Menu
I've seen a bunch of flow chart on how it is passed around between Identity Provider (IdP), Service Provider (SP), and Browser via Redirects. However it seems unnecessary to me right now, so i know i'm missing something.
Can someone provide me a use case where a SAML Artifact is required (or very useful) compared to not using one?
Thank you.
704
HTTP artifact is a binding in which a SAML request or response (or both) is transmitted by reference by using a unique identifier that is called an artifact. A separate binding, such as a SOAP binding, is used to exchange the artifact for the actual protocol message.
Unlike the SAML front-channel bindings, HTTP Redirect and HTTP POST, which perform SSO in the full view of the browser, the HTTP Artifact binding sends protocol messages using back-channel communication.
What is SAML? SAML is an acronym used to describe the Security Assertion Markup Language (SAML). Its primary role in online security is that it enables you to access multiple web applications using one set of login credentials.
SAML's standards provide a request/response for exchanging XML messages between these roles. The standard specifies four main components: profiles, assertions, protocol, and binding.
Typically, the intent of the artifact binding is to reduce the flow of SAML messages through the browser itself. This could be due to browser restrictions (browsers that have limits on query string / POST payload size) or no support for JavaScript (for auto-submitted forms), or even to improve the security model of how the SAML messages are transported. By using artifacts, sensitive data carried through the SAML Assertion / Attribute Statement is not passed through the browser, so it can be hidden from the end user or attackers between your site and the end user. This confidential data would only be directly resolved between sites through a back channel lookup.
Section 3.6.2 of the SAML 2.0 Bindings specs summarizes it best:
The HTTP Artifact binding is intended for cases in which the SAML requester and responder need to communicate using an HTTP user agent as an intermediary, but the intermediary's limitations preclude or discourage the transmission of an entire message (or message exchange) through it. This may be for technical reasons or because of a reluctance to expose the message content to the intermediary (and if the use of encryption is not practical). Note that because of the need to subsequently resolve the artifact using another synchronous binding, such as SOAP, a direct communication path must exist between the SAML message sender and recipient in the reverse direction of the artifact's transmission (the receiver of the message and artifact must be able to send a request back to the artifact issuer). The artifact issuer must also maintain state while the artifact is pending, which has implications for load-balanced environments.
190
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
