github-mirrors/elasticsearch
1
0
Fork 0
mirror of https://github.com/elastic/elasticsearch.git synced 2025-04-25 23:57:20 -04:00
Code Issues Projects Releases Packages Wiki Activity
elasticsearch/docs/reference/rest-api/security/saml-invalidate-api.asciidoc
James Rodewig 255c9a7f95
[DOCS] Move x-pack docs to docs/reference dir (#99209) 
**Problem:**
For historical reasons, source files for the Elasticsearch Guide's security, watcher, and Logstash API docs are housed in the `x-pack/docs` directory. This can confuse new contributors who expect Elasticsearch Guide docs to be located in `docs/reference`. 

**Solution:**
- Move the security, watcher, and Logstash API doc source files to the `docs/reference` directory
- Update doc snippet tests to use security

Rel: https://github.com/elastic/platform-docs-team/issues/208
2023-09-12 14:53:41 -04:00

99 lines
4.3 KiB
Text
Raw Blame History

[role="xpack"]
[[security-api-saml-invalidate]]
=== SAML invalidate API
++++
<titleabbrev>SAML invalidate</titleabbrev>
++++
Submits a SAML LogoutRequest message to {es} for consumption.
NOTE: This API is intended for use by custom web applications other than {kib}.
If you are using {kib}, see the <<saml-guide-stack>>.
[[security-api-saml-invalidate-request]]
==== {api-request-title}
`POST /_security/saml/invalidate`
[[security-api-saml-invalidate-desc]]
==== {api-description-title}
The logout request comes from the SAML IdP during an IdP initiated Single Logout.
The custom web application can use this API to have {es} process the `LogoutRequest`.
After successful validation of the request, {es} invalidates the access token
and refresh token that corresponds to that specific SAML principal and provides
a URL that contains a SAML LogoutResponse message, so that the user can be
redirected back to their IdP.
{es} exposes all the necessary SAML related functionality via the SAML APIs.
These APIs are used internally by {kib} in order to provide SAML based
authentication, but can also be used by other custom web applications or other
clients. See also <<security-api-saml-authenticate,SAML authenticate API>>,
<<security-api-saml-prepare-authentication,SAML prepare authentication API>>,
<<security-api-saml-logout,SAML logout API>>, and
<<security-api-saml-complete-logout, SAML complete logout API>>.
[[security-api-saml-invalidate-request-body]]
==== {api-request-body-title}
`acs`::
(Optional, string) The Assertion Consumer Service URL that matches the one of the SAML
realm in {es} that should be used. You must specify either this parameter or the `realm` parameter.
`query_string`::
(Required, string) The query part of the URL that the user was redirected to by the SAML
IdP to initiate the Single Logout. This query should include a single
parameter named `SAMLRequest` that contains a SAML logout request that is
deflated and Base64 encoded. If the SAML IdP has signed the logout request,
the URL should include two extra parameters named `SigAlg` and `Signature`
that contain the algorithm used for the signature and the signature value itself.
In order for {es} to be able to verify the IdP's signature, the value of the query_string field must be an exact match to the string provided by the browser.
The client application must not attempt to parse or process the string in any way.
`queryString`::
deprecated:[7.14.0, "Use query_string instead"]
See `query_string`.
`realm`::
(Optional, string) The name of the SAML realm in {es} the configuration. You must specify
either this parameter or the `acs` parameter.
[[security-api-saml-invalidate-response-body]]
==== {api-response-body-title}
`invalidated`::
(integer) The number of tokens that were invalidated as part of this logout.
`realm`::
(string) The realm name of the SAML realm in {es} that authenticated the user.
`redirect`::
(string) A SAML logout response as a parameter so that the user can be
redirected back to the SAML IdP.
[[security-api-saml-invalidate-example]]
==== {api-examples-title}
The following example invalidates all the tokens for realm `saml1` pertaining to
the user that is identified in the SAML Logout Request:
[source,console]
--------------------------------------------------
POST /_security/saml/invalidate
{
"query_string" : "SAMLRequest=nZFda4MwFIb%2FiuS%2BmviRpqFaClKQdbvo2g12M2KMraCJ9cRR9utnW4Wyi13sMie873MeznJ1aWrnS3VQGR0j4mLkKC1NUeljjA77zYyhVbIE0dR%2By7fmaHq7U%2BdegXWGpAZ%2B%2F4pR32luBFTAtWgUcCv56%2Fp5y30X87Yz1khTIycdgpUW9kY7WdsC9zxoXTvMvWuVV98YyMnSGH2SYE5pwALBIr9QKiwDGpW0oGVUznGeMyJZKFkQ4jBf5HnhUymjIhzCAL3KNFihbYx8TBYzzGaY7EnIyZwHzCWMfiDnbRIftkSjJr%2BFu0e9v%2B0EgOquRiiZjKpiVFp6j50T4WXoyNJ%2FEWC9fdqc1t%2F1%2B2F3aUpjzhPiXpqMz1%2FHSn4A&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=MsAYz2NFdovMG2mXf6TSpu5vlQQyEJAg%2B4KCwBqJTmrb3yGXKUtIgvjqf88eCAK32v3eN8vupjPC8LglYmke1ZnjK0%2FKxzkvSjTVA7mMQe2AQdKbkyC038zzRq%2FYHcjFDE%2Bz0qISwSHZY2NyLePmwU7SexEXnIz37jKC6NMEhus%3D",
"realm" : "saml1"
}
--------------------------------------------------
// TEST[skip:handled in IT]
[source,js]
--------------------------------------------------
{
"redirect" : "https://my-idp.org/logout/SAMLResponse=....",
"invalidated" : 2,
"realm" : "saml1"
}
--------------------------------------------------
// NOTCONSOLE
Reference in a new issue View git blame Copy permalink