What is the purpose of a SAML Artifact?

Question

I\'ve seen a bunch of flow chart on how it is passed around between Identity Provider (IdP), Service Provider (SP), and Browser via Redirects. However it seems unnecessary

Answer 1

Expanding on Scott T's answer, the SAML Artifact Profile was designed to improve security. To prevent a user from modifying it's SAML Assertion mid-traffic (such as changing Username, roles, etc), SAML 2.0 suggests that developers sign assertions via XML signatures. XML Signatures though are extremely vulnerable to XML wrapping attacks because of issues in every languages existing XML parsers. Visit https://www.usenix.org/conference/usenixsecurity12/breaking-saml-be-whoever-you-want-be to see XML wrapping attacks in action against SAML Assertions.

The SAML Artifact Profile solves this issue by creating a one-time use "artifact" that is passed to the Service Provider by the user (via redirect or post) rather then the SAML Assertion. When the Service Provider receives the one-time use artifact, it sends a SAML Artifact Resolve Request (containing the artifact) to the Identity Provider's Artifact Resolution Service (ARS). The ARS then responses with a SAML Artifact Response (containing the user's SAML Assertion) thereby preventing the SAML Assertion from ever being modified by the user as it is directly received by the Service Provider over a back channel.