SAML HTTP Artifact binding sends protocol messages using a direct server-to-server connection between an Identity Provider (IdP) and a Service Provider (SP). We support HTTP Artifact binding for delivering and receiving all SAML message types since Rsk.Saml v5. You can learn more about HTTP Artifact binding from our article Improving SAML SSO Security Using HTTP Artifact Binding.
This page will cover how to configure your SAML IdP to send and receive SAML requests and responses using HTTP Artifact binding.
Receive HTTP Artifact Messages
To receive SAML requests and responses from an SP, you must configure their ArtifactResolutionServices. These are the SP's endpoints that your IdP will call to resolve an artifact into the actual SAML message. We only support the SOAP binding type for this endpoint.
You can also configure the optional property RequireSignedArtifactResponses, based on whether you expect the incoming ArtifactResponse messages to be signed. This option can be set globally using SamlIdpOptions or per ServiceProvider. Defaults to true.
new ServiceProvider
{
    ArtifactResolutionServices = { new Service(SamlConstants.BindingTypes.Soap, "https://sp-ars") },
    RequireSignedArtifactResponses = true,
    // other configuration
}
Send HTTP Artifact Messages
If the SP supports HTTP Artifact binding, you can configure an Assertion Consumer Service (ACS) endpoint that uses HTTP Artifact binding.
new ServiceProvider
{
    AssertionConsumerServices = { new Service(SamlConstants.BindingTypes.HttpArtifact, "https://sp-acs") },
    // other configuration
}
The following optional configuration options are used for HTTP Artifact binding. These can be configured globally or per ServiceProvider.
RequireSignedArtifactResolveRequests: Indicates if the received ArtifactResolve requests must be signed. Defaults to true.
ArtifactLifeTime: The amount of time that an artifact is valid after creation. The SP must resolve the artifact within this time span. Defaults to 5 minutes.
ArtifactDeliveryBindingType: The binding type (HTTP Redirect or HTTP POST) that you want to use to send artifacts via the browser. Defaults to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect.
Check out the IdP global configuration options and ServiceProvider specific options for more details.
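The following is an added example, not code from the Rsk.Saml documentation, that puts both halves of this page together: global artifact settings on SamlIdpOptions and a ServiceProvider that both sends and receives artifacts, with a per-SP override. The namespaces in the using lines, the TimeSpan type of ArtifactLifeTime, the EntityId property, and all URLs are assumptions.

```csharp
using System;
using Rsk.Saml.Configuration;   // SamlIdpOptions (namespace assumed)
using Rsk.Saml.Models;          // ServiceProvider, Service, SamlConstants (namespace assumed)

public static class ArtifactBindingConfig
{
    // Global settings, applied to every ServiceProvider unless overridden per SP.
    public static void ConfigureGlobal(SamlIdpOptions options)
    {
        // Both signing requirements already default to true; setting them explicitly
        // makes the decision visible to anyone reviewing the IdP configuration.
        options.RequireSignedArtifactResolveRequests = true;
        options.RequireSignedArtifactResponses = true;

        // Shorter than the 5 minute default: an artifact is a short-lived reference the
        // SP should exchange immediately, so a narrow window limits the replay opportunity.
        options.ArtifactLifeTime = TimeSpan.FromMinutes(2);   // TimeSpan type assumed

        // Send artifacts in a POST body instead of the default HTTP-Redirect query string,
        // keeping them out of browser history, proxy logs and Referer headers.
        options.ArtifactDeliveryBindingType = SamlConstants.BindingTypes.HttpPost;
    }

    // One SP that uses HTTP Artifact binding in both directions.
    public static ServiceProvider HardenedServiceProvider() => new ServiceProvider
    {
        EntityId = "https://sp.example.test",   // property name and value assumed

        // Inbound: the SP endpoint the IdP calls (SOAP only) to resolve an artifact the SP
        // delivered through the browser into the real AuthnRequest or LogoutRequest.
        ArtifactResolutionServices =
        {
            new Service(SamlConstants.BindingTypes.Soap, "https://sp.example.test/saml/ars")
        },

        // Outbound: the SP's ACS that receives the artifact the IdP issues for its Response.
        AssertionConsumerServices =
        {
            new Service(SamlConstants.BindingTypes.HttpArtifact, "https://sp.example.test/saml/acs")
        },

        // Per-SP override: this SP resolves artifacts promptly, so tighten the global window.
        ArtifactLifeTime = TimeSpan.FromMinutes(1),
        RequireSignedArtifactResponses = true
    };
}
```

Pass ConfigureGlobal to the options callback you already use when registering the SAML IdP, and register the returned ServiceProvider with whichever service provider store your IdP uses.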