The Use of SOAP
In the example flow above, all depicted exchanges are front-channel exchanges, that is, an HTTP user agent (browser) communicates with a SAML entity at each step. In particular, there are no back-channel exchanges or direct communications between the service provider and the identity provider. Front-channel exchanges lead to simple protocol flows where all messages are passed by value using a simple HTTP binding (GET or POST). Indeed, the flow outlined in the previous section is sometimes called the Lightweight Web Browser SSO Profile.
Alternatively, for increased security or privacy, messages may be passed by reference. For example, an identity provider may supply a reference to a SAML assertion (called an artifact) instead of transmitting the assertion directly through the user agent. Subsequently, the service provider requests the actual assertion via a back channel. Such a back-channel exchange is specified as a SOAP message exchange (SAML over SOAP over HTTP). In general, any SAML exchange over a secure back channel is conducted as a SOAP message exchange.
On the back channel, SAML specifies the use of SOAP 1.1. The use of SOAP as a binding mechanism is optional, however. Any given SAML deployment will choose whatever bindings are appropriate.
Read more about this topic: Security Assertion Markup Language
Famous quotes containing the word soap:
“Television ... helps blur the distinction between framed and unframed reality. Whereas going to the movies necessarily entails leaving one’s ordinary surroundings, soap operas are in fact spatially inseparable from the rest of one’s life. In homes where television is on most of the time, they are also temporally integrated into one’s “real” life and, unlike the experience of going out in the evening to see a show, may not even interrupt its regular flow.”
—Eviatar Zerubavel, U.S. sociologist, educator. The Fine Line: Making Distinctions in Everyday Life, ch. 5, University of Chicago Press (1991)