How does Artifact Resolution work?

  • Question

  • I see almost nothing written about Artifact Resolution in ADFS.

    Can someone tell me how it works?

    We have an environment where our web application is the RP, and we are using ADFS as a Federation Provider.

    Over time, we expect to onboard many of our enterprise clients as IPs (registered as Claims Providers in ADFS).

    If those IPs choose to use Passive Requester along with Artifact Resolution, how does the resolution happen?

    Does ADFS make the backchannel calls to resolve and then forward a fully filled token to our application? Or does our application have to make the backchannel calls?

    If the latter, what happens in the active scenario? Does our web service have to make the backchannel calls?

    I don't have an IP with which I can test this out. Any information would be appreciated.

    Bill
    Saturday, November 20, 2010 1:00 AM

All replies

    http://www.oasis-open.org/committees/download.php/35387/sstc-saml-bindings-errata-2.0-wd-05-diff.pdf

    3.6 HTTP Artifact Binding

    In the HTTP Artifact binding, the SAML request, the SAML response, or both are transmitted by reference using a small stand-in called an artifact. A separate, synchronous binding, such as the SAML SOAP binding, is used to exchange the artifact for the actual protocol message using the artifact resolution protocol defined in the SAML assertions and protocols specification [SAMLCore].

    This binding MAY be composed with the HTTP Redirect binding (see Section 3.4) and the HTTP POST binding (see Section 3.5).

    You will want to read this entire section of the spec to understand how the Artifact binding is used in SAML 2.0. AD FS 2.0 uses SAMLArt encoded in the query string of the URL. The ArtifactResolve request and response are handled via SOAP. For active scenarios, you may want to explore the various WS-Trust bindings.

     

    I hope this helps,

    Adam Conkle - MSFT

    Sunday, January 30, 2011 4:52 PM
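
The exchange described in the reply above, as an added example that is not part of the thread and is not AD FS code: it decodes a SAML 2.0 type 0x0004 artifact from the `SAMLArt` query parameter, checks that its SourceID is the SHA-1 of the expected issuer's entityID, and builds the SOAP 1.1 `ArtifactResolve` message that the recipient of the artifact sends over the back channel. The entity IDs, URL and message handle are constructed sample values; signing the request and the TLS call to the resolution endpoint are left out.

```python
import base64, hashlib, hmac, struct, uuid
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def parse_artifact(url):
    """Decode the SAMLArt query parameter as a type 0x0004 artifact."""
    b64 = parse_qs(urlparse(url).query)["SAMLArt"][0]
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 44:  # 2 TypeCode + 2 EndpointIndex + 20 SourceID + 20 MessageHandle
        raise ValueError("type 0x0004 artifact must be exactly 44 bytes")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != 0x0004:
        raise ValueError(f"unsupported artifact type {type_code:#06x}")
    return {"b64": b64, "endpoint_index": endpoint_index,
            "source_id": raw[4:24], "message_handle": raw[24:]}

def issuer_matches(artifact, entity_id):
    """SourceID must equal SHA-1(entityID) of the issuer we expect."""
    expected = hashlib.sha1(entity_id.encode("utf-8")).digest()
    return hmac.compare_digest(artifact["source_id"], expected)

def build_artifact_resolve(artifact, resolver_entity_id):
    """SOAP 1.1 envelope carrying <samlp:ArtifactResolve> (unsigned here)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<samlp:ArtifactResolve xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now}">'
        f'<saml:Issuer>{escape(resolver_entity_id)}</saml:Issuer>'
        f'<samlp:Artifact>{artifact["b64"]}</samlp:Artifact>'
        f'</samlp:ArtifactResolve></soap:Body></soap:Envelope>'
    )

# Constructed sample values (assumptions, not taken from the thread).
ISSUER = "https://idp.example.com/saml"      # hypothetical artifact issuer
RESOLVER = "https://rp.example.com/saml"     # hypothetical artifact recipient
_raw = struct.pack(">HH", 0x0004, 0) + hashlib.sha1(ISSUER.encode()).digest() + bytes(range(20))
SAMPLE_URL = "https://rp.example.com/acs?" + urlencode(
    {"SAMLArt": base64.b64encode(_raw).decode(), "RelayState": "abc"})

if __name__ == "__main__":
    art = parse_artifact(SAMPLE_URL)
    print(art["endpoint_index"], issuer_matches(art, ISSUER))
    print(build_artifact_resolve(art, RESOLVER))
```

The EndpointIndex selects which of the issuer's artifact resolution endpoints (from its metadata) receives the SOAP request, and the SourceID check keeps the recipient from sending an artifact to an issuer it did not come from.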