Add SAML IdP plugin for internal use (#54046)

This change merges the "feature-internal-idp" branch into Elasticsearch.

This introduces a small identity-provider plugin as a child of the x-pack module.
This allows ES to act as a SAML IdP, for users who are authenticated against the
Elasticsearch cluster.

This feature is intended for internal use within Elastic Cloud environments
and is not supported for any other use case. It falls under an enterprise license tier.

The IdP is disabled by default.

Co-authored-by: Ioannis Kakavas <ioannis@elastic.co>

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ClientHelper.java

@@ -53,6 +53,7 @@ public final class ClientHelper {
     public static final String ENRICH_ORIGIN = "enrich";
     public static final String TRANSFORM_ORIGIN = "transform";
     public static final String ASYNC_SEARCH_ORIGIN = "async_search";
+    public static final String IDP_ORIGIN = "idp";
 
     private ClientHelper() {}
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityContext.java

@@ -7,7 +7,9 @@ package org.elasticsearch.xpack.core.security;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.Version;
+import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.common.util.concurrent.ThreadContext.StoredContext;
@@ -41,13 +43,27 @@ public class SecurityContext {
         this.nodeName = Node.NODE_NAME_SETTING.get(settings);
     }
 
+    /**
+     * Returns the current user information, or throws {@link org.elasticsearch.ElasticsearchSecurityException}
+     * if the current request has no authentication information.
+     */
+    public User requireUser() {
+        User user = getUser();
+        if (user == null) {
+            throw new ElasticsearchSecurityException("there is no user available in the current context");
+        }
+        return user;
+    }
+
     /** Returns the current user information, or null if the current request has no authentication info. */
+    @Nullable
     public User getUser() {
         Authentication authentication = getAuthentication();
         return authentication == null ? null : authentication.getUser();
     }
 
     /** Returns the authentication information, or null if the current request has no authentication info. */
+    @Nullable
     public Authentication getAuthentication() {
         try {
             return authenticationSerializer.readFromContext(threadContext);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/support/SecondaryAuthentication.java

@@ -10,6 +10,7 @@ import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.xpack.core.security.SecurityContext;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.user.User;
 
 import java.io.IOException;
 import java.util.Objects;
@@ -55,6 +56,10 @@ public class SecondaryAuthentication {
         return authentication;
     }
 
+    public User getUser() {
+        return authentication.getUser();
+    }
+
     public <T> T execute(Function<ThreadContext.StoredContext, T> body) {
         return this.securityContext.executeWithAuthentication(this.authentication, body);
     }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/RestorableContextClassLoader.java → x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/RestorableContextClassLoader.java

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.xpack.security.support;
+package org.elasticsearch.xpack.core.security.support;
 
 import java.security.AccessController;
 import java.security.PrivilegedActionException;

x-pack/plugin/core/src/main/plugin-metadata/plugin-security.policy

@@ -2,6 +2,10 @@ grant {
   // bouncy castle
   permission java.security.SecurityPermission "putProviderProperty.BC";
 
+  // needed in (cf. o.e.x.c.s.s.RestorableContextClassLoader)
+  permission java.lang.RuntimePermission "getClassLoader";
+  permission java.lang.RuntimePermission "setContextClassLoader";
+
   // needed for x-pack security extension
   permission java.security.SecurityPermission "createPolicy.JavaPolicy";
   permission java.security.SecurityPermission "getPolicy";

x-pack/plugin/core/src/main/resources/org/elasticsearch/xpack/idp/saml-service-provider-template.json

@@ -0,0 +1,99 @@
+{
+  "index_patterns": [
+    "saml-service-provider-*"
+  ],
+  "aliases": {
+    "saml-service-provider": {}
+  },
+  "order": 100,
+  "settings": {
+    "number_of_shards": 1,
+    "number_of_replicas": 0,
+    "auto_expand_replicas": "0-1",
+    "index.priority": 10,
+    "index.refresh_interval": "1s",
+    "index.format": 1
+  },
+  "mappings": {
+    "_doc": {
+      "_meta": {
+        "idp-version": "${idp.template.version}"
+      },
+      "dynamic": "strict",
+      "properties": {
+        "name": {
+          "type": "text"
+        },
+        "entity_id": {
+          "type": "keyword"
+        },
+        "acs": {
+          "type": "keyword"
+        },
+        "enabled": {
+          "type": "boolean"
+        },
+        "created": {
+          "type": "date",
+          "format": "epoch_millis"
+        },
+        "last_modified": {
+          "type": "date",
+          "format": "epoch_millis"
+        },
+        "name_id_format": {
+          "type": "keyword"
+        },
+        "sign_messages": {
+          "type": "keyword"
+        },
+        "authn_expiry_ms": {
+          "type": "long"
+        },
+        "privileges": {
+          "type": "object",
+          "properties": {
+            "resource": {
+              "type": "keyword"
+            },
+            "roles": {
+              "type": "object",
+              "dynamic": false
+            }
+          }
+        },
+        "attributes": {
+          "type": "object",
+          "properties": {
+            "principal": {
+              "type": "keyword"
+            },
+            "email": {
+              "type": "keyword"
+            },
+            "name": {
+              "type": "keyword"
+            },
+            "roles": {
+              "type": "keyword"
+            }
+          }
+        },
+        "certificates": {
+          "type": "object",
+          "properties": {
+            "sp_signing": {
+              "type": "text"
+            },
+            "idp_signing": {
+              "type": "text"
+            },
+            "idp_metadata": {
+              "type": "text"
+            }
+          }
+        }
+      }
+    }
+  }
+}

