Page created: 12 Sep 2019 | Page updated: 18 Mar 2020
In this scenario, the IdP sends a SAML artifact to the SP via either HTTP POST or a redirect (shown in diagram). The SP uses the artifact to obtain the associated SAML response from the IdP.
A user has logged on to the IdP. (If a user has not yet logged on for some reason, he or she is challenged to do so at step 2.)
1. The user clicks a link or otherwise requests access to a protected SP resource.
2. Optionally, the IdP retrieves attributes from the user datastore.
3. The IdP federation server generates an assertion, creates an artifact, and sends an HTTP redirect containing the artifact through the browser to the SP's Assertion Consumer Service (ACS).
4. The ACS extracts the Source ID from the SAML artifact and sends an artifact-resolve message to the IdP federation server's Artifact Resolution Service (ARS).
5. The ARS sends a SAML artifact response message containing the previously generated assertion.
6. (Not shown) If a valid assertion is received, the SP establishes a session and redirects the browser to the target resource.
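The following Python models the artifact handling on both ends of the exchange described above: the IdP side mints an artifact for an assertion, and the ACS side decodes the artifact, checks that its Source ID belongs to a configured IdP before contacting any ARS, builds the artifact-resolve message, and obtains the assertion exactly once. This is an added example, not code from this page or from the product it documents. It assumes the standard SAML 2.0 type-4 artifact layout (2-byte type code, 2-byte endpoint index, 20-byte Source ID that is the SHA-1 of the IdP entity ID, 20-byte message handle); `ArtifactResolutionService` is a toy in-process stand-in for a real ARS, and every entity ID, URL and assertion string is a constructed placeholder.

```python
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Added example (not the page's or the product's code). SAML 2.0 type-4 artifact,
# 44 bytes before base64 encoding:
#   TypeCode (2) | EndpointIndex (2) | SourceID (20 = SHA-1 of IdP entity ID) | MessageHandle (20)
# All entity IDs, URLs and assertion text in this file are constructed placeholders.

TYPE_CODE_0004 = 4
ARTIFACT_LEN = 44
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass(frozen=True)
class Artifact:
    endpoint_index: int
    source_id: bytes
    message_handle: bytes


def source_id_for(entity_id: str) -> bytes:
    """SourceID is the SHA-1 digest of the issuing IdP's entity ID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def parse_artifact(artifact_b64: str) -> Artifact:
    """ACS side: decode the artifact and split out SourceID and MessageHandle."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"artifact is {len(raw)} bytes, expected {ARTIFACT_LEN}")
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != TYPE_CODE_0004:
        raise ValueError(f"unsupported artifact type code {type_code}")
    return Artifact(int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44])


def lookup_trusted_idp(source_id: bytes, trusted_idps: dict) -> Optional[str]:
    """ACS side: map SourceID to a configured IdP's ARS URL; None means do not resolve."""
    for entity_id, ars_url in trusted_idps.items():
        if source_id_for(entity_id) == source_id:
            return ars_url
    return None


def build_artifact_resolve(artifact_b64: str, sp_entity_id: str,
                           request_id: str, issue_instant: str) -> str:
    """ACS side: the samlp:ArtifactResolve sent directly to the ARS (no browser involved)."""
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(f"{{{SAMLP_NS}}}ArtifactResolve",
                      {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = sp_entity_id
    ET.SubElement(root, f"{{{SAMLP_NS}}}Artifact").text = artifact_b64
    return ET.tostring(root, encoding="unicode")


class ArtifactResolutionService:
    """Toy IdP-side ARS: mints one artifact per assertion and releases each assertion once."""

    def __init__(self, idp_entity_id: str):
        self.source_id = source_id_for(idp_entity_id)
        self._pending = {}  # message handle -> assertion XML awaiting resolution

    def issue(self, assertion_xml: str, endpoint_index: int = 0) -> str:
        handle = secrets.token_bytes(20)  # unguessable; the artifact carries no assertion data
        self._pending[handle] = assertion_xml
        raw = (TYPE_CODE_0004.to_bytes(2, "big") + endpoint_index.to_bytes(2, "big")
               + self.source_id + handle)
        return base64.b64encode(raw).decode("ascii")

    def resolve(self, artifact_b64: str) -> Optional[str]:
        """Return the assertion exactly once; None for a foreign, unknown or already-used artifact."""
        art = parse_artifact(artifact_b64)
        if art.source_id != self.source_id:
            return None
        return self._pending.pop(art.message_handle, None)


def run_flow(trusted_idps: dict, idp_entity_id: str, sp_entity_id: str) -> dict:
    """Walk the exchange: IdP issues artifact -> ACS checks SourceID -> ACS resolves it once."""
    ars = ArtifactResolutionService(idp_entity_id)
    artifact = ars.issue("<saml:Assertion>constructed sample</saml:Assertion>")
    art = parse_artifact(artifact)
    ars_url = lookup_trusted_idp(art.source_id, trusted_idps)
    if ars_url is None:  # unknown issuer: stop before any back-channel call
        return {"ars_url": None, "resolve_msg": None, "first": None, "second": None}
    resolve_msg = build_artifact_resolve(artifact, sp_entity_id,
                                         "_req-constructed-1", "2020-03-18T00:00:00Z")
    first = ars.resolve(artifact)   # ARS hands back the assertion
    second = ars.resolve(artifact)  # same artifact presented again: nothing is released
    return {"ars_url": ars_url, "resolve_msg": resolve_msg, "first": first, "second": second}


if __name__ == "__main__":
    idp = "https://idp.example.test/idp"
    print(run_flow({idp: "https://idp.example.test/idp/ARS"}, idp, "https://sp.example.test/sp"))
```

The toy ARS answers in-process so the one-time-use behaviour can be exercised offline; in a deployment the ACS sends the artifact-resolve message to the configured ARS URL over a back channel and validates the returned artifact response, including the assertion inside it, before establishing a session. Refusing to resolve an artifact whose Source ID does not match a configured IdP keeps the SP from making back-channel calls on behalf of arbitrary issuers.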