Authenticate SAML | Elasticsearch API documentation

Authenticate SAML Added in 7.5.0

POST /_security/saml/authenticate

Submit a SAML response message to Elasticsearch for consumption.

NOTE: This API is intended for use by custom web applications other than Kibana. If you are using Kibana, refer to the documentation for configuring SAML single-sign-on on the Elastic Stack.

The SAML message that is submitted can be:

A response to a SAML authentication request that was previously created using the SAML prepare authentication API.
An unsolicited SAML message in the case of an IdP-initiated single sign-on (SSO) flow.

In either case, the SAML message needs to be a base64 encoded XML document with a root element of <Response>.

After successful validation, Elasticsearch responds with an Elasticsearch internal access token and refresh token that can be subsequently used for authentication. This API endpoint essentially exchanges SAML responses that indicate successful authentication in the IdP for Elasticsearch access and refresh tokens, which can be used for authentication against Elasticsearch.

External documentation

application/json

Body Required

content string Required

The SAML response as it was sent by the user's browser, usually a Base64 encoded XML document.
ids string | array[string] Required

One of:
_types:Id string _types:Ids array[string]
realm string

The name of the realm that should authenticate the SAML response. Useful in cases where many SAML realms are defined.

Responses

200 application/json
Hide response attributes Show response attributes object
- access_token string Required
  
  The access token that was generated by Elasticsearch.
- username string Required
  
  The authenticated user's name.
- expires_in number Required
  
  The amount of time (in seconds) left until the token expires.
- refresh_token string Required
  
  The refresh token that was generated by Elasticsearch.
- realm string Required
  
  The name of the realm where the user was authenticated.

POST /_security/saml/authenticate

curl \
 --request POST http://api.example.com/_security/saml/authenticate \
 --header "Content-Type: application/json" \
 --data '{"content":"string","":"string","realm":"string"}'

Request examples

{
  "content": "string",
  "": "string",
  "realm": "string"
}

Response examples (200)

{
  "access_token": "string",
  "username": "string",
  "expires_in": 42.0,
  "refresh_token": "string",
  "realm": "string"
}

Authenticate SAML Added in 7.5.0

Body Required

ids string | array[string] Required

Responses