x-pack/plugin/identity-provider/build.gradle

@@ -0,0 +1,368 @@
+evaluationDependsOn(xpackModule('core'))
+
+apply plugin: 'elasticsearch.esplugin'
+apply plugin: 'nebula.maven-scm'
+esplugin {
+  name 'x-pack-identity-provider'
+  description 'Elasticsearch Expanded Pack Plugin - Identity Provider'
+  classname 'org.elasticsearch.xpack.idp.IdentityProviderPlugin'
+  extendedPlugins = ['x-pack-core']
+}
+
+archivesBaseName = 'x-pack-identity-provider'
+
+dependencies {
+  compileOnly project(path: xpackModule('core'), configuration: 'default')
+  testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
+  // So that we can extend LocalStateCompositeXPackPlugin
+  testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')
+
+  // the following are all SAML dependencies - might as well download the whole internet
+  compile "org.opensaml:opensaml-core:3.4.5"
+  compile "org.opensaml:opensaml-saml-api:3.4.5"
+  compile "org.opensaml:opensaml-saml-impl:3.4.5"
+  compile "org.opensaml:opensaml-messaging-api:3.4.5"
+  compile "org.opensaml:opensaml-messaging-impl:3.4.5"
+  compile "org.opensaml:opensaml-security-api:3.4.5"
+  compile "org.opensaml:opensaml-security-impl:3.4.5"
+  compile "org.opensaml:opensaml-profile-api:3.4.5"
+  compile "org.opensaml:opensaml-profile-impl:3.4.5"
+  compile "org.opensaml:opensaml-xmlsec-api:3.4.5"
+  compile "org.opensaml:opensaml-xmlsec-impl:3.4.5"
+  compile "org.opensaml:opensaml-soap-api:3.4.5"
+  compile "org.opensaml:opensaml-soap-impl:3.4.5"
+  compile "org.opensaml:opensaml-storage-api:3.4.5"
+  compile "org.opensaml:opensaml-storage-impl:3.4.5"
+  compile "net.shibboleth.utilities:java-support:7.5.1"
+  compile "org.apache.santuario:xmlsec:2.1.4"
+  compile "io.dropwizard.metrics:metrics-core:3.2.2"
+  compile ("org.cryptacular:cryptacular:1.2.4") {
+      exclude group: 'org.bouncycastle'
+  }
+  compile "org.slf4j:slf4j-api:${versions.slf4j}"
+  compile "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
+  compile "org.apache.httpcomponents:httpclient:${versions.httpclient}"
+  compile "org.apache.httpcomponents:httpcore:${versions.httpcore}"
+  compile "org.apache.httpcomponents:httpasyncclient:${versions.httpasyncclient}"
+  compile "org.apache.httpcomponents:httpcore-nio:${versions.httpcore}"
+  compile "org.apache.httpcomponents:httpclient-cache:${versions.httpclient}"
+  compile 'com.google.guava:guava:19.0'
+
+  testCompile 'org.elasticsearch:securemock:1.2'
+  testCompile "org.elasticsearch:mocksocket:${versions.mocksocket}"
+}
+
+compileJava.options.compilerArgs << "-Xlint:-rawtypes,-unchecked"
+compileTestJava.options.compilerArgs << "-Xlint:-rawtypes,-unchecked"
+
+dependencyLicenses {
+  mapping from: /java-support|opensaml-.*/, to: 'shibboleth'
+  mapping from: /http.*/, to: 'httpclient'
+}
+
+forbiddenPatterns {
+  exclude '**/*.key'
+  exclude '**/*.p12'
+  exclude '**/*.der'
+  exclude '**/*.zip'
+}
+
+forbiddenApisMain {
+  signaturesFiles += files('forbidden/xml-signatures.txt')
+}
+
+// classes are missing, e.g. com.ibm.icu.lang.UCharacter
+thirdPartyAudit {
+    ignoreMissingClasses (
+        // SAML dependencies
+        // [missing classes] Some cli utilities that we don't use depend on these missing JCommander classes
+        'com.beust.jcommander.JCommander',
+        'com.beust.jcommander.converters.BaseConverter',
+        // [missing classes] Shibboleth + OpenSAML have servlet support that we don't use
+        'javax.servlet.AsyncContext',
+        'javax.servlet.DispatcherType',
+        'javax.servlet.Filter',
+        'javax.servlet.FilterChain',
+        'javax.servlet.FilterConfig',
+        'javax.servlet.RequestDispatcher',
+        'javax.servlet.ServletContext',
+        'javax.servlet.ServletException',
+        'javax.servlet.ServletInputStream',
+        'javax.servlet.ServletOutputStream',
+        'javax.servlet.ServletRequest',
+        'javax.servlet.ServletResponse',
+        'javax.servlet.http.Cookie',
+        'javax.servlet.http.HttpServletRequest',
+        'javax.servlet.http.HttpServletResponse',
+        'javax.servlet.http.HttpServletResponseWrapper',
+        'javax.servlet.http.HttpSession',
+        'javax.servlet.http.Part',
+        // [missing classes] Shibboleth + OpenSAML have velocity support that we don't use
+        'org.apache.velocity.VelocityContext',
+        'org.apache.velocity.app.VelocityEngine',
+        'org.apache.velocity.context.Context',
+        'org.apache.velocity.exception.VelocityException',
+        'org.apache.velocity.runtime.RuntimeServices',
+        'org.apache.velocity.runtime.log.LogChute',
+        'org.apache.velocity.runtime.resource.loader.StringResourceLoader',
+        'org.apache.velocity.runtime.resource.util.StringResourceRepository',
+        // [missing classes] OpenSAML depends on Apache XML security which depends on Xalan, but only for functionality that OpenSAML doesn't use
+        'org.apache.xml.dtm.DTM',
+        'org.apache.xml.utils.PrefixResolver',
+        'org.apache.xml.utils.PrefixResolverDefault',
+        'org.apache.xpath.Expression',
+        'org.apache.xpath.NodeSetDTM',
+        'org.apache.xpath.XPath',
+        'org.apache.xpath.XPathContext',
+        'org.apache.xpath.compiler.FunctionTable',
+        'org.apache.xpath.functions.Function',
+        'org.apache.xpath.objects.XNodeSet',
+        'org.apache.xpath.objects.XObject',
+        // [missing classes] OpenSAML storage has an optional LDAP storage impl
+        'org.ldaptive.AttributeModification',
+        'org.ldaptive.AttributeModificationType',
+        'org.ldaptive.Connection',
+        'org.ldaptive.DeleteOperation',
+        'org.ldaptive.DeleteRequest',
+        'org.ldaptive.LdapAttribute',
+        'org.ldaptive.LdapEntry',
+        'org.ldaptive.LdapException',
+        'org.ldaptive.ModifyOperation',
+        'org.ldaptive.ModifyRequest',
+        'org.ldaptive.Response',
+        'org.ldaptive.ResultCode',
+        'org.ldaptive.SearchOperation',
+        'org.ldaptive.SearchRequest',
+        'org.ldaptive.SearchResult',
+        'org.ldaptive.ext.MergeOperation',
+        'org.ldaptive.ext.MergeRequest',
+        'org.ldaptive.pool.ConnectionPool',
+        'org.ldaptive.pool.PooledConnectionFactory',
+        // [missing classes] OpenSAML storage has an optional JSON-backed storage impl
+        'javax.json.Json',
+        'javax.json.JsonException',
+        'javax.json.JsonNumber',
+        'javax.json.JsonObject',
+        'javax.json.JsonReader',
+        'javax.json.JsonValue$ValueType',
+        'javax.json.JsonValue',
+        'javax.json.stream.JsonGenerator',
+        // [missing classes] OpenSAML storage has an optional JPA storage impl
+        'javax.persistence.EntityManager',
+        'javax.persistence.EntityManagerFactory',
+        'javax.persistence.EntityTransaction',
+        'javax.persistence.LockModeType',
+        'javax.persistence.Query',
+        // [missing classes] OpenSAML storage and HttpClient cache have optional memcache support
+        'net.spy.memcached.CASResponse',
+        'net.spy.memcached.CASValue',
+        'net.spy.memcached.MemcachedClient',
+        'net.spy.memcached.MemcachedClientIF',
+        'net.spy.memcached.CachedData',
+        'net.spy.memcached.internal.OperationFuture',
+        'net.spy.memcached.transcoders.Transcoder',
+        // [missing classes] Http Client cache has optional ehcache support
+        'net.sf.ehcache.Ehcache',
+        'net.sf.ehcache.Element',
+        // [missing classes] SLF4j includes an optional class that depends on an extension class (!)
+        'org.slf4j.ext.EventData',
+        // Bouncycastle is an optional dependency for apache directory, cryptacular and opensaml packages. We
+        // acknowledge them here instead of adding bouncy castle as a compileOnly dependency
+        'org.bouncycastle.asn1.ASN1Encodable',
+        'org.bouncycastle.asn1.ASN1InputStream',
+        'org.bouncycastle.asn1.ASN1Integer',
+        'org.bouncycastle.asn1.ASN1ObjectIdentifier',
+        'org.bouncycastle.asn1.ASN1OctetString',
+        'org.bouncycastle.asn1.ASN1Primitive',
+        'org.bouncycastle.asn1.ASN1Sequence',
+        'org.bouncycastle.asn1.ASN1TaggedObject',
+        'org.bouncycastle.asn1.DEROctetString',
+        'org.bouncycastle.asn1.DERSequence',
+        'org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo',
+        'org.bouncycastle.asn1.pkcs.EncryptionScheme',
+        'org.bouncycastle.asn1.pkcs.KeyDerivationFunc',
+        'org.bouncycastle.asn1.pkcs.PBEParameter',
+        'org.bouncycastle.asn1.pkcs.PBES2Parameters',
+        'org.bouncycastle.asn1.pkcs.PBKDF2Params',
+        'org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers',
+        'org.bouncycastle.asn1.pkcs.PrivateKeyInfo',
+        'org.bouncycastle.asn1.x500.AttributeTypeAndValue',
+        'org.bouncycastle.asn1.x500.RDN',
+        'org.bouncycastle.asn1.x500.X500Name',
+        'org.bouncycastle.asn1.x509.AccessDescription',
+        'org.bouncycastle.asn1.x509.AlgorithmIdentifier',
+        'org.bouncycastle.asn1.x509.AuthorityKeyIdentifier',
