Sourav Purakayastha

Reputation: 775

Is SAML artifact binding initiated by IdP or SP?

I am exploring different binding types of SAML Authentication. Here are my understandings:

But the query is, in case of IdP-initiated Artifact binding, how does the IdP know the following:

Upvotes: 1

Views: 773

Answers (1)

Stefan Rasmusson

Reputation: 5595

I think there is a misunderstanding of how the artifact binding works. When used to transport an Assertion from IDP to SP, the Artifact binding works like this.

  1. The IDP sends the SP an Artifact, typically over the browser.
  2. The SP sends the Artifact to the IDP, typically over a back channel, e.g. SOAP.
  3. The IDP responds with an ArtifactResponse containing the Assertion.

In a greater perspective, when doing an authentication the flow is like this:

  1. The user tries to access a site managed by a SP
  2. The SP intercepts the user and sees that it has not been authenticated.
  3. The user is sent to the IDP for authentication.
  4. The user is authenticated and an Assertion is created.
  5. The user is sent back to the SP together with the Assertion. If artifact binding is used, the user is sent back with the artifact.
  6. The SP exchanges the artifact for the Assertion over a back channel.

Upvotes: 1
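
The three-step exchange from the answer above, as an added example that is not part of the original answer or of any SAML library. It uses the SAML 2.0 type 0x0004 artifact layout (TypeCode, EndpointIndex, SourceID = SHA-1 of the issuer's entityID, 20-byte MessageHandle), which is how the SP learns which IDP to call. The `IdP` class, `sp_resolve`, and the in-process call standing in for the SOAP back channel are assumptions made for illustration.

```python
import base64, hashlib, os, struct

TYPE_CODE = 0x0004  # SAML 2.0 artifact type from the Bindings specification

def source_id(entity_id: str) -> bytes:
    # SourceID is the 20-byte SHA-1 hash of the issuer's entityID
    return hashlib.sha1(entity_id.encode()).digest()

class IdP:
    """Hypothetical stand-in for the IDP side of steps 1 and 3."""
    def __init__(self, entity_id: str):
        self.entity_id = entity_id
        self._pending = {}  # MessageHandle -> assertion awaiting pickup

    def issue_artifact(self, assertion: str, endpoint_index: int = 0) -> str:
        handle = os.urandom(20)  # unguessable reference, carries no user data
        self._pending[handle] = assertion
        raw = (struct.pack(">HH", TYPE_CODE, endpoint_index)
               + source_id(self.entity_id) + handle)
        return base64.b64encode(raw).decode()  # this travels via the browser

    def resolve(self, artifact: str):
        # Back-channel resolution: release the assertion once, then forget it
        handle = base64.b64decode(artifact)[24:]
        return self._pending.pop(handle, None)

def parse_artifact(artifact: str):
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44:
        raise ValueError("type 0x0004 artifact must be 44 bytes")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != TYPE_CODE:
        raise ValueError("unsupported artifact type")
    return endpoint_index, raw[4:24], raw[24:]

def sp_resolve(artifact: str, trusted_idps: dict):
    """SP side of step 2: pick the IDP by SourceID, then resolve."""
    _, sid, _ = parse_artifact(artifact)
    idp = trusted_idps.get(sid)  # only IDPs known from metadata are contacted
    if idp is None:
        raise LookupError("artifact issued by unknown IDP")
    return idp.resolve(artifact)  # in practice an ArtifactResolve over SOAP
```

A second resolution of the same artifact returns nothing, so an artifact captured from the browser after the SP has redeemed it is useless.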
