Access the Artifact Resolution Service with a Client Certificate (optional)

This procedure is only for single sign-on with the artifact binding.

You can use client certificate authentication to secure the back-channel across which the Identity Provider sends the assertion to the Service Provider when using the HTTP-artifact binding.

Note: Certificate authentication for the back-channel is optional; you can use Basic authentication instead.

The Assertion Consumer Service invokes the SAML 2.0 authentication scheme with artifact binding. This service collects information from the scheme to retrieve the SAML assertion from the Identity Provider. You are required to specify an authentication method for the realm that contains the Artifact Resolution Service at the Identity Provider. This setting tells the Assertion Consumer Service what type of credentials to provide to retrieve the assertion.

If the Artifact Resolution Service is part of a realm configured for client certificate authentication, you need to complete configuration tasks at both the Service Provider and the Identity Provider.
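
The back-channel call described above, sketched in Python as an added example (not CA's code or part of the product): the Service Provider wraps the artifact in a SOAP ArtifactResolve message and attaches whichever credential type the Identity Provider realm requires. The function names, URLs, entity ID, and credential parameters are assumptions made for illustration.

```python
import base64
import ssl
import urllib.request
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for _p, _u in (("soap", SOAP), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(_p, _u)


def build_artifact_resolve(artifact, sp_entity_id):
    """Return the SOAP-wrapped ArtifactResolve the SP posts on the back channel."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    req = ET.SubElement(body, f"{{{SAMLP}}}ArtifactResolve", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}Artifact").text = artifact
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def back_channel_request(ars_url, soap_bytes, auth, **cred):
    """Prepare the request and TLS context for the realm's authentication method."""
    if not ars_url.lower().startswith("https://"):
        raise ValueError("back channel must use HTTPS")
    req = urllib.request.Request(ars_url, data=soap_bytes, method="POST", headers={
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": "http://www.oasis-open.org/committees/security",
    })
    ctx = ssl.create_default_context()  # always verify the IdP server certificate
    if auth == "client_cert":
        # The SP authenticates in the TLS handshake; no Authorization header is sent.
        ctx.load_cert_chain(cred["certfile"], cred["keyfile"])
    elif auth == "basic":
        token = base64.b64encode(f"{cred['user']}:{cred['password']}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    else:
        raise ValueError(f"unsupported back-channel auth: {auth}")
    return req, ctx
```

Passing the returned pair to `urllib.request.urlopen(req, context=ctx)` sends the request; with `client_cert`, the certificate and key files are the ones the Service Provider presents to the Identity Provider realm.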


Copyright © 2010 CA. All rights reserved.