+        'org.bouncycastle.asn1.x509.BasicConstraints',
+        'org.bouncycastle.asn1.x509.DistributionPoint',
+        'org.bouncycastle.asn1.x509.Extension',
+        'org.bouncycastle.asn1.x509.GeneralName',
+        'org.bouncycastle.asn1.x509.GeneralNames',
+        'org.bouncycastle.asn1.x509.GeneralNamesBuilder',
+        'org.bouncycastle.asn1.x509.KeyPurposeId',
+        'org.bouncycastle.asn1.x509.KeyUsage',
+        'org.bouncycastle.asn1.x509.PolicyInformation',
+        'org.bouncycastle.asn1.x509.SubjectKeyIdentifier',
+        'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo',
+        'org.bouncycastle.asn1.x9.X9ECParameters',
+        'org.bouncycastle.cert.X509v3CertificateBuilder',
+        'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
+        'org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils',
+        'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
+        'org.bouncycastle.crypto.BlockCipher',
+        'org.bouncycastle.crypto.BufferedBlockCipher',
+        'org.bouncycastle.crypto.CipherParameters',
+        'org.bouncycastle.crypto.Digest',
+        'org.bouncycastle.crypto.PBEParametersGenerator',
+        'org.bouncycastle.crypto.StreamCipher',
+        'org.bouncycastle.crypto.digests.GOST3411Digest',
+        'org.bouncycastle.crypto.digests.MD2Digest',
+        'org.bouncycastle.crypto.digests.MD4Digest',
+        'org.bouncycastle.crypto.digests.MD5Digest',
+        'org.bouncycastle.crypto.digests.RIPEMD128Digest',
+        'org.bouncycastle.crypto.digests.RIPEMD160Digest',
+        'org.bouncycastle.crypto.digests.RIPEMD256Digest',
+        'org.bouncycastle.crypto.digests.RIPEMD320Digest',
+        'org.bouncycastle.crypto.digests.SHA1Digest',
+        'org.bouncycastle.crypto.digests.SHA224Digest',
+        'org.bouncycastle.crypto.digests.SHA256Digest',
+        'org.bouncycastle.crypto.digests.SHA384Digest',
+        'org.bouncycastle.crypto.digests.SHA3Digest',
+        'org.bouncycastle.crypto.digests.SHA512Digest',
+        'org.bouncycastle.crypto.digests.TigerDigest',
+        'org.bouncycastle.crypto.digests.WhirlpoolDigest',
+        'org.bouncycastle.crypto.engines.AESEngine',
+        'org.bouncycastle.crypto.engines.BlowfishEngine',
+        'org.bouncycastle.crypto.engines.CAST5Engine',
+        'org.bouncycastle.crypto.engines.CAST6Engine',
+        'org.bouncycastle.crypto.engines.CamelliaEngine',
+        'org.bouncycastle.crypto.engines.DESEngine',
+        'org.bouncycastle.crypto.engines.DESedeEngine',
+        'org.bouncycastle.crypto.engines.GOST28147Engine',
+        'org.bouncycastle.crypto.engines.Grain128Engine',
+        'org.bouncycastle.crypto.engines.HC128Engine',
+        'org.bouncycastle.crypto.engines.HC256Engine',
+        'org.bouncycastle.crypto.engines.ISAACEngine',
+        'org.bouncycastle.crypto.engines.NoekeonEngine',
+        'org.bouncycastle.crypto.engines.RC2Engine',
+        'org.bouncycastle.crypto.engines.RC4Engine',
+        'org.bouncycastle.crypto.engines.RC532Engine',
+        'org.bouncycastle.crypto.engines.RC564Engine',
+        'org.bouncycastle.crypto.engines.RC6Engine',
+        'org.bouncycastle.crypto.engines.SEEDEngine',
+        'org.bouncycastle.crypto.engines.Salsa20Engine',
+        'org.bouncycastle.crypto.engines.SerpentEngine',
+        'org.bouncycastle.crypto.engines.SkipjackEngine',
+        'org.bouncycastle.crypto.engines.TEAEngine',
+        'org.bouncycastle.crypto.engines.TwofishEngine',
+        'org.bouncycastle.crypto.engines.VMPCEngine',
+        'org.bouncycastle.crypto.engines.XTEAEngine',
+        'org.bouncycastle.crypto.generators.BCrypt',
+        'org.bouncycastle.crypto.generators.OpenSSLPBEParametersGenerator',
+        'org.bouncycastle.crypto.generators.PKCS5S1ParametersGenerator',
+        'org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator',
+        'org.bouncycastle.crypto.io.CipherInputStream',
+        'org.bouncycastle.crypto.io.CipherOutputStream',
+        'org.bouncycastle.crypto.macs.HMac',
+        'org.bouncycastle.crypto.modes.AEADBlockCipher',
+        'org.bouncycastle.crypto.modes.CBCBlockCipher',
+        'org.bouncycastle.crypto.modes.CCMBlockCipher',
+        'org.bouncycastle.crypto.modes.CFBBlockCipher',
+        'org.bouncycastle.crypto.modes.EAXBlockCipher',
+        'org.bouncycastle.crypto.modes.GCMBlockCipher',
+        'org.bouncycastle.crypto.modes.OCBBlockCipher',
+        'org.bouncycastle.crypto.modes.OFBBlockCipher',
+        'org.bouncycastle.crypto.paddings.BlockCipherPadding',
+        'org.bouncycastle.crypto.paddings.ISO10126d2Padding',
+        'org.bouncycastle.crypto.paddings.ISO7816d4Padding',
+        'org.bouncycastle.crypto.paddings.PKCS7Padding',
+        'org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher',
+        'org.bouncycastle.crypto.paddings.TBCPadding',
+        'org.bouncycastle.crypto.paddings.X923Padding',
+        'org.bouncycastle.crypto.paddings.ZeroBytePadding',
+        'org.bouncycastle.crypto.params.AEADParameters',
+        'org.bouncycastle.crypto.params.AsymmetricKeyParameter',
+        'org.bouncycastle.crypto.params.DSAKeyParameters',
+        'org.bouncycastle.crypto.params.DSAParameters',
+        'org.bouncycastle.crypto.params.DSAPrivateKeyParameters',
+        'org.bouncycastle.crypto.params.DSAPublicKeyParameters',
+        'org.bouncycastle.crypto.params.ECDomainParameters',
+        'org.bouncycastle.crypto.params.ECKeyParameters',
+        'org.bouncycastle.crypto.params.ECPrivateKeyParameters',
+        'org.bouncycastle.crypto.params.ECPublicKeyParameters',
+        'org.bouncycastle.crypto.params.KeyParameter',
+        'org.bouncycastle.crypto.params.ParametersWithIV',
+        'org.bouncycastle.crypto.params.RC2Parameters',
+        'org.bouncycastle.crypto.params.RC5Parameters',
+        'org.bouncycastle.crypto.params.RSAKeyParameters',
+        'org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters',
+        'org.bouncycastle.crypto.prng.EntropySource',
+        'org.bouncycastle.crypto.prng.SP800SecureRandom',
+        'org.bouncycastle.crypto.prng.SP800SecureRandomBuilder',
+        'org.bouncycastle.crypto.prng.drbg.HashSP800DRBG',
+        'org.bouncycastle.crypto.prng.drbg.SP80090DRBG',
+        'org.bouncycastle.crypto.signers.DSASigner',
+        'org.bouncycastle.crypto.signers.ECDSASigner',
+        'org.bouncycastle.crypto.signers.RSADigestSigner',
+        'org.bouncycastle.crypto.util.PrivateKeyFactory',
+        'org.bouncycastle.crypto.util.PrivateKeyInfoFactory',
+        'org.bouncycastle.crypto.util.PublicKeyFactory',
+        'org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory',
+        'org.bouncycastle.jcajce.provider.asymmetric.dsa.KeyPairGeneratorSpi',
+        'org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC',
+        'org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyPairGeneratorSpi',
+        'org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util',
+        'org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil',
+        'org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec',
+        'org.bouncycastle.math.ec.ECFieldElement',
+        'org.bouncycastle.math.ec.ECPoint',
+        'org.bouncycastle.openssl.jcajce.JcaPEMWriter',
+        'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder',
+        'org.bouncycastle.util.Arrays',
+        'org.bouncycastle.util.Strings',
+        'org.bouncycastle.util.io.Streams',
+        'org.bouncycastle.x509.extension.X509ExtensionUtil'
+    )
+
+  ignoreViolations(
+    // Guava uses internal java api: sun.misc.Unsafe
+    'com.google.common.cache.Striped64',
+    'com.google.common.cache.Striped64$1',
+    'com.google.common.cache.Striped64$Cell',
+    'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator',
+    'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator$1',
+    'com.google.common.util.concurrent.AbstractFuture$UnsafeAtomicHelper',
+    'com.google.common.util.concurrent.AbstractFuture$UnsafeAtomicHelper$1',
+  )
+}
+
+thirdPartyAudit.ignoreMissingClasses(
+  'javax.xml.bind.JAXBContext',
+  'javax.xml.bind.JAXBElement',
+  'javax.xml.bind.JAXBException',
+  'javax.xml.bind.Unmarshaller',
+  'javax.xml.bind.UnmarshallerHandler',
+)
+
+
+test {
+  /*
+   * We have to disable setting the number of available processors as tests in the same JVM randomize processors and will step on each
+   * other if we allow them to set the number of available processors as it's set-once in Netty.
+   */
+  systemProperty 'es.set.netty.runtime.available.processors', 'false'
+}
+
+// xpack modules are installed in real clusters as the meta plugin, so
+// installing them as individual plugins for integ tests doesn't make sense,
+// so we disable integ tests
+integTest.enabled = false
+
+// add all sub-projects of the qa sub-project
+gradle.projectsEvaluated {
+  project.subprojects
+    .find { it.path == project.path + ":qa" }
+    .subprojects
+    .findAll { it.path.startsWith(project.path + ":qa") }
+    .each { check.dependsOn it.check }
+}
+

