Federated identity standards such as SAML (Security Assertion Markup Language), Liberty Alliance ID-FF, and the WS-Federation Passive Requestor Profile define bindings that use some form of "artifact": a short reference to an actual protocol message instance, carrying just enough information for the receiving party to retrieve the message needed to complete a federated action such as a login request or a login response. In a typical sequence of actions, the party initiating the action generates an artifact referring to the message instance and redirects the user's browser to the receiving party with the artifact in tow. The receiving party then uses a "backchannel" (direct server-to-server) communication with the initiating party to obtain the actual message on which the federated action is based. The initiating party and the receiving party may communicate through multiple intermediaries, incurring a penalty in efficiency because the browser must be redirected through each intermediary in turn.
To establish trust between federation nodes, including end-points and intermediaries, a considerable amount of information is exchanged, including certificate information (the keys used to sign and encrypt messages) and the URLs at which the various federation services of the particular node are available. This information is contained in a document known as metadata. Any time a federation node has to be relocated to a different network address, the metadata must be updated and propagated to every node that trusts the relocated node, incurring substantial overhead.
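The artifact exchange and the metadata-derived trust table described in the two paragraphs above, as an added Python example that is not part of this document or of any of the named specifications' own code. It builds a SAML 2.0 type-0x0004 artifact (2-byte type code, 2-byte endpoint index, 20-byte SourceID that is the SHA-1 of the issuer's entityID, 20-byte random message handle), keeps the real message at the issuer, and has the receiving party parse the artifact, look up the issuer's ArtifactResolutionService URL in a trust table built from a metadata document, and resolve the message over the backchannel. The entityIDs, URLs and the metadata document are constructed for illustration, and the backchannel is an in-process function standing in for the SOAP ArtifactResolve call; the one-time-use check on resolution is the caveat a practitioner would expect, since an artifact that can be resolved twice can be replayed.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed metadata for a hypothetical identity provider (not a real deployment):
# the entityID plus the ArtifactResolutionService endpoints used on the backchannel.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org/saml/artifact" index="0"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp-backup.example.org/saml/artifact" index="1"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def source_id(entity_id):
    # SAML 2.0 SourceID: SHA-1 of the issuer's entityID (20 bytes).
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

def load_metadata(xml_text):
    # Trust table a receiving party derives from metadata: SourceID -> (entityID, {index: URL}).
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    endpoints = {int(a.get("index")): a.get("Location")
                 for a in root.iter("{%s}ArtifactResolutionService" % MD_NS)}
    return {source_id(entity_id): (entity_id, endpoints)}

class ArtifactIssuer:
    """Initiating party: keeps the real message and hands the browser only a reference."""
    TYPE_CODE = b"\x00\x04"  # SAML 2.0 artifact type 0x0004

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self._pending = {}  # message handle -> protocol message awaiting resolution

    def issue(self, message, endpoint_index=0):
        handle = os.urandom(20)  # unguessable 20-byte message handle
        self._pending[handle] = message
        raw = (self.TYPE_CODE + endpoint_index.to_bytes(2, "big")
               + source_id(self.entity_id) + handle)
        return base64.b64encode(raw).decode("ascii")  # value carried in the browser redirect

    def resolve(self, handle):
        # Backchannel ArtifactResolve. One-time use: a replayed artifact gets None.
        return self._pending.pop(handle, None)

def parse_artifact(artifact_b64):
    # Split a type-0x0004 artifact into (endpoint index, SourceID, message handle).
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 44 or raw[:2] != ArtifactIssuer.TYPE_CODE:
        raise ValueError("unsupported artifact type or length")
    return int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44]

class ArtifactReceiver:
    """Receiving party: maps the artifact to a trusted issuer and fetches the message."""

    def __init__(self, trust_table, backchannel):
        self.trust = trust_table
        self.backchannel = backchannel  # callable(url, handle) -> message or None

    def receive(self, artifact_b64):
        index, sid, handle = parse_artifact(artifact_b64)
        if sid not in self.trust:
            raise ValueError("artifact from an unknown SourceID; no trust established")
        entity_id, endpoints = self.trust[sid]
        if index not in endpoints:
            raise ValueError("issuer metadata has no ArtifactResolutionService index %d" % index)
        message = self.backchannel(endpoints[index], handle)
        if message is None:
            raise ValueError("artifact could not be resolved (replayed or never issued)")
        return entity_id, endpoints[index], message

def build_parties():
    # Wire one issuer and one receiver together; an in-process function stands in for SOAP.
    idp = ArtifactIssuer("https://idp.example.org/saml")
    nodes = {"https://idp.example.org/saml/artifact": idp}

    def backchannel(url, handle):
        return nodes[url].resolve(handle)

    return idp, ArtifactReceiver(load_metadata(IDP_METADATA), backchannel)

def run_exchange(message="samlp:Response (constructed placeholder for the real message)"):
    # Login response by artifact: first resolution succeeds, a replay of the same artifact fails.
    idp, sp = build_parties()
    artifact = idp.issue(message)  # the browser is redirected to the SP carrying this value
    result = sp.receive(artifact)  # the SP resolves it over the backchannel
    try:
        sp.receive(artifact)
        replayed = True
    except ValueError:
        replayed = False
    return result, replayed
```

`run_exchange()` returns the resolved (entityID, backchannel URL, message) triple and a flag showing that the second resolution of the same artifact was refused. Note what the receiving party has to know before it can resolve anything: the SourceID-to-URL mapping comes entirely from the metadata table, which is exactly why relocating the issuer's resolution endpoint means republishing metadata to every relying node.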
Federation protocols support POST, Redirect, and Artifact bindings for conveying a message from one federation node to another. The bindings are described in the protocol specification documents for SAML 2.0 and WS-Federation, and they call for the user's browser to be redirected to each node that is directly trusted by the originating node.