What is Artifact Binding?
Typically in SAML, the authentication request and assertion data are sent through the browser (HTTP POST or HTTP Redirect binding).
However, in some cases you may not want to expose the entire message to the browser. With the Artifact binding, the message contents are replaced by an artifact: a short reference that the receiver exchanges for the actual message at the sender's artifact resolution endpoint, over a direct back-channel connection rather than through the browser.
Both the Authentication Request and the Assertion can be sent using the Artifact binding.
Note: IDHub (acting as Service Provider) currently only supports getting the Assertion via the artifact binding.
Other use cases are not supported:
- Acting as Service Provider: sending the Authentication Request with an Artifact Binding
- Acting as Identity Provider: receiving the Authentication Request with an Artifact Binding
- Acting as Identity Provider: sending the Assertion with an Artifact Binding
There are no strong indications that the Artifact binding is more or less secure than the POST/Redirect bindings. Because the Artifact binding adds complexity and additional points of failure, it is not our recommended default approach for a SAML integration.
However, there are several reasons why the Artifact binding might be preferred:
- Technical restrictions (e.g. to reduce the size of the message)
- Encryption is not practical or desirable (as this is more CPU intensive)
- Reluctance to expose the message contents to the browser
Because we currently only support getting the assertion via the Artifact binding, the only practical requirement is that the IdP presents its artifact resolution endpoint over TLS.
Although the SAML specification does not mandate how to secure the Artifact binding, we recommend two-way SSL (mutual TLS):
- The client (SP) presents its certificate to the artifact resolution endpoint, so that unauthorized parties cannot access the Artifact Resolution Endpoint.
- The Identity Provider signs the artifact response with its own certificate to prove its authenticity.
Additional measures include allowing the artifact to be resolved only once, and keeping it available for only a limited time (i.e. several minutes).
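The following added example (not IDHub code; written for this page) models the full artifact flow described above: the IdP issues a SAML 2.0 artifact (type code 0x0004, endpoint index, SourceID = SHA-1 of the IdP entityID, 20-byte random message handle), the SP decodes it, routes by SourceID, resolves it over the back-channel, and the IdP enforces a client-certificate check, single-use resolution and a time-to-live before returning a signed response. Assumptions: the in-process `resolve()` call stands in for the HTTPS back-channel, the `client_cert_ok` flag stands in for the mutual-TLS handshake result, the HMAC stands in for the XML signature on the real ArtifactResponse, and the entity ID and assertion strings are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time
from typing import Optional

# Constructed demo values; in a real deployment these come from SAML metadata.
IDP_ENTITY_ID = "https://idp.example.test/saml"
ARTIFACT_TYPE_CODE = 0x0004   # SAML 2.0 artifact type code
ARTIFACT_TTL_SECONDS = 300    # "several minutes", as suggested in the text
# Stand-in for the IdP signing certificate: an HMAC key (assumption, not a real XML signature)
IDP_SIGNING_KEY = secrets.token_bytes(32)


def source_id(entity_id: str) -> bytes:
    """SAML 2.0 SourceID: SHA-1 digest (20 bytes) of the issuer's entityID."""
    return hashlib.sha1(entity_id.encode()).digest()


def encode_artifact(entity_id: str, endpoint_index: int, handle: bytes) -> str:
    """TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20), base64-encoded."""
    raw = struct.pack(">HH", ARTIFACT_TYPE_CODE, endpoint_index) + source_id(entity_id) + handle
    return base64.b64encode(raw).decode()


def decode_artifact(artifact: str) -> dict:
    """Parse an artifact; reject anything that is not a well-formed type 0x0004 artifact."""
    raw = base64.b64decode(artifact)
    if len(raw) != 44:
        raise ValueError("unexpected artifact length")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE_CODE:
        raise ValueError("unsupported artifact type")
    return {"endpoint_index": endpoint_index, "source_id": raw[4:24], "handle": raw[24:44]}


def sign(key: bytes, body: dict) -> dict:
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, payload, "sha256").hexdigest()}


def verify(key: bytes, resp: dict) -> bool:
    payload = json.dumps(resp["body"], sort_keys=True).encode()
    return hmac.compare_digest(hmac.new(key, payload, "sha256").hexdigest(), resp["sig"])


class IdentityProvider:
    """Issues artifacts and resolves them on the back-channel; enforces single use and TTL."""

    def __init__(self, entity_id, signing_key, ttl, clock=time.time):
        self.entity_id, self.signing_key, self.ttl, self.clock = entity_id, signing_key, ttl, clock
        self._store = {}  # message handle -> (assertion, issued_at)

    def issue_artifact(self, assertion: str, endpoint_index: int = 0) -> str:
        handle = secrets.token_bytes(20)
        self._store[handle] = (assertion, self.clock())
        return encode_artifact(self.entity_id, endpoint_index, handle)

    def resolve(self, artifact: str, client_cert_ok: bool) -> dict:
        if not client_cert_ok:  # mutual TLS: SP must present an acceptable client certificate
            raise PermissionError("artifact resolution requires a client certificate")
        entry = self._store.pop(decode_artifact(artifact)["handle"], None)  # pop => single use
        if entry is None:  # unknown or already resolved: respond without an assertion
            return sign(self.signing_key, {"status": "Success", "assertion": None})
        assertion, issued_at = entry
        if self.clock() - issued_at > self.ttl:  # expired: same empty response
            return sign(self.signing_key, {"status": "Success", "assertion": None})
        return sign(self.signing_key, {"status": "Success", "assertion": assertion})


class ServiceProvider:
    def __init__(self, idp_entity_id, idp_verify_key, idp):
        self.idp_source_id = source_id(idp_entity_id)
        self.verify_key = idp_verify_key
        self.idp = idp  # stands in for the TLS back-channel to the resolution endpoint

    def consume_artifact(self, artifact: str) -> Optional[str]:
        parts = decode_artifact(artifact)
        if parts["source_id"] != self.idp_source_id:  # route only to the configured IdP
            raise ValueError("artifact SourceID does not match a configured IdP")
        resp = self.idp.resolve(artifact, client_cert_ok=True)
        if not verify(self.verify_key, resp):
            raise ValueError("ArtifactResponse signature invalid")
        return resp["body"]["assertion"]


def run_demo():
    """Returns (first resolution, replay attempt, expired artifact) for the demo IdP/SP pair."""
    now = [1_000_000.0]
    idp = IdentityProvider(IDP_ENTITY_ID, IDP_SIGNING_KEY, ARTIFACT_TTL_SECONDS, lambda: now[0])
    sp = ServiceProvider(IDP_ENTITY_ID, IDP_SIGNING_KEY, idp)
    art = idp.issue_artifact("<Assertion>alice</Assertion>")
    first = sp.consume_artifact(art)     # assertion returned
    replay = sp.consume_artifact(art)    # None: artifact is single use
    art2 = idp.issue_artifact("<Assertion>bob</Assertion>")
    now[0] += ARTIFACT_TTL_SECONDS + 1
    expired = sp.consume_artifact(art2)  # None: TTL elapsed
    return first, replay, expired


if __name__ == "__main__":
    print(run_demo())
```

The SP never trusts the artifact itself; it only uses the SourceID to pick which IdP to call and relies on the signed back-channel response for the assertion, which is why the signature check and the single-use/TTL enforcement on the IdP side carry the security of the exchange.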