x-pack/plugin/identity-provider/forbidden/xml-signatures.txt

@@ -0,0 +1,8 @@
+@defaultMessage DocumentBuilderFactory should not be used directly. (See x-pack-security SamlUtils#getHardenedDocumentBuilder if you ever need one)
+javax.xml.parsers.DocumentBuilderFactory#newInstance()
+javax.xml.parsers.DocumentBuilderFactory#newInstance(java.lang.String, java.lang.ClassLoader)
+
+@defaultMessage TransformerFactory should not be used directly. Use IdPSamlTestCase#getHardenedXMLTransformer() instead.
+javax.xml.transform.TransformerFactory#newInstance()
+javax.xml.transform.TransformerFactory#newInstance(java.lang.String, java.lang.ClassLoader)
+

x-pack/plugin/identity-provider/licenses/cryptacular-1.2.4.jar.sha1

@@ -0,0 +1 @@
+4994c015d87886212683245d13e87f6fb903a760

x-pack/plugin/identity-provider/licenses/cryptacular-LICENSE.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

x-pack/plugin/identity-provider/licenses/cryptacular-NOTICE.txt

@@ -0,0 +1,710 @@
+
+
+
+
+
+
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+  <link rel="dns-prefetch" href="https://assets-cdn.github.com">
+  <link rel="dns-prefetch" href="https://avatars0.githubusercontent.com">
+  <link rel="dns-prefetch" href="https://avatars1.githubusercontent.com">
+  <link rel="dns-prefetch" href="https://avatars2.githubusercontent.com">
+  <link rel="dns-prefetch" href="https://avatars3.githubusercontent.com">
+  <link rel="dns-prefetch" href="https://github-cloud.s3.amazonaws.com">
+  <link rel="dns-prefetch" href="https://user-images.githubusercontent.com/">
+
+
+
+  <link crossorigin="anonymous" href="https://assets-cdn.github.com/assets/frameworks-2d2d4c150f7000385741c6b992b302689ecd172246c6428904e0813be9bceca6.css" media="all" rel="stylesheet" />
+  <link crossorigin="anonymous" href="https://assets-cdn.github.com/assets/github-0522ae8d3b3bdc841d2f91f90efd5f1fd9040d910905674cd134ced43a6dfea6.css" media="all" rel="stylesheet" />
+  
+  
+  <link crossorigin="anonymous" href="https://assets-cdn.github.com/assets/site-cfab053e93f0e27f4c63d4ff6b7957bd25f711667fe678e747f8a4d88c47b38d.css" media="all" rel="stylesheet" />
+  
+
+  <meta name="viewport" content="width=device-width">
+  
+  <title>cryptacular/NOTICE at master · vt-middleware/cryptacular · GitHub</title>
+  <link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="GitHub">
+  <link rel="fluid-icon" href="https://github.com/fluidicon.png" title="GitHub">
+  <meta property="fb:app_id" content="1401488693436528">
+
+    
+    <meta content="https://avatars7.githubusercontent.com/u/6122907?v=4&amp;s=400" property="og:image" /><meta content="GitHub" property="og:site_name" /><meta content="object" property="og:type" /><meta content="vt-middleware/cryptacular" property="og:title" /><meta content="https://github.com/vt-middleware/cryptacular" property="og:url" /><meta content="cryptacular - The friendly complement to the BouncyCastle crypto API for Java." property="og:description" />
+
+  <link rel="assets" href="https://assets-cdn.github.com/">
+  
+  <meta name="pjax-timeout" content="1000">
+  
+  <meta name="request-id" content="E0E4:26F16:12A5AE6:1D11801:596C7978" data-pjax-transient>
+  
+
+  <meta name="selected-link" value="repo_source" data-pjax-transient>
+
+  <meta name="google-site-verification" content="KT5gs8h0wvaagLKAVWq8bbeNwnZZK1r1XQysX3xurLU">
+<meta name="google-site-verification" content="ZzhVyEFwb7w3e0-uOTltm8Jsck2F5StVihD0exw2fsA">
+    <meta name="google-analytics" content="UA-3769691-2">
+
+<meta content="collector.githubapp.com" name="octolytics-host" /><meta content="github" name="octolytics-app-id" /><meta content="https://collector.githubapp.com/github-external/browser_event" name="octolytics-event-url" /><meta content="E0E4:26F16:12A5AE6:1D11801:596C7978" name="octolytics-dimension-request_id" /><meta content="sea" name="octolytics-dimension-region_edge" /><meta content="iad" name="octolytics-dimension-region_render" />
+<meta content="/&lt;user-name&gt;/&lt;repo-name&gt;/blob/show" data-pjax-transient="true" name="analytics-location" />
+
+
+
+
+  <meta class="js-ga-set" name="dimension1" content="Logged Out">
+
+
+  
+
+      <meta name="hostname" content="github.com">
+  <meta name="user-login" content="">
+
+      <meta name="expected-hostname" content="github.com">
+    <meta name="js-proxy-site-detection-payload" content="N2ZhMjk0NTA4MjI1NmZhYTVlNzM5NzVjZmFkOWY2NGFkNmMxYzcyMGViNzAzZGQxMGMzZmJhZDQ3YWZiZTI0OHx7InJlbW90ZV9hZGRyZXNzIjoiMTEwLjIwLjIyMC4xMzUiLCJyZXF1ZXN0X2lkIjoiRTBFNDoyNkYxNjoxMkE1QUU2OjFEMTE4MDE6NTk2Qzc5NzgiLCJ0aW1lc3RhbXAiOjE1MDAyODEyMDgsImhvc3QiOiJnaXRodWIuY29tIn0=">
+
+
+  <meta name="html-safe-nonce" content="5aa226b80a18dc40894e1d405e4eb31cfca7d616">
+
+  <meta http-equiv="x-pjax-version" content="f682644ce1bb9629b9d9d9bedf64801b">
+  
+
+      <link href="https://github.com/vt-middleware/cryptacular/commits/master.atom" rel="alternate" title="Recent Commits to cryptacular:master" type="application/atom+xml">
+
+  <meta name="description" content="cryptacular - The friendly complement to the BouncyCastle crypto API for Java.">
+  <meta name="go-import" content="github.com/vt-middleware/cryptacular git https://github.com/vt-middleware/cryptacular.git">
+
+  <meta content="6122907" name="octolytics-dimension-user_id" /><meta content="vt-middleware" name="octolytics-dimension-user_login" /><meta content="15714989" name="octolytics-dimension-repository_id" /><meta content="vt-middleware/cryptacular" name="octolytics-dimension-repository_nwo" /><meta content="true" name="octolytics-dimension-repository_public" /><meta content="false" name="octolytics-dimension-repository_is_fork" /><meta content="15714989" name="octolytics-dimension-repository_network_root_id" /><meta content="vt-middleware/cryptacular" name="octolytics-dimension-repository_network_root_nwo" /><meta content="false" name="octolytics-dimension-repository_explore_github_marketplace_ci_cta_shown" />
+
+
+    <link rel="canonical" href="https://github.com/vt-middleware/cryptacular/blob/master/NOTICE" data-pjax-transient>
+
+
+  <meta name="browser-stats-url" content="https://api.github.com/_private/browser/stats">
+
+  <meta name="browser-errors-url" content="https://api.github.com/_private/browser/errors">
+
+  <link rel="mask-icon" href="https://assets-cdn.github.com/pinned-octocat.svg" color="#000000">
+  <link rel="icon" type="image/x-icon" href="https://assets-cdn.github.com/favicon.ico">
+
+<meta name="theme-color" content="#1e2327">
+
+
+
+  </head>
+
+  <body class="logged-out env-production page-blob">
+    
+
+
+
+  <div class="position-relative js-header-wrapper ">
+    <a href="#start-of-content" tabindex="1" class="px-2 py-4 show-on-focus js-skip-to-content">Skip to content</a>
+    <div id="js-pjax-loader-bar" class="pjax-loader-bar"><div class="progress"></div></div>
+
+    
+    
+    
+
+
+
+          <header class="site-header js-details-container Details" role="banner">
+  <div class="site-nav-container">
+    <a class="header-logo-invertocat" href="https://github.com/" aria-label="Homepage" data-ga-click="(Logged out) Header, go to homepage, icon:logo-wordmark">
+      <svg aria-hidden="true" class="octicon octicon-mark-github" height="32" version="1.1" viewBox="0 0 16 16" width="32"><path fill-rule="evenodd" d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z"/></svg>
+    </a>
+
+    <button class="btn-link float-right site-header-toggle js-details-target" type="button" aria-label="Toggle navigation" aria-expanded="false">
+      <svg aria-hidden="true" class="octicon octicon-three-bars" height="24" version="1.1" viewBox="0 0 12 16" width="18"><path fill-rule="evenodd" d="M11.41 9H.59C0 9 0 8.59 0 8c0-.59 0-1 .59-1H11.4c.59 0 .59.41.59 1 0 .59 0 1-.59 1h.01zm0-4H.59C0 5 0 4.59 0 4c0-.59 0-1 .59-1H11.4c.59 0 .59.41.59 1 0 .59 0 1-.59 1h.01zM.59 11H11.4c.59 0 .59.41.59 1 0 .59 0 1-.59 1H.59C0 13 0 12.59 0 12c0-.59 0-1 .59-1z"/></svg>
+    </button>
+
+    <div class="site-header-menu">
+      <nav class="site-header-nav">
+        <a href="/features" class="js-selected-navigation-item nav-item" data-ga-click="Header, click, Nav menu - item:features" data-selected-links="/features /features/code-review /features/project-management /features/integrations /features">
+          Features
+</a>        <a href="/business" class="js-selected-navigation-item nav-item" data-ga-click="Header, click, Nav menu - item:business" data-selected-links="/business /business/security /business/customers /business">
+          Business
+</a>        <a href="/explore" class="js-selected-navigation-item nav-item" data-ga-click="Header, click, Nav menu - item:explore" data-selected-links="/explore /trending /trending/developers /stars /integrations /integrations/feature/code /integrations/feature/collaborate /integrations/feature/ship showcases showcases_search showcases_landing /explore">
+          Explore
+</a>            <a href="/marketplace" class="js-selected-navigation-item nav-item" data-ga-click="Header, click, Nav menu - item:marketplace" data-selected-links=" /marketplace">
+              Marketplace
+</a>        <a href="/pricing" class="js-selected-navigation-item nav-item" data-ga-click="Header, click, Nav menu - item:pricing" data-selected-links="/pricing /pricing/developer /pricing/team /pricing/business-hosted /pricing/business-enterprise /pricing">
+          Pricing
+</a>      </nav>
+
+      <div class="site-header-actions">
+          <div class="header-search scoped-search site-scoped-search js-site-search" role="search">
