SAML web browser SSO with HTTP artifact binding

With Artifact binding, only an Artifact issued by Airlock IAM (IDP) is transmitted through the client's web browser to the SP.

The SAML Assertion itself is retrieved by the SP through a web service call directly to Airlock IAM:

  1. (Optional; this step can be skipped) The user tries to access the service provided by the SP with his browser. Since the user is not authenticated, the SP redirects him to Airlock IAM to obtain an Assertion. This redirect carries an 'Authentication Request' of the SP so that Airlock IAM knows where the user initially intended to go.
  2. If step 1 is performed, the process is called "SP-initiated SSO"; otherwise (when the user starts on the IDP, which then has to know by some other means where to send the user) it is called "IDP-initiated SSO".

  3. Airlock IAM authenticates the user and, after successful authentication, generates a SAML Assertion stating that the user was authenticated (the SAML Assertion can also carry additional information about the user and the authentication performed). Airlock IAM also generates a (largely) random Artifact that serves as an opaque handle to the Assertion: the Artifact itself reveals nothing about the Assertion's content.
  4. Airlock IAM sends the browser an HTTP redirect to the SP that carries the SAML Artifact.
  5. The browser sends the SAML Artifact to the SP.
  6. The SP contacts Airlock IAM via web service (SOAP) and retrieves the SAML Assertion that belongs to the given Artifact. The SP then validates the SAML Assertion and decides whether to accept it. If the Assertion is accepted by the SP, access to the service provided by the SP is granted.

Note that if Airlock IAM is deployed behind Airlock Gateway (WAF), the first request (the sign-on attempt) typically goes directly to Airlock IAM rather than to the SP, since Airlock Gateway (WAF) prevents a user who is not yet authenticated from contacting the SP directly.
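The six steps above, as an added example that is not Airlock IAM's code or API: a simulated IDP issues an Artifact and keeps the Assertion server-side, the browser carries only the Artifact, and the SP resolves it over the direct IDP-to-SP path, validates the Assertion and rejects replays, Artifacts from an untrusted source and expired Assertions. The Artifact layout (type code 0x0004, endpoint index, SourceID = SHA-1 of the issuer's entity ID, 20-byte message handle) follows the SAML 2.0 Bindings specification; the SOAP ArtifactResolve/ArtifactResponse exchange of step 6 is reduced to a direct method call, and the entity IDs, lifetimes and the in-memory store are assumptions.

```python
"""Constructed SAML 2.0 HTTP-Artifact flow: IdP issues an artifact, SP resolves it
over a back channel, validates the assertion and rejects replays/untrusted sources.
Example code only; entity IDs, lifetimes and the in-memory store are assumptions."""
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed entity IDs (not taken from the page).
IDP_ENTITY_ID = "https://idp.example.com/saml"
SP_ENTITY_ID = "https://sp.example.com/saml"

ARTIFACT_TYPE_CODE = b"\x00\x04"  # SAML 2.0 "type 4" artifact


def source_id(entity_id: str) -> bytes:
    """SourceID is the SHA-1 of the issuer's entity ID (SAML 2.0 Bindings, section 3.6.4)."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def encode_artifact(endpoint_index: int, src: bytes, handle: bytes) -> str:
    """TypeCode(2) || EndpointIndex(2) || SourceID(20) || MessageHandle(20), base64-encoded."""
    raw = ARTIFACT_TYPE_CODE + endpoint_index.to_bytes(2, "big") + src + handle
    return base64.b64encode(raw).decode("ascii")


def decode_artifact(artifact: str) -> Tuple[int, bytes, bytes]:
    """Parse a type-4 artifact; reject anything of the wrong shape before using it."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44 or raw[:2] != ARTIFACT_TYPE_CODE:
        raise ValueError("not a SAML 2.0 type-4 artifact")
    return int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44]


@dataclass(frozen=True)
class Assertion:
    issuer: str
    subject: str
    audience: str          # the SP this assertion is meant for
    not_before: float
    not_on_or_after: float


class IdP:
    """Stand-in for the IDP side (the role Airlock IAM plays in the text)."""

    def __init__(self, entity_id: str) -> None:
        self.entity_id = entity_id
        self._pending: Dict[bytes, Assertion] = {}   # message handle -> assertion

    def issue_artifact(self, subject: str, audience: str, lifetime: float = 300.0) -> str:
        """Steps 3/4: build the assertion, keep it server-side, hand out only the handle."""
        now = time.time()
        assertion = Assertion(self.entity_id, subject, audience, now, now + lifetime)
        handle = secrets.token_bytes(20)                # unguessable message handle
        self._pending[handle] = assertion
        return encode_artifact(0, source_id(self.entity_id), handle)

    def resolve(self, requester: str, handle: bytes) -> Optional[Assertion]:
        """Step 6, IDP side: the ArtifactResolve back channel. Single use by design."""
        assertion = self._pending.pop(handle, None)     # pop: a replayed artifact finds nothing
        if assertion is None or assertion.audience != requester:
            return None                                 # unknown, already used, or for another SP
        return assertion


class SP:
    """Stand-in for the service provider; `back_channel` models the direct IDP<->SP path."""

    def __init__(self, entity_id: str, trusted_idp: str, back_channel: IdP) -> None:
        self.entity_id = entity_id
        self.trusted_idp = trusted_idp
        self.back_channel = back_channel

    def consume_artifact(self, artifact: str, now: Optional[float] = None) -> str:
        """Steps 5/6, SP side. Returns the authenticated subject or raises PermissionError."""
        now = time.time() if now is None else now
        _endpoint_index, src, handle = decode_artifact(artifact)
        # Only resolve artifacts that claim to come from the IDP we trust.
        if src != source_id(self.trusted_idp):
            raise PermissionError("artifact SourceID does not match the trusted IdP")
        assertion = self.back_channel.resolve(self.entity_id, handle)
        if assertion is None:
            raise PermissionError("artifact unknown, already used, or not for this SP")
        # Validate what came back over the back channel, never what the browser sent.
        if assertion.issuer != self.trusted_idp:
            raise PermissionError("assertion issuer is not the trusted IdP")
        if assertion.audience != self.entity_id:
            raise PermissionError("assertion audience mismatch")
        if not (assertion.not_before <= now < assertion.not_on_or_after):
            raise PermissionError("assertion outside its validity window")
        return assertion.subject


if __name__ == "__main__":
    idp = IdP(IDP_ENTITY_ID)
    sp = SP(SP_ENTITY_ID, IDP_ENTITY_ID, idp)
    art = idp.issue_artifact("alice", SP_ENTITY_ID)
    print("artifact carried by the browser:", art)
    print("SP granted access to:", sp.consume_artifact(art))
```

The point of the split is visible in what each side holds: the browser only ever sees the 44-byte Artifact, the Assertion travels exclusively over the IDP-to-SP path, and because the IDP discards the handle on the first resolve, an Artifact that leaks from a browser history or proxy log resolves to nothing on a second attempt. In a real deployment the SP must also check the signature on the ArtifactResponse and authenticate the back-channel (TLS with a known IDP certificate), which this in-process simulation cannot show.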

Advantages

  • No information is exposed to the system running the browser (only the opaque Artifact passes through it).
  • No JavaScript support is needed.

Drawbacks

  • A direct communication path between Airlock IAM and the SP is necessary (for the SOAP call that resolves the Artifact).