SAML logout API

Submits a request to invalidate an access token and refresh token.

This API is intended for use by custom web applications other than Kibana. If you are using Kibana, see the Configuring SAML single-sign-on on the Elastic Stack.

Request

POST /_security/saml/logout

Description

This API invalidates the tokens that were generated for a user by the SAML authenticate API.

If the SAML realm in Elasticsearch is configured accordingly and the SAML IdP supports this, the Elasticsearch response contains a URL to redirect the user to the IdP that contains a SAML logout request (starting an SP-initiated SAML Single Logout).

Elasticsearch exposes all the necessary SAML related functionality via the SAML APIs. These APIs are used internally by Kibana in order to provide SAML based authentication, but can also be used by other custom web applications or other clients. See also SAML authenticate API, SAML prepare authentication API, and SAML invalidate API.

Request body

token
(Required, string) The access token that was returned as a response to calling the SAML authenticate API. Alternatively, the most recent token that was received after refreshing the original one by using a refresh_token.
refresh_token
(Optional, string) The refresh token that was returned as a response to calling the SAML authenticate API. Alternatively, the most recent refresh token that was received after refreshing the original access token.

Response body

redirect
(string) A URL that contains a SAML logout request as a parameter. The user can use this URL to be redirected back to the SAML IdP and to initiate Single Logout.

Examples

The following example invalidates the pair of tokens that were generated by calling the SAML authenticate API with a successful SAML response:

POST /_security/saml/logout
{
  "token" : "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3",
  "refresh_token" : "mJdXLtmvTUSpoLwMvdBt_w"
}

The API returns the following response:

{
  "redirect" : "https://my-idp.org/logout/SAMLRequest=...."
}