+  <!-- '"` --><!-- </textarea></xmp> --></option></form><form accept-charset="UTF-8" action="/vt-middleware/cryptacular/search" class="js-site-search-form" data-scoped-search-url="/vt-middleware/cryptacular/search" data-unscoped-search-url="/search" method="get"><div style="margin:0;padding:0;display:inline"><input name="utf8" type="hidden" value="&#x2713;" /></div>
+    <label class="form-control header-search-wrapper js-chromeless-input-container">
+        <a href="/vt-middleware/cryptacular/blob/master/NOTICE" class="header-search-scope no-underline">This repository</a>
+      <input type="text"
+        class="form-control header-search-input js-site-search-focus js-site-search-field is-clearable"
+        data-hotkey="s"
+        name="q"
+        value=""
+        placeholder="Search"
+        aria-label="Search this repository"
+        data-unscoped-placeholder="Search GitHub"
+        data-scoped-placeholder="Search"
+        autocapitalize="off">
+        <input type="hidden" class="js-site-search-type-field" name="type" >
+    </label>
+</form></div>
+
+
+          <a class="text-bold site-header-link" href="/login?return_to=%2Fvt-middleware%2Fcryptacular%2Fblob%2Fmaster%2FNOTICE" data-ga-click="(Logged out) Header, clicked Sign in, text:sign-in">Sign in</a>
+            <span class="text-gray">or</span>
+            <a class="text-bold site-header-link" href="/join?source=header-repo" data-ga-click="(Logged out) Header, clicked Sign up, text:sign-up">Sign up</a>
+      </div>
+    </div>
+  </div>
+</header>
+
+
+  </div>
+
+  <div id="start-of-content" class="show-on-focus"></div>
+
+    <div id="js-flash-container">
+</div>
+
+
+
+  <div role="main">
+        <div itemscope itemtype="http://schema.org/SoftwareSourceCode">
+    <div id="js-repo-pjax-container" data-pjax-container>
+      
+
+
+
+  
+
+
+    <div class="pagehead repohead instapaper_ignore readability-menu experiment-repo-nav">
+      <div class="container repohead-details-container">
+
+        <ul class="pagehead-actions">
+  <li>
+      <a href="/login?return_to=%2Fvt-middleware%2Fcryptacular"
+    class="btn btn-sm btn-with-count tooltipped tooltipped-n"
+    aria-label="You must be signed in to watch a repository" rel="nofollow">
+    <svg aria-hidden="true" class="octicon octicon-eye" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M8.06 2C3 2 0 8 0 8s3 6 8.06 6C13 14 16 8 16 8s-3-6-7.94-6zM8 12c-2.2 0-4-1.78-4-4 0-2.2 1.8-4 4-4 2.22 0 4 1.8 4 4 0 2.22-1.78 4-4 4zm2-4c0 1.11-.89 2-2 2-1.11 0-2-.89-2-2 0-1.11.89-2 2-2 1.11 0 2 .89 2 2z"/></svg>
+    Watch
+  </a>
+  <a class="social-count" href="/vt-middleware/cryptacular/watchers"
+     aria-label="9 users are watching this repository">
+    9
+  </a>
+
+  </li>
+
+  <li>
+      <a href="/login?return_to=%2Fvt-middleware%2Fcryptacular"
+    class="btn btn-sm btn-with-count tooltipped tooltipped-n"
+    aria-label="You must be signed in to star a repository" rel="nofollow">
+    <svg aria-hidden="true" class="octicon octicon-star" height="16" version="1.1" viewBox="0 0 14 16" width="14"><path fill-rule="evenodd" d="M14 6l-4.9-.64L7 1 4.9 5.36 0 6l3.6 3.26L2.67 14 7 11.67 11.33 14l-.93-4.74z"/></svg>
+    Star
+  </a>
+
+    <a class="social-count js-social-count" href="/vt-middleware/cryptacular/stargazers"
+      aria-label="15 users starred this repository">
+      15
+    </a>
+
+  </li>
+
+  <li>
+      <a href="/login?return_to=%2Fvt-middleware%2Fcryptacular"
+        class="btn btn-sm btn-with-count tooltipped tooltipped-n"
+        aria-label="You must be signed in to fork a repository" rel="nofollow">
+        <svg aria-hidden="true" class="octicon octicon-repo-forked" height="16" version="1.1" viewBox="0 0 10 16" width="10"><path fill-rule="evenodd" d="M8 1a1.993 1.993 0 0 0-1 3.72V6L5 8 3 6V4.72A1.993 1.993 0 0 0 2 1a1.993 1.993 0 0 0-1 3.72V6.5l3 3v1.78A1.993 1.993 0 0 0 5 15a1.993 1.993 0 0 0 1-3.72V9.5l3-3V4.72A1.993 1.993 0 0 0 8 1zM2 4.2C1.34 4.2.8 3.65.8 3c0-.65.55-1.2 1.2-1.2.65 0 1.2.55 1.2 1.2 0 .65-.55 1.2-1.2 1.2zm3 10c-.66 0-1.2-.55-1.2-1.2 0-.65.55-1.2 1.2-1.2.65 0 1.2.55 1.2 1.2 0 .65-.55 1.2-1.2 1.2zm3-10c-.66 0-1.2-.55-1.2-1.2 0-.65.55-1.2 1.2-1.2.65 0 1.2.55 1.2 1.2 0 .65-.55 1.2-1.2 1.2z"/></svg>
+        Fork
+      </a>
+
+    <a href="/vt-middleware/cryptacular/network" class="social-count"
+       aria-label="1 user forked this repository">
+      1
+    </a>
+  </li>
+</ul>
+
+        <h1 class="public ">
+  <svg aria-hidden="true" class="octicon octicon-repo" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M4 9H3V8h1v1zm0-3H3v1h1V6zm0-2H3v1h1V4zm0-2H3v1h1V2zm8-1v12c0 .55-.45 1-1 1H6v2l-1.5-1.5L3 16v-2H1c-.55 0-1-.45-1-1V1c0-.55.45-1 1-1h10c.55 0 1 .45 1 1zm-1 10H1v2h2v-1h3v1h5v-2zm0-10H2v9h9V1z"/></svg>
+  <span class="author" itemprop="author"><a href="/vt-middleware" class="url fn" rel="author">vt-middleware</a></span><!--
+--><span class="path-divider">/</span><!--
+--><strong itemprop="name"><a href="/vt-middleware/cryptacular" data-pjax="#js-repo-pjax-container">cryptacular</a></strong>
+
+</h1>
+
+      </div>
+      <div class="container">
+        
+<nav class="reponav js-repo-nav js-sidenav-container-pjax"
+     itemscope
+     itemtype="http://schema.org/BreadcrumbList"
+     role="navigation"
+     data-pjax="#js-repo-pjax-container">
+
+  <span itemscope itemtype="http://schema.org/ListItem" itemprop="itemListElement">
+    <a href="/vt-middleware/cryptacular" class="js-selected-navigation-item selected reponav-item" data-hotkey="g c" data-selected-links="repo_source repo_downloads repo_commits repo_releases repo_tags repo_branches /vt-middleware/cryptacular" itemprop="url">
+      <svg aria-hidden="true" class="octicon octicon-code" height="16" version="1.1" viewBox="0 0 14 16" width="14"><path fill-rule="evenodd" d="M9.5 3L8 4.5 11.5 8 8 11.5 9.5 13 14 8 9.5 3zm-5 0L0 8l4.5 5L6 11.5 2.5 8 6 4.5 4.5 3z"/></svg>
+      <span itemprop="name">Code</span>
+      <meta itemprop="position" content="1">
+</a>  </span>
+
+    <span itemscope itemtype="http://schema.org/ListItem" itemprop="itemListElement">
+      <a href="/vt-middleware/cryptacular/issues" class="js-selected-navigation-item reponav-item" data-hotkey="g i" data-selected-links="repo_issues repo_labels repo_milestones /vt-middleware/cryptacular/issues" itemprop="url">
+        <svg aria-hidden="true" class="octicon octicon-issue-opened" height="16" version="1.1" viewBox="0 0 14 16" width="14"><path fill-rule="evenodd" d="M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"/></svg>
+        <span itemprop="name">Issues</span>
+        <span class="Counter">4</span>
+        <meta itemprop="position" content="2">
+</a>    </span>
+
+  <span itemscope itemtype="http://schema.org/ListItem" itemprop="itemListElement">
+    <a href="/vt-middleware/cryptacular/pulls" class="js-selected-navigation-item reponav-item" data-hotkey="g p" data-selected-links="repo_pulls /vt-middleware/cryptacular/pulls" itemprop="url">
+      <svg aria-hidden="true" class="octicon octicon-git-pull-request" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M11 11.28V5c-.03-.78-.34-1.47-.94-2.06C9.46 2.35 8.78 2.03 8 2H7V0L4 3l3 3V4h1c.27.02.48.11.69.31.21.2.3.42.31.69v6.28A1.993 1.993 0 0 0 10 15a1.993 1.993 0 0 0 1-3.72zm-1 2.92c-.66 0-1.2-.55-1.2-1.2 0-.65.55-1.2 1.2-1.2.65 0 1.2.55 1.2 1.2 0 .65-.55 1.2-1.2 1.2zM4 3c0-1.11-.89-2-2-2a1.993 1.993 0 0 0-1 3.72v6.56A1.993 1.993 0 0 0 2 15a1.993 1.993 0 0 0 1-3.72V4.72c.59-.34 1-.98 1-1.72zm-.8 10c0 .66-.55 1.2-1.2 1.2-.65 0-1.2-.55-1.2-1.2 0-.65.55-1.2 1.2-1.2.65 0 1.2.55 1.2 1.2zM2 4.2C1.34 4.2.8 3.65.8 3c0-.65.55-1.2 1.2-1.2.65 0 1.2.55 1.2 1.2 0 .65-.55 1.2-1.2 1.2z"/></svg>
+      <span itemprop="name">Pull requests</span>
+      <span class="Counter">1</span>
+      <meta itemprop="position" content="3">
+</a>  </span>
+
+    <a href="/vt-middleware/cryptacular/projects" class="js-selected-navigation-item reponav-item" data-selected-links="repo_projects new_repo_project repo_project /vt-middleware/cryptacular/projects">
+      <svg aria-hidden="true" class="octicon octicon-project" height="16" version="1.1" viewBox="0 0 15 16" width="15"><path fill-rule="evenodd" d="M10 12h3V2h-3v10zm-4-2h3V2H6v8zm-4 4h3V2H2v12zm-1 1h13V1H1v14zM14 0H1a1 1 0 0 0-1 1v14a1 1 0 0 0 1 1h13a1 1 0 0 0 1-1V1a1 1 0 0 0-1-1z"/></svg>
+      Projects
+      <span class="Counter" >0</span>
+</a>
+
+
+    <div class="reponav-dropdown js-menu-container">
+      <button type="button" class="btn-link reponav-item reponav-dropdown js-menu-target " data-no-toggle aria-expanded="false" aria-haspopup="true">
+        Insights
+        <svg aria-hidden="true" class="octicon octicon-triangle-down v-align-middle text-gray" height="11" version="1.1" viewBox="0 0 12 16" width="8"><path fill-rule="evenodd" d="M0 5l6 6 6-6z"/></svg>
+      </button>
+      <div class="dropdown-menu-content js-menu-content">
+        <div class="dropdown-menu dropdown-menu-sw">
+          <a class="dropdown-item" href="/vt-middleware/cryptacular/pulse" data-skip-pjax>
+            <svg aria-hidden="true" class="octicon octicon-pulse" height="16" version="1.1" viewBox="0 0 14 16" width="14"><path fill-rule="evenodd" d="M11.5 8L8.8 5.4 6.6 8.5 5.5 1.6 2.38 8H0v2h3.6l.9-1.8.9 5.4L9 8.5l1.6 1.5H14V8z"/></svg>
+            Pulse
+          </a>
+          <a class="dropdown-item" href="/vt-middleware/cryptacular/graphs" data-skip-pjax>
+            <svg aria-hidden="true" class="octicon octicon-graph" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M16 14v1H0V0h1v14h15zM5 13H3V8h2v5zm4 0H7V3h2v10zm4 0h-2V6h2v7z"/></svg>
+            Graphs
+          </a>
+        </div>
+      </div>
+    </div>
+</nav>
+
+      </div>
+    </div>
+
+<div class="container new-discussion-timeline experiment-repo-nav">
+  <div class="repository-content">
+
+    
