ArtifactResolutionService

Advanced Configuration

This is an advanced configuration feature. Most deployments can rely on the <SSO> and <Logout> shorthand elements.

The <md:ArtifactResolutionService> element is used to configure handlers that are responsible for resolving SAML 2.0 artifacts into protocol messages.

The HTTP-Artifact binding in SAML 2.0 allows messages sent by the SP to an IdP to be carried by reference using a simple redirect, instead of by value. The downside is that an extra callback is required to turn the artifact back into the original message, typically using SOAP.

Protocols

As a multi-protocol system, the SP itself is oblivious to specific management protocols; each handler provides the implementation of a particular protocol.

SAML2

An implementation exists only for the SAML2 protocol, this implements the dereferencing/resolution steps of the SAML 2.0 HTTP-Artifact binding.

The following Binding values are supported:

  • urn:oasis:names:tc:SAML:2.0:bindings:SOAP

Note that authentication of the request is controlled by the security policy rules in effect.

Common Attributes

The following may be specified for all protocols and bindings

Name

Type

Default

Description

Location relative pathrequired

The location of the service (when combined with the base handlerURL). This is the location to which an IdP sends requests to resolve artifacts.

Binding UTIrequired

Identifies the protocol binding supported by the service.

index unsigned integer

A "tag" that identifies the ACS endpoint so that it can be referenced by other configuration elements or applications. It is strongly suggested that the values correspond to the values included in the SP's metadata.