Authenticate SAML (Added in 7.5.0)

POST /_security/saml/authenticate

Submit a SAML response message to Elasticsearch for consumption.

NOTE: This API is intended for use by custom web applications other than Kibana. If you are using Kibana, refer to the documentation for configuring SAML single-sign-on on the Elastic Stack.

The SAML message that is submitted can be:

  • A response to a SAML authentication request that was previously created using the SAML prepare authentication API.
  • An unsolicited SAML message in the case of an IdP-initiated single sign-on (SSO) flow.

In either case, the SAML message needs to be a base64-encoded XML document whose root element is <Response> (in the urn:oasis:names:tc:SAML:2.0:protocol namespace, usually written samlp:Response).

After successful validation, Elasticsearch responds with an Elasticsearch internal access token and refresh token that can subsequently be used for authentication. In effect, this API exchanges a SAML response that indicates successful authentication at the IdP for Elasticsearch access and refresh tokens, which are then used to authenticate against Elasticsearch. Validation is done by the SAML realm: it verifies the IdP's signature and the assertion's conditions, and, for a response to a request created with the SAML prepare authentication API, checks that the response's InResponseTo matches one of the request IDs the caller supplies in `ids`. A response that fails any of these checks is rejected and no tokens are issued, so the web application itself never has to parse or verify the SAML XML.
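The exchange described above, as an added example (not Elasticsearch code): a minimal assertion-consumer handler for a custom web application that takes the SAMLResponse form field posted by the browser, performs a cheap shape check, and hands it to POST /_security/saml/authenticate together with the request IDs stored from the prepare step. The HTTP transport is injected so the block runs offline against a constructed stand-in for Elasticsearch; `fake_elasticsearch`, `constructed_saml_response`, the `saml.user` username and the `post(url, body)` transport signature are assumptions for this example, while the token and realm values are the ones from the page's response example.

```python
"""Added example (not Elasticsearch code): an ACS handler for a custom web app
that hands the browser-posted SAMLResponse to POST /_security/saml/authenticate.
The HTTP transport is injected so the block runs offline against a constructed
stand-in for Elasticsearch."""
import base64
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
AUTH_PATH = "/_security/saml/authenticate"
# Hypothetical transport signature: post(url, json_body) -> (status_code, parsed_json)
Transport = Callable[[str, dict], tuple]


@dataclass
class EsTokens:
    access_token: str
    refresh_token: str
    username: str
    realm: str
    expires_at: float  # absolute epoch seconds computed from expires_in


def looks_like_saml_response(content: str) -> bool:
    """Cheap shape check before forwarding: the value must be base64 that decodes
    to XML whose root is <samlp:Response>. This is not validation; the signature,
    Conditions and InResponseTo are verified by Elasticsearch."""
    try:
        root = ET.fromstring(base64.b64decode(content, validate=True))
    except (ValueError, ET.ParseError):
        return False
    return root.tag == f"{{{SAMLP_NS}}}Response"


def build_authenticate_body(saml_response_b64: str, pending_ids: list,
                            realm: Optional[str] = None) -> dict:
    """Body for /_security/saml/authenticate. `ids` are the request IDs the app
    stored when it called the prepare API; an empty list is used for an
    IdP-initiated (unsolicited) response."""
    body = {"content": saml_response_b64, "ids": list(pending_ids)}
    if realm:  # only needed when several SAML realms are configured
        body["realm"] = realm
    return body


def exchange_saml_response(post: Transport, es_url: str, saml_response_b64: str,
                           pending_ids: list, realm: Optional[str] = None,
                           now: Callable[[], float] = time.time) -> EsTokens:
    """Exchange the SAMLResponse for Elasticsearch tokens; raises on rejection."""
    if not looks_like_saml_response(saml_response_b64):
        raise ValueError("SAMLResponse is not a base64-encoded <samlp:Response>")
    status, payload = post(es_url + AUTH_PATH,
                           build_authenticate_body(saml_response_b64, pending_ids, realm))
    if status != 200:
        raise PermissionError(f"Elasticsearch rejected the SAML response: {status} {payload}")
    return EsTokens(access_token=payload["access_token"],
                    refresh_token=payload["refresh_token"],
                    username=payload["username"], realm=payload["realm"],
                    expires_at=now() + float(payload["expires_in"]))


def bearer_header(tokens: EsTokens) -> dict:
    """Header for subsequent Elasticsearch requests made on the user's behalf."""
    return {"Authorization": f"Bearer {tokens.access_token}"}


# ---- constructed test fixtures (not real IdP or Elasticsearch traffic) ----

def constructed_saml_response(in_response_to: Optional[str] = None) -> str:
    """Unsigned, minimal <samlp:Response>, base64 encoded as a browser would post it."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_resp1" Version="2.0"{attr}>'
           '<samlp:Status><samlp:StatusCode '
           'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
           '</samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def fake_elasticsearch(url: str, body: dict) -> tuple:
    """Stand-in transport that models only the InResponseTo-to-ids binding.
    Real Elasticsearch also verifies the IdP signature, Conditions and Audience."""
    assert url.endswith(AUTH_PATH)
    in_response_to = ET.fromstring(base64.b64decode(body["content"])).get("InResponseTo")
    bound = in_response_to in body["ids"] if in_response_to else not body["ids"]
    if not bound:
        return 401, {"error": {"type": "security_exception",
                               "reason": "SAML response not bound to a pending request"}}
    return 200, {"access_token": "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3",
                 "username": "saml.user", "expires_in": 1200,
                 "refresh_token": "mJdXLtmvTUSpoLwMvdBt_w", "realm": "saml1"}


if __name__ == "__main__":
    pending = ["4fee3b046395c4e751011e97f8900b5273d56685"]  # stored from the prepare step
    toks = exchange_saml_response(fake_elasticsearch, "http://localhost:9200",
                                  constructed_saml_response(pending[0]), pending)
    print(toks.username, toks.realm, bearer_header(toks))
```

Two design points worth keeping in a real handler: remove a request ID from the user's session as soon as the exchange for it succeeds, so the same SAML response cannot be replayed through your application, and keep the refresh token server-side rather than handing it to the browser, since it lets the holder mint new access tokens long after `expires_in` has elapsed.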

Body Required (application/json)

  • content string Required

    The SAML response as it was sent by the user's browser, usually a Base64 encoded XML document.

  • ids array of strings

    The SAML request IDs (as returned by the SAML prepare authentication API) that the caller currently holds for this user. The response's InResponseTo must match one of them; pass an empty array for an IdP-initiated flow. The request example below shows this field.

  • realm string

    The name of the realm that should authenticate the SAML response. Useful when more than one SAML realm is defined.

Responses

  • 200 application/json
    • access_token string Required

      The access token that was generated by Elasticsearch.

    • username string Required

      The authenticated user's name.

    • expires_in number Required

      The amount of time (in seconds) left until the token expires.

    • refresh_token string Required

      The refresh token that was generated by Elasticsearch.

    • realm string Required

      The name of the realm where the user was authenticated.

POST /_security/saml/authenticate
curl \
 --request POST 'http://api.example.com/_security/saml/authenticate' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{
  "content" : "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMD.....",
  "ids" : ["4fee3b046395c4e751011e97f8900b5273d56685"]
}'
Request example
Run `POST /_security/saml/authenticate` to exchange a SAML Response indicating a successful authentication at the SAML IdP for an Elasticsearch access token and refresh token to be used in subsequent requests.
{
  "content" : "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMD.....",
  "ids" : ["4fee3b046395c4e751011e97f8900b5273d56685"]
}
Response examples (200)
A successful response from `POST /_security/saml/authenticate`.
{
  "access_token" : "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3",
  "username" : "Bearer",
  "expires_in" : 1200,
  "refresh_token": "mJdXLtmvTUSpoLwMvdBt_w",
  "realm": "saml1"
}