+  <a href="/vt-middleware/cryptacular/blob/c26911e3cd28497ce9daa3ce682e09cb2d1d8688/NOTICE" class="d-none js-permalink-shortcut" data-hotkey="y">Permalink</a>
+
+  <!-- blob contrib key: blob_contributors:v21:f5054b9e46039e0ad937c69e6151b7d4 -->
+
+  <div class="file-navigation js-zeroclipboard-container">
+    
+<div class="select-menu branch-select-menu js-menu-container js-select-menu float-left">
+  <button class=" btn btn-sm select-menu-button js-menu-target css-truncate" data-hotkey="w"
+    
+    type="button" aria-label="Switch branches or tags" aria-expanded="false" aria-haspopup="true">
+      <i>Branch:</i>
+      <span class="js-select-button css-truncate-target">master</span>
+  </button>
+
+  <div class="select-menu-modal-holder js-menu-content js-navigation-container" data-pjax>
+
+    <div class="select-menu-modal">
+      <div class="select-menu-header">
+        <svg aria-label="Close" class="octicon octicon-x js-menu-close" height="16" role="img" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M7.48 8l3.75 3.75-1.48 1.48L6 9.48l-3.75 3.75-1.48-1.48L4.52 8 .77 4.25l1.48-1.48L6 6.52l3.75-3.75 1.48 1.48z"/></svg>
+        <span class="select-menu-title">Switch branches/tags</span>
+      </div>
+
+      <div class="select-menu-filters">
+        <div class="select-menu-text-filter">
+          <input type="text" aria-label="Filter branches/tags" id="context-commitish-filter-field" class="form-control js-filterable-field js-navigation-enable" placeholder="Filter branches/tags">
+        </div>
+        <div class="select-menu-tabs">
+          <ul>
+            <li class="select-menu-tab">
+              <a href="#" data-tab-filter="branches" data-filter-placeholder="Filter branches/tags" class="js-select-menu-tab" role="tab">Branches</a>
+            </li>
+            <li class="select-menu-tab">
+              <a href="#" data-tab-filter="tags" data-filter-placeholder="Find a tag…" class="js-select-menu-tab" role="tab">Tags</a>
+            </li>
+          </ul>
+        </div>
+      </div>
+
+      <div class="select-menu-list select-menu-tab-bucket js-select-menu-tab-bucket" data-tab-filter="branches" role="menu">
+
+        <div data-filterable-for="context-commitish-filter-field" data-filterable-type="substring">
+
+
+            <a class="select-menu-item js-navigation-item js-navigation-open "
+               href="/vt-middleware/cryptacular/blob/ISSUE-31+32/NOTICE"
+               data-name="ISSUE-31+32"
+               data-skip-pjax="true"
+               rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target js-select-menu-filter-text">
+                ISSUE-31+32
+              </span>
+            </a>
+            <a class="select-menu-item js-navigation-item js-navigation-open "
+               href="/vt-middleware/cryptacular/blob/gh-pages/NOTICE"
+               data-name="gh-pages"
+               data-skip-pjax="true"
+               rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target js-select-menu-filter-text">
+                gh-pages
+              </span>
+            </a>
+            <a class="select-menu-item js-navigation-item js-navigation-open selected"
+               href="/vt-middleware/cryptacular/blob/master/NOTICE"
+               data-name="master"
+               data-skip-pjax="true"
+               rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target js-select-menu-filter-text">
+                master
+              </span>
+            </a>
+            <a class="select-menu-item js-navigation-item js-navigation-open "
+               href="/vt-middleware/cryptacular/blob/v1.1/NOTICE"
+               data-name="v1.1"
+               data-skip-pjax="true"
+               rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target js-select-menu-filter-text">
+                v1.1
+              </span>
+            </a>
+        </div>
+
+          <div class="select-menu-no-results">Nothing to show</div>
+      </div>
+
+      <div class="select-menu-list select-menu-tab-bucket js-select-menu-tab-bucket" data-tab-filter="tags">
+        <div data-filterable-for="context-commitish-filter-field" data-filterable-type="substring">
+
+
+            <a class="select-menu-item js-navigation-item js-navigation-open "
+              href="/vt-middleware/cryptacular/tree/v1.2.1/NOTICE"
+              data-name="v1.2.1"
+              data-skip-pjax="true"
+              rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target" title="v1.2.1">
+                v1.2.1
+              </span>
+            </a>
+            <a class="select-menu-item js-navigation-item js-navigation-open "
+              href="/vt-middleware/cryptacular/tree/v1.2.0/NOTICE"
+              data-name="v1.2.0"
+              data-skip-pjax="true"
+              rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target" title="v1.2.0">
+                v1.2.0
+              </span>
+            </a>
+            <a class="select-menu-item js-navigation-item js-navigation-open "
+              href="/vt-middleware/cryptacular/tree/v1.1.2/NOTICE"
+              data-name="v1.1.2"
+              data-skip-pjax="true"
+              rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target" title="v1.1.2">
+                v1.1.2
+              </span>
+            </a>
+            <a class="select-menu-item js-navigation-item js-navigation-open "
+              href="/vt-middleware/cryptacular/tree/v1.1.1/NOTICE"
+              data-name="v1.1.1"
+              data-skip-pjax="true"
+              rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target" title="v1.1.1">
+                v1.1.1
+              </span>
+            </a>
+            <a class="select-menu-item js-navigation-item js-navigation-open "
+              href="/vt-middleware/cryptacular/tree/v1.1.0/NOTICE"
+              data-name="v1.1.0"
+              data-skip-pjax="true"
+              rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target" title="v1.1.0">
+                v1.1.0
+              </span>
+            </a>
+            <a class="select-menu-item js-navigation-item js-navigation-open "
+              href="/vt-middleware/cryptacular/tree/v1.0/NOTICE"
+              data-name="v1.0"
+              data-skip-pjax="true"
+              rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target" title="v1.0">
+                v1.0
+              </span>
+            </a>
+            <a class="select-menu-item js-navigation-item js-navigation-open "
+              href="/vt-middleware/cryptacular/tree/v1.0-RC6/NOTICE"
+              data-name="v1.0-RC6"
+              data-skip-pjax="true"
+              rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target" title="v1.0-RC6">
+                v1.0-RC6
+              </span>
+            </a>
+            <a class="select-menu-item js-navigation-item js-navigation-open "
+              href="/vt-middleware/cryptacular/tree/v1.0-RC4/NOTICE"
+              data-name="v1.0-RC4"
+              data-skip-pjax="true"
+              rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target" title="v1.0-RC4">
+                v1.0-RC4
+              </span>
+            </a>
+            <a class="select-menu-item js-navigation-item js-navigation-open "
+              href="/vt-middleware/cryptacular/tree/v1.0-RC3/NOTICE"
+              data-name="v1.0-RC3"
+              data-skip-pjax="true"
+              rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target" title="v1.0-RC3">
+                v1.0-RC3
+              </span>
+            </a>
+            <a class="select-menu-item js-navigation-item js-navigation-open "
+              href="/vt-middleware/cryptacular/tree/v1.0-RC2/NOTICE"
+              data-name="v1.0-RC2"
+              data-skip-pjax="true"
+              rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target" title="v1.0-RC2">
+                v1.0-RC2
+              </span>
+            </a>
+            <a class="select-menu-item js-navigation-item js-navigation-open "
+              href="/vt-middleware/cryptacular/tree/v1.0-RC1/NOTICE"
+              data-name="v1.0-RC1"
+              data-skip-pjax="true"
+              rel="nofollow">
+              <svg aria-hidden="true" class="octicon octicon-check select-menu-item-icon" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M12 5l-8 8-4-4 1.5-1.5L4 10l6.5-6.5z"/></svg>
+              <span class="select-menu-item-text css-truncate-target" title="v1.0-RC1">
+                v1.0-RC1
+              </span>
+            </a>
+        </div>
+
+        <div class="select-menu-no-results">Nothing to show</div>
+      </div>
+
+    </div>
+  </div>
+</div>
+
+    <div class="BtnGroup float-right">
+      <a href="/vt-middleware/cryptacular/find/master"
+            class="js-pjax-capture-input btn btn-sm BtnGroup-item"
+            data-pjax
+            data-hotkey="t">
+        Find file
+      </a>
+      <button aria-label="Copy file path to clipboard" class="js-zeroclipboard btn btn-sm BtnGroup-item tooltipped tooltipped-s" data-copied-hint="Copied!" type="button">Copy path</button>
+    </div>
+    <div class="breadcrumb js-zeroclipboard-target">
+      <span class="repo-root js-repo-root"><span class="js-path-segment"><a href="/vt-middleware/cryptacular"><span>cryptacular</span></a></span></span><span class="separator">/</span><strong class="final-path">NOTICE</strong>
+    </div>
+  </div>
+
+
+  
+  <div class="commit-tease">
+      <span class="float-right">
+        <a class="commit-tease-sha" href="/vt-middleware/cryptacular/commit/6dd6f199ac3ecc3b4c5aef9e04be3bbe265a30a1" data-pjax>
+          6dd6f19
+        </a>
