IdP-initiated SSO--Artifact
A diagram illustrating the IdP-initiated SSO artifact process between the IdP, the browser interface, and the SP.

Processing steps

  1. A user logs on to the IdP.

    If the user has not yet logged on, he or she is challenged to do so at step 2.

  2. The user clicks a link or otherwise requests access to a protected SP resource.
  3. After the user requests access, the IdP might also retrieve attributes from the user datastore.
  4. The IdP federation server generates an assertion, creates an artifact, and sends an HTTP redirect containing the artifact through the browser to the SP's Assertion Consumer Service (ACS).
  5. The ACS extracts the Source ID from the SAML artifact and sends an artifact-resolve message to the identity federation server's Artifact Resolution Service (ARS).
  6. The ARS sends a SAML artifact response message containing the previously generated assertion.
  7. (Not shown) If the IdP returns a valid SAML assertion to the SP, a session is established on the SP and the browser is redirected to the target resource.
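
The Source ID extraction in step 5, as an added example that is not part of the original page or any product's code. It assumes the SAML 2.0 artifact format (type 0x0004: 2-byte TypeCode, 2-byte EndpointIndex, 20-byte SourceID that is the SHA-1 of the issuer's entityID, 20-byte MessageHandle); the trust table, URLs and function names are hypothetical.

```python
import base64
import binascii
import hashlib
import hmac
import struct

# Constructed trust configuration: IdP entityID -> ARS endpoint (hypothetical values).
TRUSTED_IDPS = {
    "https://idp.example.com": "https://idp.example.com/ars",
}

ARTIFACT_LEN = 44  # 2 (TypeCode) + 2 (EndpointIndex) + 20 (SourceID) + 20 (MessageHandle)


def source_id_for(entity_id: str) -> bytes:
    """SAML 2.0 type 0x0004 SourceID: SHA-1 hash of the issuer's entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def parse_artifact(b64_artifact: str):
    """Decode a type 0x0004 artifact; raise ValueError on anything malformed."""
    try:
        raw = base64.b64decode(b64_artifact, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("artifact is not valid base64") from exc
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("unexpected artifact length")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != 0x0004:
        raise ValueError("unsupported artifact type")
    return endpoint_index, raw[4:24], raw[24:44]


def resolve_target(b64_artifact: str):
    """Return (entity_id, ars_url) for the issuing IdP, or raise ValueError.

    The ARS address comes only from local configuration keyed by SourceID,
    never from anything else in the incoming request.
    """
    _, source_id, _ = parse_artifact(b64_artifact)
    for entity_id, ars_url in TRUSTED_IDPS.items():
        if hmac.compare_digest(source_id, source_id_for(entity_id)):
            return entity_id, ars_url
    raise ValueError("artifact issued by unknown SourceID")


def make_sample_artifact(entity_id: str, handle: bytes = b"\x01" * 20) -> str:
    """Build a constructed artifact for demonstration only."""
    raw = struct.pack(">HH", 4, 0) + source_id_for(entity_id) + handle
    return base64.b64encode(raw).decode("ascii")
```

An artifact whose SourceID does not match a configured IdP is rejected before any artifact-resolve message is sent.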