In this scenario, the IdP sends a SAML artifact to the SP via an HTTP redirect. The SP uses the artifact to obtain the associated SAML response from the IdP.

IdP-initiated SSO: artifact

Processing steps:

  1. A user has logged on to the IdP.
    (If the user has not yet logged on for some reason, he or she is challenged to do so at step 2.)
  2. The user clicks a link or otherwise requests access to a protected SP resource.
  3. Optionally, the IdP retrieves attributes from the user datastore.
  4. The IdP federation server generates an assertion, creates an artifact, and sends an HTTP redirect containing the artifact through the browser to the SP's Assertion Consumer Service (ACS).
  5. The ACS extracts the Source ID from the SAML artifact and sends an artifact-resolve message to the identity federation server's Artifact Resolution Service (ARS).
  6. The ARS sends a SAML artifact response message containing the previously generated assertion.
  7. (Not shown) If a valid assertion is received, the SP establishes a session and redirects the browser to the target resource.
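
The Source ID lookup in step 5, as an added example (not code from the product this page documents). It assumes the standard SAML 2.0 type 0x0004 artifact layout, which this page does not spell out: a 2-byte type code, a 2-byte endpoint index, a 20-byte Source ID (the SHA-1 hash of the IdP's entity ID) and a 20-byte message handle. The entity ID, ARS URL, `TRUSTED_IDPS` table and function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from typing import NamedTuple

TYPE_CODE_SAML2 = b"\x00\x04"  # SAML 2.0 artifact type code
ARTIFACT_LEN = 44              # 2 + 2 + 20 + 20 bytes

# Hypothetical SP-side trust configuration: IdP entity ID -> ARS endpoint.
TRUSTED_IDPS = {
    "https://idp.example.com/saml": "https://idp.example.com/ars",
}

class Artifact(NamedTuple):
    endpoint_index: int
    source_id: bytes
    message_handle: bytes

def parse_artifact(b64: str) -> Artifact:
    """Decode the artifact received at the ACS and split it into its fields."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("artifact is not valid base64") from exc
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("unexpected artifact length")
    if raw[:2] != TYPE_CODE_SAML2:
        raise ValueError("unsupported artifact type code")
    return Artifact(int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44])

def resolve_ars(artifact: Artifact) -> str:
    """Map the Source ID to a configured IdP; never derive the URL from the request."""
    for entity_id, ars_url in TRUSTED_IDPS.items():
        expected = hashlib.sha1(entity_id.encode()).digest()
        if hmac.compare_digest(expected, artifact.source_id):
            return ars_url
    raise LookupError("Source ID does not match any trusted IdP")

def build_sample_artifact(entity_id: str, index: int = 0) -> str:
    """Construct a sample artifact for the demo (random message handle)."""
    body = (TYPE_CODE_SAML2 + index.to_bytes(2, "big")
            + hashlib.sha1(entity_id.encode()).digest() + os.urandom(20))
    return base64.b64encode(body).decode()
```

An artifact whose Source ID matches no configured IdP is rejected before any artifact-resolve message is sent, so the SP only ever contacts ARS endpoints it was configured to trust.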