PingFederate Server

IdP-initiated SSO—Artifact

In this single sign-on (SSO) scenario, the identity provider (IdP) sends a SAML artifact to the service provider (SP) through an HTTP redirect. The SP uses the artifact to obtain the associated SAML response from the IdP.

Figure: IdP-initiated SSO—Artifact. A diagram illustrating the IdP-initiated SSO artifact process between the IdP, the browser interface, and the SP.

Processing steps

  1. A user logs on to the IdP.

    If the user has not yet logged on, they are challenged to do so at step 2.

  2. The user clicks a link or otherwise requests access to a protected SP resource.

  3. After the user requests access, the IdP might also retrieve attributes from the user datastore.

  4. The IdP federation server generates an assertion, creates an artifact, and sends an HTTP redirect containing the artifact through the browser to the SP’s Assertion Consumer Service (ACS).

  5. The ACS extracts the Source ID from the SAML artifact and sends a SAML artifact-resolve message to the IdP federation server’s Artifact Resolution Service (ARS).

  6. The ARS sends a SAML artifact response message containing the previously generated assertion.

  7. (Not shown) If the IdP returns a valid SAML assertion to the SP, a session is established on the SP and the browser is redirected to the target resource.
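An added Python example (not PingFederate's own code) of steps 4 and 5: the IdP packs a type 0x0004 SAML artifact, and the SP's ACS decodes it, maps the Source ID back to a registered IdP, and builds the artifact-resolve message for that IdP's ARS. The entity IDs, the ARS URL, and the derivation of the Source ID as the SHA-1 of the issuer's entity ID are assumptions.

```python
import base64
import hashlib
import os
import uuid
from datetime import datetime, timezone

# Constructed trust table of the SP's registered IdP partners (sample values).
KNOWN_IDPS = {
    "https://idp.example.com": "https://idp.example.com/idp/ARS.ssaml2",
}

def source_id_for(entity_id):
    # Assumption: Source ID is the SHA-1 of the issuer's entity ID, the derivation
    # the SAML 2.0 Bindings spec recommends; deployments may use another 20-byte value.
    return hashlib.sha1(entity_id.encode()).digest()

def make_artifact(entity_id, endpoint_index=0, handle=None):
    # IdP side (step 4): type code 0x0004, endpoint index, 20-byte Source ID,
    # 20-byte random message handle, all base64-encoded.
    handle = handle or os.urandom(20)
    raw = ((0x0004).to_bytes(2, "big") + endpoint_index.to_bytes(2, "big")
           + source_id_for(entity_id) + handle)
    return base64.b64encode(raw).decode()

def parse_artifact(artifact_b64):
    # SP side (step 5): decode and validate the layout before trusting any field.
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 44:
        raise ValueError(f"artifact must be 44 bytes, got {len(raw)}")
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != 0x0004:
        raise ValueError(f"unsupported artifact type code 0x{type_code:04x}")
    return {"endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24], "message_handle": raw[24:44]}

def resolve_issuer(artifact_b64):
    # Map the Source ID to a registered IdP; an unknown Source ID is rejected
    # rather than resolved against an endpoint taken from an untrusted artifact.
    fields = parse_artifact(artifact_b64)
    for entity_id, ars_url in KNOWN_IDPS.items():
        if fields["source_id"] == source_id_for(entity_id):
            return entity_id, ars_url
    raise ValueError("Source ID matches no registered IdP; refusing to resolve")

def build_artifact_resolve(sp_entity_id, artifact_b64):
    # The <samlp:ArtifactResolve> the ACS sends to the ARS over the back channel.
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_{uuid.uuid4().hex}" '
            f'Version="2.0" IssueInstant="{issued}"><saml:Issuer>{sp_entity_id}</saml:Issuer>'
            f'<samlp:Artifact>{artifact_b64}</samlp:Artifact></samlp:ArtifactResolve>')
```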