In this single sign-on (SSO) scenario, the identity provider (IdP) sends a SAML artifact to the service provider (SP) through an HTTP redirect. The SP uses the artifact to obtain the associated SAML response from the IdP.
1. A user logs on to the IdP.
   If the user has not yet logged on for some reason, he or she is challenged to do so at step 2.
2. The user clicks a link or otherwise requests access to a protected SP resource.
3. After the user requests access, the IdP might also retrieve attributes from the user datastore.
4. The IdP federation server generates an assertion, creates an artifact, and sends an HTTP redirect containing the artifact through the browser to the SP's Assertion Consumer Service (ACS).
5. The ACS extracts the Source ID from the SAML artifact and sends an artifact-resolve message to the identity federation server's Artifact Resolution Service (ARS).
6. The ARS sends a SAML artifact response message containing the previously generated assertion.
7. (Not shown) If the IdP returns a valid SAML assertion to the SP, a session is established on the SP and the browser is redirected to the target resource.
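The artifact exchange described above, as an added example that is not code from the original page or from the product it documents. It simulates both sides offline: the IdP mints an artifact whose Source ID is the SHA-1 of its entity ID (the SAML 2.0 artifact wire format), the SP's ACS parses the artifact, maps the Source ID to a trusted IdP and resolves the message handle at that IdP's ARS, and the ARS hands each assertion out exactly once so that a replayed artifact resolves to nothing. The class names, the `TRUSTED_IDPS` registry and the entity IDs are hypothetical; the assertion is a constructed placeholder, and the ARS call is a direct method call standing in for the back-channel SOAP request.

```python
import base64
import hashlib
import secrets

SAML2_ARTIFACT_TYPE = 0x0004      # type code of the SAML 2.0 artifact format
ARTIFACT_LEN = 2 + 2 + 20 + 20    # TypeCode + EndpointIndex + SourceID + MessageHandle


def source_id(entity_id: str) -> bytes:
    """SourceID is the 20-byte SHA-1 digest of the issuing IdP's entity ID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def encode_artifact(entity_id: str, handle: bytes, endpoint_index: int = 0) -> str:
    """Build the base64 artifact the IdP places in the HTTP redirect to the ACS."""
    if len(handle) != 20:
        raise ValueError("MessageHandle must be 20 bytes")
    raw = (SAML2_ARTIFACT_TYPE.to_bytes(2, "big")
           + endpoint_index.to_bytes(2, "big")
           + source_id(entity_id)
           + handle)
    return base64.b64encode(raw).decode("ascii")


def decode_artifact(artifact: str) -> dict:
    """Split an artifact into its fields, rejecting malformed or wrong-type input."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"artifact must be {ARTIFACT_LEN} bytes, got {len(raw)}")
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != SAML2_ARTIFACT_TYPE:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return {
        "endpoint_index": int.from_bytes(raw[2:4], "big"),
        "source_id": raw[4:24],
        "message_handle": raw[24:44],
    }


class ArtifactResolutionService:
    """IdP side (hypothetical class): holds assertions keyed by handle, each resolvable once."""

    def __init__(self, entity_id: str):
        self.entity_id = entity_id
        self._pending = {}

    def issue_artifact(self, assertion_xml: str) -> str:
        handle = secrets.token_bytes(20)        # unguessable, single-use message handle
        self._pending[handle] = assertion_xml
        return encode_artifact(self.entity_id, handle)

    def resolve(self, handle: bytes):
        # pop() makes the artifact single-use: a second resolve returns None
        return self._pending.pop(handle, None)


class AssertionConsumerService:
    """SP side (hypothetical class): maps SourceID to a trusted IdP and resolves there."""

    def __init__(self, trusted_idps: dict):
        # trusted_idps: entity_id -> ArtifactResolutionService (stands in for the ARS URL)
        self._by_source_id = {source_id(eid): ars for eid, ars in trusted_idps.items()}

    def consume(self, artifact: str) -> str:
        fields = decode_artifact(artifact)
        ars = self._by_source_id.get(fields["source_id"])
        if ars is None:
            raise ValueError("artifact SourceID does not match any trusted IdP")
        assertion = ars.resolve(fields["message_handle"])
        if assertion is None:
            raise ValueError("artifact already resolved or unknown (possible replay)")
        return assertion


# Constructed sample setup: one trusted IdP, one SP, one placeholder assertion.
IDP_ENTITY_ID = "https://idp.example.com"          # hypothetical IdP entity ID
idp_ars = ArtifactResolutionService(IDP_ENTITY_ID)
TRUSTED_IDPS = {IDP_ENTITY_ID: idp_ars}
sp_acs = AssertionConsumerService(TRUSTED_IDPS)
SAMPLE_ASSERTION = '<saml:Assertion ID="_constructed" Version="2.0">...</saml:Assertion>'


def demo_sso_flow():
    """Happy path, then the replay and untrusted-source cases the ACS must reject."""
    artifact = idp_ars.issue_artifact(SAMPLE_ASSERTION)   # IdP redirect carries this
    assertion = sp_acs.consume(artifact)                  # ACS -> ARS resolve
    replay_rejected = False
    try:
        sp_acs.consume(artifact)                          # same artifact presented again
    except ValueError:
        replay_rejected = True
    untrusted = encode_artifact("https://rogue.example.net", b"\x00" * 20)  # constructed
    untrusted_rejected = False
    try:
        sp_acs.consume(untrusted)
    except ValueError:
        untrusted_rejected = True
    return assertion == SAMPLE_ASSERTION, replay_rejected, untrusted_rejected


if __name__ == "__main__":
    print(demo_sso_flow())
```

The two checks in `consume` are the ones worth watching in a real deployment: the Source ID lookup ensures the ACS only ever resolves artifacts at an IdP it was configured to trust, and the single-use handle store at the ARS means an artifact captured from a redirect cannot be resolved a second time.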