SAML HTTP Artifact binding sends protocol messages using a direct server-to-server connection between an Identity Provider (IdP) and a Service Provider (SP). We support HTTP Artifact binding for delivering and receiving all SAML message types since Rsk.Saml v5. You can learn more about HTTP Artifact binding from our article Improving SAML SSO Security Using HTTP Artifact Binding.
This page will cover how to configure your SAML SP to send and receive SAML requests and responses using HTTP Artifact binding.
Receive HTTP Artifact Messages
To receive SAML requests and responses from the IdP using HTTP Artifact binding, you need to configure the IdP's Artifact Resolution Endpoint using the configuration option IdentityProviderOptions.ArtifactResolutionEndpoint. This is the IdP's endpoint that your SP will call to resolve an artifact into the actual SAML message. We only support the SOAP binding type for this endpoint.
    .AddSaml2p("saml2p", options =>
    {
        // Other configuration code removed for brevity
        options.IdentityProviderOptions = new IdpOptions
        {
            ArtifactResolutionEndpoint = new SamlEndpoint("https://idp-ars", SamlBindingTypes.Soap)
        };
    });
You can also configure the optional property RequireSignedArtifactResponses based on whether you expect the incoming ArtifactResponse messages to be signed. This defaults to true.
Send HTTP Artifact Messages
If the IdP supports HTTP Artifact binding, you can configure the IdP's SingleSignOnEndpoint with HTTP Artifact binding.
    .AddSaml2p("saml2p", options =>
    {
        // Other configuration code removed for brevity
        options.IdentityProviderOptions = new IdpOptions
        {
            SingleSignOnEndpoint = new SamlEndpoint("https://idp-sso", SamlBindingTypes.HttpArtifact)
        };
    });
The following configuration options (Saml2pAuthenticationOptions) are used for HTTP Artifact binding.
ArtifactResolutionService: This is your ARS endpoint, where the IdP will send back-channel requests to resolve artifacts.
RequireSignedArtifactResolveRequests: Indicates whether the received ArtifactResolve requests must be signed. Defaults to true.
ArtifactLifeTime: The amount of time that an artifact is valid after creation. The IdP must resolve the artifact within this time span. Defaults to 5 minutes.
ArtifactDeliveryBindingType: This is the binding type (HTTP Redirect or HTTP POST) that you want to use to send artifacts via the browser. Defaults to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect.
Check out the SP configuration options for more details.
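The following is an added example, not code from the Rsk.Saml documentation, that combines the receive and send settings above into a single SP registration. It assumes the registration hangs off services.AddAuthentication(), that ArtifactResolutionService takes a SamlEndpoint, that ArtifactLifeTime is a TimeSpan, that ArtifactDeliveryBindingType accepts a SamlBindingTypes constant and that SamlBindingTypes.HttpPost exists; the URLs are placeholders.

```csharp
// Added example (assumptions noted in the lead-in), not the library's own sample.
services.AddAuthentication()
    .AddSaml2p("saml2p", options =>
    {
        // Other configuration code removed for brevity

        // Receiving artifacts from the IdP: the IdP's SSO endpoint delivers an artifact
        // via the browser, and this SP resolves it over SOAP at the IdP's ARS.
        options.IdentityProviderOptions = new IdpOptions
        {
            SingleSignOnEndpoint = new SamlEndpoint(
                "https://idp.example.com/saml/sso", SamlBindingTypes.HttpArtifact),
            ArtifactResolutionEndpoint = new SamlEndpoint(
                "https://idp.example.com/saml/ars", SamlBindingTypes.Soap),

            // Default is true; keep it so that an unsigned or tampered ArtifactResponse
            // is rejected rather than accepted as the IdP's message.
            RequireSignedArtifactResponses = true
        };

        // Sending artifacts to the IdP: the IdP calls this SP's ARS back-channel
        // (assumed SamlEndpoint type) to exchange the artifact for the real request.
        options.ArtifactResolutionService = new SamlEndpoint(
            "https://sp.example.com/saml/ars", SamlBindingTypes.Soap);

        // Default is true; only the IdP, which holds the signing key, can then
        // resolve artifacts this SP has issued.
        options.RequireSignedArtifactResolveRequests = true;

        // Default is 5 minutes; a shorter window (assumed TimeSpan type) limits how long
        // an unresolved artifact stays usable.
        options.ArtifactLifeTime = TimeSpan.FromMinutes(2);

        // Default is HTTP-Redirect; HTTP POST keeps the artifact out of the query string,
        // so it does not land in browser history or proxy and server access logs.
        options.ArtifactDeliveryBindingType = SamlBindingTypes.HttpPost;
    });
```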