artifact binding is intended for cases in which the SAML requester and responder need to communicate using an HTTP user agent as an intermediary, but the intermediary's limitations preclude or discourage the transmission of an entire message (or message exchange) through it. This may be for technical reasons or because of a reluctance to expose the message content to the intermediary (and if the use of encryption is not practical). Note that because of the need to subsequently resolve the artifact using another synchronous binding, such as SOAP, a direct communication path must exist between the SAML message sender and recipient in the reverse direction of the artifact's transmission (the receiver of the message and artifact must be able to send a request back to the artifact issuer). The artifact issuer must also maintain state while the artifact is pending, which has implications for load-balanced environments.

like image 190
Scott T. Avatar answered Sep 21 '22 20:09

Scott T.