+        <relative-time datetime="2017-07-06T22:28:36Z">Jul 7, 2017</relative-time>
+      </span>
+      <div>
+        <img alt="@dfish3r" class="avatar" height="20" src="https://avatars6.githubusercontent.com/u/1051499?v=4&amp;s=40" width="20" />
+        <a href="/dfish3r" class="user-mention" rel="contributor">dfish3r</a>
+          <a href="/vt-middleware/cryptacular/commit/6dd6f199ac3ecc3b4c5aef9e04be3bbe265a30a1" class="message" data-pjax="true" title="Update year in notice.">Update year in notice.</a>
+      </div>
+
+    <div class="commit-tease-contributors">
+      <button type="button" class="btn-link muted-link contributors-toggle" data-facebox="#blob_contributors_box">
+        <strong>1</strong>
+         contributor
+      </button>
+      
+    </div>
+
+    <div id="blob_contributors_box" style="display:none">
+      <h2 class="facebox-header" data-facebox-id="facebox-header">Users who have contributed to this file</h2>
+      <ul class="facebox-user-list" data-facebox-id="facebox-description">
+          <li class="facebox-user-list-item">
+            <img alt="@dfish3r" height="24" src="https://avatars4.githubusercontent.com/u/1051499?v=4&amp;s=48" width="24" />
+            <a href="/dfish3r">dfish3r</a>
+          </li>
+      </ul>
+    </div>
+  </div>
+
+  <div class="file">
+    <div class="file-header">
+  <div class="file-actions">
+
+    <div class="BtnGroup">
+      <a href="/vt-middleware/cryptacular/raw/master/NOTICE" class="btn btn-sm BtnGroup-item" id="raw-url">Raw</a>
+        <a href="/vt-middleware/cryptacular/blame/master/NOTICE" class="btn btn-sm js-update-url-with-hash BtnGroup-item" data-hotkey="b">Blame</a>
+      <a href="/vt-middleware/cryptacular/commits/master/NOTICE" class="btn btn-sm BtnGroup-item" rel="nofollow">History</a>
+    </div>
+
+
+        <button type="button" class="btn-octicon disabled tooltipped tooltipped-nw"
+          aria-label="You must be signed in to make or propose changes">
+          <svg aria-hidden="true" class="octicon octicon-pencil" height="16" version="1.1" viewBox="0 0 14 16" width="14"><path fill-rule="evenodd" d="M0 12v3h3l8-8-3-3-8 8zm3 2H1v-2h1v1h1v1zm10.3-9.3L12 6 9 3l1.3-1.3a.996.996 0 0 1 1.41 0l1.59 1.59c.39.39.39 1.02 0 1.41z"/></svg>
+        </button>
+        <button type="button" class="btn-octicon btn-octicon-danger disabled tooltipped tooltipped-nw"
+          aria-label="You must be signed in to make or propose changes">
+          <svg aria-hidden="true" class="octicon octicon-trashcan" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M11 2H9c0-.55-.45-1-1-1H5c-.55 0-1 .45-1 1H2c-.55 0-1 .45-1 1v1c0 .55.45 1 1 1v9c0 .55.45 1 1 1h7c.55 0 1-.45 1-1V5c.55 0 1-.45 1-1V3c0-.55-.45-1-1-1zm-1 12H3V5h1v8h1V5h1v8h1V5h1v8h1V5h1v9zm1-10H2V3h9v1z"/></svg>
+        </button>
+  </div>
+
+  <div class="file-info">
+      7 lines (5 sloc)
+      <span class="file-info-divider"></span>
+    165 Bytes
+  </div>
+</div>
+
+    
+
+  <div itemprop="text" class="blob-wrapper data type-text">
+      <table class="highlight tab-size js-file-line-container" data-tab-size="8">
+      <tr>
+        <td id="L1" class="blob-num js-line-number" data-line-number="1"></td>
+        <td id="LC1" class="blob-code blob-code-inner js-file-line">Cryptacular Java Library</td>
+      </tr>
+      <tr>
+        <td id="L2" class="blob-num js-line-number" data-line-number="2"></td>
+        <td id="LC2" class="blob-code blob-code-inner js-file-line">Copyright (C) 2003-2017 Virginia Tech.</td>
+      </tr>
+      <tr>
+        <td id="L3" class="blob-num js-line-number" data-line-number="3"></td>
+        <td id="LC3" class="blob-code blob-code-inner js-file-line">All rights reserved.</td>
+      </tr>
+      <tr>
+        <td id="L4" class="blob-num js-line-number" data-line-number="4"></td>
+        <td id="LC4" class="blob-code blob-code-inner js-file-line">
+</td>
+      </tr>
+      <tr>
+        <td id="L5" class="blob-num js-line-number" data-line-number="5"></td>
+        <td id="LC5" class="blob-code blob-code-inner js-file-line">This product includes software developed at</td>
+      </tr>
+      <tr>
+        <td id="L6" class="blob-num js-line-number" data-line-number="6"></td>
+        <td id="LC6" class="blob-code blob-code-inner js-file-line">Virginia Tech (http://www.vt.edu).</td>
+      </tr>
+</table>
+
+
+  </div>
+
+  </div>
+
+  <button type="button" data-facebox="#jump-to-line" data-facebox-class="linejump" data-hotkey="l" class="d-none">Jump to Line</button>
+  <div id="jump-to-line" style="display:none">
+    <!-- '"` --><!-- </textarea></xmp> --></option></form><form accept-charset="UTF-8" action="" class="js-jump-to-line-form" method="get"><div style="margin:0;padding:0;display:inline"><input name="utf8" type="hidden" value="&#x2713;" /></div>
+      <input class="form-control linejump-input js-jump-to-line-field" type="text" placeholder="Jump to line&hellip;" aria-label="Jump to line" autofocus>
+      <button type="submit" class="btn">Go</button>
+</form>  </div>
+
+  </div>
+  <div class="modal-backdrop js-touch-events"></div>
+</div>
+
+    </div>
+  </div>
+
+  </div>
+
+      
+<div class="container site-footer-container">
+  <div class="site-footer " role="contentinfo">
+    <ul class="site-footer-links float-right">
+        <li><a href="https://github.com/contact" data-ga-click="Footer, go to contact, text:contact">Contact GitHub</a></li>
+      <li><a href="https://developer.github.com" data-ga-click="Footer, go to api, text:api">API</a></li>
+      <li><a href="https://training.github.com" data-ga-click="Footer, go to training, text:training">Training</a></li>
+      <li><a href="https://shop.github.com" data-ga-click="Footer, go to shop, text:shop">Shop</a></li>
+        <li><a href="https://github.com/blog" data-ga-click="Footer, go to blog, text:blog">Blog</a></li>
+        <li><a href="https://github.com/about" data-ga-click="Footer, go to about, text:about">About</a></li>
+
+    </ul>
+
+    <a href="https://github.com" aria-label="Homepage" class="site-footer-mark" title="GitHub">
+      <svg aria-hidden="true" class="octicon octicon-mark-github" height="24" version="1.1" viewBox="0 0 16 16" width="24"><path fill-rule="evenodd" d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z"/></svg>
+</a>
+    <ul class="site-footer-links">
+      <li>&copy; 2017 <span title="0.10938s from unicorn-2925809464-f2ltq">GitHub</span>, Inc.</li>
+        <li><a href="https://github.com/site/terms" data-ga-click="Footer, go to terms, text:terms">Terms</a></li>
+        <li><a href="https://github.com/site/privacy" data-ga-click="Footer, go to privacy, text:privacy">Privacy</a></li>
+        <li><a href="https://github.com/security" data-ga-click="Footer, go to security, text:security">Security</a></li>
+        <li><a href="https://status.github.com/" data-ga-click="Footer, go to status, text:status">Status</a></li>
+        <li><a href="https://help.github.com" data-ga-click="Footer, go to help, text:help">Help</a></li>
+    </ul>
+  </div>
+</div>
+
+
+
+  <div id="ajax-error-message" class="ajax-error-message flash flash-error">
+    <svg aria-hidden="true" class="octicon octicon-alert" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M8.865 1.52c-.18-.31-.51-.5-.87-.5s-.69.19-.87.5L.275 13.5c-.18.31-.18.69 0 1 .19.31.52.5.87.5h13.7c.36 0 .69-.19.86-.5.17-.31.18-.69.01-1L8.865 1.52zM8.995 13h-2v-2h2v2zm0-3h-2V6h2v4z"/></svg>
+    <button type="button" class="flash-close js-flash-close js-ajax-error-dismiss" aria-label="Dismiss error">
+      <svg aria-hidden="true" class="octicon octicon-x" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M7.48 8l3.75 3.75-1.48 1.48L6 9.48l-3.75 3.75-1.48-1.48L4.52 8 .77 4.25l1.48-1.48L6 6.52l3.75-3.75 1.48 1.48z"/></svg>
+    </button>
+    You can't perform that action at this time.
+  </div>
+
+
+    <script crossorigin="anonymous" src="https://assets-cdn.github.com/assets/compat-91f98c37fc84eac24836eec2567e9912742094369a04c4eba6e3cd1fa18902d9.js"></script>
+    <script crossorigin="anonymous" src="https://assets-cdn.github.com/assets/frameworks-f84bb87b149685d1e6c6f057ee324f2cd496e677f5a359a8b5db853313bb83e6.js"></script>
+    
+    <script async="async" crossorigin="anonymous" src="https://assets-cdn.github.com/assets/github-13fa3aa50ac8f9fa9a7d198f0cd13b0905775d39446ad076d17d8f74a998438a.js"></script>
+    
+    
+    
+    
+  <div class="js-stale-session-flash stale-session-flash flash flash-warn flash-banner d-none">
+    <svg aria-hidden="true" class="octicon octicon-alert" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M8.865 1.52c-.18-.31-.51-.5-.87-.5s-.69.19-.87.5L.275 13.5c-.18.31-.18.69 0 1 .19.31.52.5.87.5h13.7c.36 0 .69-.19.86-.5.17-.31.18-.69.01-1L8.865 1.52zM8.995 13h-2v-2h2v2zm0-3h-2V6h2v4z"/></svg>
+    <span class="signed-in-tab-flash">You signed in with another tab or window. <a href="">Reload</a> to refresh your session.</span>
+    <span class="signed-out-tab-flash">You signed out in another tab or window. <a href="">Reload</a> to refresh your session.</span>
+  </div>
+  <div class="facebox" id="facebox" style="display:none;">
+  <div class="facebox-popup">
+    <div class="facebox-content" role="dialog" aria-labelledby="facebox-header" aria-describedby="facebox-description">
+    </div>
+    <button type="button" class="facebox-close js-facebox-close" aria-label="Close modal">
+      <svg aria-hidden="true" class="octicon octicon-x" height="16" version="1.1" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M7.48 8l3.75 3.75-1.48 1.48L6 9.48l-3.75 3.75-1.48-1.48L4.52 8 .77 4.25l1.48-1.48L6 6.52l3.75-3.75 1.48 1.48z"/></svg>
+    </button>
+  </div>
+</div>
+
+
+  </body>
+</html>
+

