In this scenario, the SP sends an authentication request to the IdP via HTTP POST. The returned SAML assertion is redirected through the user's browser. The response contains a SAML artifact .

SP-initiated SSO: POST/artifact

Processing steps:

  1. A user requests access to a protected SP resource. The user is not logged on to the site. The request is redirected to the federation server to handle authentication.
  2. The federation server sends an HTML form back to the browser with a SAML request for authentication from the IdP. The HTML form is automatically posted to the IdP's SSO service.
  3. If the user is not already logged on to the IdP site or if re-authentication is required, the IdP asks for credentials (for example, ID and password) and the user logs on.
  4. Additional information about the user may be retrieved from the user datastore for inclusion in the SAML response. (These attributes are predetermined as part of the federation agreement between the IdP and the SP—see User attributes.)
  5. The IdP federation server generates an assertion, creates an artifact, and sends an HTTP redirect containing the artifact through the browser to the SP's Assertion Consumer Service (ACS).
  6. The ACS extracts the source ID from the SAML artifact and sends an artifact-resolve message to the federation server's Artifact Resolution Service (ARS).
  7. The ARS sends a SAML artifact response message containing the previously generated assertion.
  8. (Not shown) If a valid assertion is received, a session is established on the SP and the browser is redirected to the target resource.