The Browser/Artifact SSO profile of SAML 1.1 (see resources) is supported by ShibOnedotThree and later. Although it is not the default SSO profile used in most Shibboleth deployments, it has some advantages over BrowserPOST and can be used by agreement between capable IdPs and SPs.

In this profile, the IdP does not return the authentication assertion to the SP directly, but instead returns an opaque reference to the assertion. This reference, called an artifact, is transmitted to the SP's AssertionConsumerService by an HTTP redirect, which results in an HTTP GET operation at the SP. When the SP receives the artifact, it dereferences it to acquire the original assertion by accessing the IdP's artifact resolution service.
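The redirect and the SP-side handling of the artifact can be sketched as follows. This is an added example, not code from Shibboleth or from the original page. It assumes the SAML 1.1 type 0x0001 artifact layout (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle, base64-encoded in the `SAMLart` query parameter alongside `TARGET`) with the SourceID taken as the SHA-1 of the IdP's provider ID; all URLs, provider IDs and function names are constructed.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed layout (SAML 1.1 type 0x0001): type code | SourceID | AssertionHandle
TYPE_0001 = b"\x00\x01"
ARTIFACT_LEN = 2 + 20 + 20

# Constructed sample: IdP provider ID -> its artifact resolution endpoint.
TRUSTED_IDPS = {
    "https://idp.example.org/shibboleth": "https://idp.example.org/artifact-resolution",
}

def source_id(provider_id):
    """Assumption: SourceID is the SHA-1 digest of the IdP's provider ID."""
    return hashlib.sha1(provider_id.encode("utf-8")).digest()

SOURCE_ID_INDEX = {source_id(p): p for p in TRUSTED_IDPS}

def build_redirect(acs_url, provider_id, handle, target):
    """IdP side: wrap a 20-byte assertion handle and redirect the browser to the SP."""
    artifact = base64.b64encode(TYPE_0001 + source_id(provider_id) + handle)
    query = urlencode({"TARGET": target, "SAMLart": artifact.decode("ascii")})
    return acs_url + "?" + query

def parse_artifact(samlart):
    """SP side: return (issuer, resolver_url, handle) or raise ValueError."""
    raw = base64.b64decode(samlart, validate=True)  # binascii.Error is a ValueError
    if len(raw) != ARTIFACT_LEN or raw[:2] != TYPE_0001:
        raise ValueError("not a type 0x0001 artifact")
    issuer = SOURCE_ID_INDEX.get(raw[2:22])
    if issuer is None:
        # Never dereference an artifact at an endpoint the SP does not already trust.
        raise ValueError("SourceID does not match a trusted IdP")
    return issuer, TRUSTED_IDPS[issuer], raw[22:]

def handle_acs_get(url):
    """SP side: parse the GET that the redirect produces at the AssertionConsumerService."""
    qs = parse_qs(urlsplit(url).query)
    if "SAMLart" not in qs:
        raise ValueError("no SAMLart parameter")
    return qs.get("TARGET", [None])[0], [parse_artifact(a) for a in qs["SAMLart"]]

if __name__ == "__main__":
    url = build_redirect("https://sp.example.org/acs", "https://idp.example.org/shibboleth",
                         bytes(range(20)), "https://sp.example.org/secure/")
    print(handle_acs_get(url))
```

The resolver URL comes from the SP's own trust configuration, keyed by SourceID, and never from anything carried in the browser request.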

Because the communication with the artifact resolution service occurs over a protected channel, there are no privacy issues associated with including attributes with the assertion (so-called AttributePush). In ShibOnedotThree, AttributePush is enabled by default when the BrowserArtifact profile is in use.

Compare BrowserPOST.