Feels sort of like SAML's PAOS (SOAP backwards) binding, in which
- The client requests a service using an HTTP request.
- The service provider responds with a SAML authentication request. This is sent using a SOAP request, carried in the HTTP response.
- The client returns a SOAP response carrying a SAML authentication response. This is sent using a new HTTP request