The consumeArtifact operation is used to support single sign-on across providers. This operation is usually performed by a user client as redirected by an identity provider during a call to the identity provider's produceArtifact operation. This operation has a direct correlation to the function of the Artifact Consumer Service within a SAML 2.0 deployment and may be implemented as a wrapper on top of an existing SAML 2.0 implementation. This operation is usually NOT implemented on identity providers.
The consumeArtifact operation requires a message that consists of a single ConsumeArtifactRequest element.
Examples
URL Encoded:
artifact=AAQAAJ263yLXp2FhgarlR41IfimKlRZl4ifX8VR07KVbBfQI2BOVGrDoJ1Wo43D
XML:
<ConsumeArtifactRequest>
<Artifact>AAQAAJ263yLXp2FhgarlR41IfimKlRZl4ifX8VR07KVbBfQI2BOVGrDoJ1Wo43D</Artifact>
</ConsumeArtifactRequest>
The ConsumeArtifactRequest element MAY contain an Artifact element, which is the artifact.
The specified artifact is resolved by a synchronous call by this service provider to the resolveArtifact operation of this provider's identity provider. The response from the resolveArtifact operation is used by the calling provider to establish a local security context within the current session. Once a local secuity context is established, a redirect fault may be returned to redirect the requester to its original resource URL that was requested before authentication was attempted.
If the Artifact element is not supplied, the artifact can not be resolved, or a local security context can not be established within the current session, then a redirect fault or an unauthorized fault may be returned depending upon the context. For instance, if the consumeArtifact operation was called as the result of a web page request, a redirect fault to a web page to prompt the user for more information may be required. If however, the consumeArtifact operation was called as a result of a web services request, then the unauthorized fault may be returned directly.
The consumeArtifact operation does not return any data.
The consumeArtifact operation may return a redirect fault to redirect the requester back to the original resource URL that was requested before automatic authorization was attempted, or to some other page or service entry point.
The consumeArtifact operation may return an unauthorized fault if this service provider is unable to authenticate the requester.
The consumeArtifact operation may return an operationFailed fault if the service was unable to otherwise fulfill the request.