Security Assertion Markup Language - The Use of SOAP

The Use of SOAP

In the example flow above, all depicted exchanges are front-channel exchanges, that is, an HTTP user agent (browser) communicates with a SAML entity at each step. In particular, there are no back-channel exchanges or direct communications between the service provider and the identity provider. Front-channel exchanges lead to simple protocol flows where all messages are passed by value using a simple HTTP binding (GET or POST). Indeed, the flow outlined in the previous section is sometimes called the Lightweight Web Browser SSO Profile.

Alternatively, for increased security or privacy, messages may be passed by reference. For example, an identity provider may supply a reference to a SAML assertion (called an artifact) instead of transmitting the assertion directly through the user agent. Subsequently, the service provider requests the actual assertion via a back channel. Such a back-channel exchange is specified as a SOAP message exchange (SAML over SOAP over HTTP). In general, any SAML exchange over a secure back channel is conducted as a SOAP message exchange.

On the back channel, SAML specifies the use of SOAP 1.1. The use of SOAP as a binding mechanism is optional, however. Any given SAML deployment will choose whatever bindings are appropriate.
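The by-reference flow described above, seen from the service provider's side, as an added example that is not part of the original article. It goes beyond the text by using the SAML 2.0 type 0x0004 artifact layout (2-byte type code, 2-byte endpoint index, 20-byte SourceID, 20-byte message handle); the entityIDs, request ID and sample artifact are constructed assumptions.

```python
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed metadata: entityIDs of the identity providers this SP trusts.
TRUSTED_IDPS = ["https://idp.example.org/saml"]
# Constructed sample artifact, as it would arrive through the user agent.
SAMPLE_ARTIFACT = base64.b64encode(
    struct.pack(">HH", 4, 0) + hashlib.sha1(TRUSTED_IDPS[0].encode()).digest()
    + bytes(range(20))).decode()


def parse_artifact(b64_artifact):
    """Decode a SAML 2.0 type 0x0004 artifact into its fixed-width fields."""
    raw = base64.b64decode(b64_artifact, validate=True)
    if len(raw) != 44:
        raise ValueError("type 0x0004 artifact must be 44 bytes")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != 0x0004:
        raise ValueError("unsupported artifact type")
    return {"endpoint_index": endpoint_index,
            "source_id": raw[4:24], "message_handle": raw[24:44]}


def issuer_for(source_id):
    """Map SourceID (SHA-1 of the issuer's entityID) to a trusted IdP."""
    for entity_id in TRUSTED_IDPS:
        if hashlib.sha1(entity_id.encode()).digest() == source_id:
            return entity_id
    raise LookupError("artifact was not issued by a trusted IdP")


def build_artifact_resolve(b64_artifact, sp_entity_id, request_id, instant):
    """Wrap an ArtifactResolve request in a SOAP 1.1 envelope."""
    envelope = ET.Element(f"{{{SOAP11_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP11_NS}}}Body")
    resolve = ET.SubElement(body, f"{{{SAMLP_NS}}}ArtifactResolve",
                            ID=request_id, Version="2.0", IssueInstant=instant)
    ET.SubElement(resolve, f"{{{SAML_NS}}}Issuer").text = sp_entity_id
    ET.SubElement(resolve, f"{{{SAMLP_NS}}}Artifact").text = b64_artifact
    return ET.tostring(envelope, encoding="unicode")
```

Resolving the SourceID against trusted metadata before building the request keeps the service provider from sending a back-channel call to an endpoint chosen by whoever supplied the artifact.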
