The resolveArtifact operation is used to support single sign-on across providers. This operation is usually performed by a provider to obtain authentication information associated with an artifact created by an identity provider. This operation has a direct correlation to the function of the Artifact Resolution Service within a SAML 2.0 deployment and may be implemented as a wrapper on top of an existing SAML 2.0 implementation. This operation is usually implemented only on identity providers.
The resolveArtifact operation requires a message that consists of a single ResolveArtifactRequest element.
Examples
URL Encoded:
artifact=AAQAAJ263yLXp2FhgarlR41IfimKlRZl4ifX8VR07KVbBfQI2BOVGrDoJ1Wo43D
XML:
<ResolveArtifactRequest>
<Artifact>AAQAAJ263yLXp2FhgarlR41IfimKlRZl4ifX8VR07KVbBfQI2BOVGrDoJ1Wo43D</Artifact>
</ResolveArtifactRequest>
The ResolveArtifactRequest element MUST contain an Artifact element, which carries the artifact to be resolved.
The specified artifact is used to obtain authentication information, which is returned in the response. If this provider is unable to determine the security context from the artifact, an unauthorized fault is returned.
Examples
JSON:
{ "user":"http://www.zelestra.com/users/user01.xml",
"agent":"http://www.zelestra.com/agents/agent01.xml",
"virtualSpace":"http://www.zelestra.com/virtualspace.xml",
"session":"http://www.zelestra.com/sessions/session10292",
"target":"myTarget" }
XML:
<ResolveArtifactResponse>
<User>http://www.zelestra.com/users/user01.xml</User>
<Agent>http://www.zelestra.com/agents/agent01.xml</Agent>
<VirtualSpace>http://www.zelestra.com/virtualspace.xml</VirtualSpace>
<Session>http://www.zelestra.com/sessions/session10292</Session>
<Target>myTarget</Target>
</ResolveArtifactResponse>
The authentication information supplied in the response depends on the type of provider responding to the request. For instance, identity providers may only be able to supply the user URI. The requester must determine whether sufficient authentication information has been supplied to authorize a new security context for the current session local to the requesting provider.
The ResolveArtifactResponse element MAY contain a User element. This element is the user URI associated with the security context local to this provider.
The ResolveArtifactResponse element MAY contain an Agent element. This element is the agent URI associated with the security context local to this provider.
The ResolveArtifactResponse element MAY contain a VirtualSpace element. This element is the virtual space URI associated with the security context local to this provider.
The ResolveArtifactResponse element MAY contain a Session element. This element is the session URI associated with the security context local to this provider.
The ResolveArtifactResponse element MAY contain a Target element. This element is the target value passed into the produceArtifact operation.
The ResolveArtifactResponse element MAY contain additional namespace-qualified elements per prior agreement between the requesting and responding providers.
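Because every element of the response is optional, the requesting provider has to apply its own policy before it creates a local security context. The following is an added example, not part of the original specification, of one way a requester could do that. The function names, the required-element policy, the rejection of DTDs and duplicate elements, and the http/https restriction on URI values are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Elements the specification lists as optional (MAY) in the response.
KNOWN = ("User", "Agent", "VirtualSpace", "Session", "Target")
URI_FIELDS = ("User", "Agent", "VirtualSpace", "Session")

# Constructed sample: an identity provider that can supply only the user URI.
USER_ONLY = """<ResolveArtifactResponse>
<User>http://www.zelestra.com/users/user01.xml</User>
</ResolveArtifactResponse>"""


def parse_response(xml_text):
    """Return {element: text} for a ResolveArtifactResponse, or raise ValueError."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTDs are not accepted")  # assumption: no entity declarations
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError("malformed XML") from exc
    if root.tag != "ResolveArtifactResponse":
        raise ValueError("unexpected root element: %s" % root.tag)
    fields = {}
    for child in root:
        if child.tag not in KNOWN:
            continue  # namespace-qualified extensions are ignored by this example
        if child.tag in fields:
            raise ValueError("duplicate element: %s" % child.tag)  # ambiguous identity
        fields[child.tag] = (child.text or "").strip()
    return fields


def is_sufficient(fields, required):
    """Local policy: every required element is present and URI values are well formed."""
    for name in required:
        value = fields.get(name, "")
        if not value:
            return False
        if name in URI_FIELDS:
            parts = urlparse(value)
            if parts.scheme not in ("http", "https") or not parts.netloc:
                return False  # assumption: only absolute http(s) URIs are accepted
    return True


if __name__ == "__main__":
    fields = parse_response(USER_ONLY)
    print(is_sufficient(fields, ("User",)))            # policy needing only the user
    print(is_sufficient(fields, ("User", "Session")))  # policy also needing a session
```

A requester whose policy requires a session URI would refuse to create a local security context from the user-only response above, even though the response itself is valid.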
The resolveArtifact operation may return a badRequest fault if no artifact parameter is provided.
The resolveArtifact operation may return an unauthorized fault if this provider is unable to determine a security context from the specified artifact.
The resolveArtifact operation may return an operationFailed fault if the service was unable to otherwise fulfill the request.