x-pack/plugin/identity-provider/licenses/guava-19.0.jar.sha1

@@ -0,0 +1 @@
+6ce200f6b23222af3d8abb6b6459e6c44f4bb0e9

x-pack/plugin/identity-provider/licenses/guava-LICENSE.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

x-pack/plugin/identity-provider/licenses/httpclient-LICENSE.txt

@@ -0,0 +1,558 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+=========================================================================
+
+This project includes Public Suffix List copied from
+<https://publicsuffix.org/list/effective_tld_names.dat>
+licensed under the terms of the Mozilla Public License, v. 2.0
+
+Full license text: <http://mozilla.org/MPL/2.0/>
+
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.

x-pack/plugin/identity-provider/licenses/httpclient-NOTICE.txt

@@ -0,0 +1,6 @@
+Apache HttpComponents Client
+Copyright 1999-2016 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+

x-pack/plugin/identity-provider/licenses/httpclient-cache-4.5.10.jar.sha1

@@ -0,0 +1 @@
+b195778247a21e980cb9f80c41364dc0c38feaef

x-pack/plugin/identity-provider/licenses/java-support-7.5.1.jar.sha1

@@ -0,0 +1 @@
+c3fecaa141e8f0fff8a14e6800aefa8155c9b3e8

x-pack/plugin/identity-provider/licenses/log4j-slf4j-impl-2.11.1.jar.sha1

@@ -0,0 +1 @@
+4b41b53a3a2d299ce381a69d165381ca19f62912

x-pack/plugin/identity-provider/licenses/log4j-slf4j-impl-LICENSE.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

x-pack/plugin/identity-provider/licenses/log4j-slf4j-impl-NOTICE.txt

@@ -0,0 +1,8 @@
+
+Apache Log4j SLF4J Binding
+Copyright 1999-2017 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+

x-pack/plugin/identity-provider/licenses/metrics-core-3.2.2.jar.sha1

@@ -0,0 +1 @@
+cd9886f498ee2ab2d994f0c779e5553b2c450416

x-pack/plugin/identity-provider/licenses/metrics-core-LICENSE.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

x-pack/plugin/identity-provider/licenses/metrics-core-NOTICE.txt

@@ -0,0 +1,4 @@
+Dropwizard
+Copyright 2010-2013 Coda Hale and Yammer, Inc., 2014-2016 Dropwizard Team
+
+This product includes software developed by Coda Hale and Yammer, Inc.

x-pack/plugin/identity-provider/licenses/opensaml-core-3.4.5.jar.sha1

@@ -0,0 +1 @@
+0958fae127de9e8b0296e6f089c7451b6d5f0846

x-pack/plugin/identity-provider/licenses/opensaml-messaging-api-3.4.5.jar.sha1

@@ -0,0 +1 @@
+e3ec93dfbf90c451e9f7fb34a3e33a6ac60edd31

x-pack/plugin/identity-provider/licenses/opensaml-messaging-impl-3.4.5.jar.sha1

@@ -0,0 +1 @@
+beaca9bd69ad861dbb55f1694853a02cb6988ae7

x-pack/plugin/identity-provider/licenses/opensaml-profile-api-3.4.5.jar.sha1

@@ -0,0 +1 @@
+bb0a1f97d38342a5715bad628ee24000b08e821e

x-pack/plugin/identity-provider/licenses/opensaml-profile-impl-3.4.5.jar.sha1

@@ -0,0 +1 @@
+6cb4595c7a988d964f6a2d55dcac754b0c68904e

x-pack/plugin/identity-provider/licenses/opensaml-saml-api-3.4.5.jar.sha1

@@ -0,0 +1 @@
+bef43d21b2d878baceae291af4a0ad3449c7d7ec

x-pack/plugin/identity-provider/licenses/opensaml-saml-impl-3.4.5.jar.sha1

@@ -0,0 +1 @@
+ecf4a9552575d38cffd4dc56d95e7564b7dccfc1

x-pack/plugin/identity-provider/licenses/opensaml-security-api-3.4.5.jar.sha1

@@ -0,0 +1 @@
+15cbb232ae6665edc5df5f260e551e69fdb362e5

x-pack/plugin/identity-provider/licenses/opensaml-security-impl-3.4.5.jar.sha1

@@ -0,0 +1 @@
+b2bc1aa5b0f400aa50499f3783b10e9f7c216a47

x-pack/plugin/identity-provider/licenses/opensaml-soap-api-3.4.5.jar.sha1

@@ -0,0 +1 @@
+c497df002980c6e482ce7b828924bb24f60f99f7

x-pack/plugin/identity-provider/licenses/opensaml-soap-impl-3.4.5.jar.sha1

@@ -0,0 +1 @@
+30ed8d37259e840df5b3fd8daf7b654129a9190c

x-pack/plugin/identity-provider/licenses/opensaml-storage-api-3.4.5.jar.sha1

@@ -0,0 +1 @@
+a984671fd04e50da03f68003d2b062578e63ec86

x-pack/plugin/identity-provider/licenses/opensaml-storage-impl-3.4.5.jar.sha1

@@ -0,0 +1 @@
+a4b828fe1a9d64953ecdd8a9e00ff31b63ad6ef0

x-pack/plugin/identity-provider/licenses/opensaml-xmlsec-api-3.4.5.jar.sha1

@@ -0,0 +1 @@
+a1b10f97deca1e3405f95db5b39697c0d46f5e0d

x-pack/plugin/identity-provider/licenses/opensaml-xmlsec-impl-3.4.5.jar.sha1

@@ -0,0 +1 @@
+d46cb9854a1ff85bea34ece7077bc32dbc2f10da

x-pack/plugin/identity-provider/licenses/shibboleth-LICENSE.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

x-pack/plugin/identity-provider/licenses/slf4j-api-1.6.2.jar.sha1

@@ -0,0 +1 @@
+8619e95939167fb37245b5670135e4feb0ec7d50

x-pack/plugin/identity-provider/licenses/slf4j-api-LICENSE.txt

@@ -0,0 +1,21 @@
+ Copyright (c) 2004-2017 QOS.ch
+ All rights reserved.
+
+ Permission is hereby granted, free  of charge, to any person obtaining
+ a  copy  of this  software  and  associated  documentation files  (the
+ "Software"), to  deal in  the Software without  restriction, including
+ without limitation  the rights to  use, copy, modify,  merge, publish,
+ distribute,  sublicense, and/or sell  copies of  the Software,  and to
+ permit persons to whom the Software  is furnished to do so, subject to
+ the following conditions:
+ 
+ The  above  copyright  notice  and  this permission  notice  shall  be
+ included in all copies or substantial portions of the Software.
+ 
+ THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
+ EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
+ MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

x-pack/plugin/identity-provider/licenses/xmlsec-2.1.4.jar.sha1

@@ -0,0 +1 @@
+cb43326f02e3e77526c24269c8b5d3cc3f7f6653

x-pack/plugin/identity-provider/licenses/xmlsec-LICENSE.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

x-pack/plugin/identity-provider/licenses/xmlsec-NOTICE.txt

@@ -0,0 +1,9 @@
+
+Apache XML Security for Java
+Copyright 2000-2016 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+
+

x-pack/plugin/identity-provider/qa/idp-rest-tests/build.gradle

@@ -0,0 +1,33 @@
+apply plugin: 'elasticsearch.testclusters'
+apply plugin: 'elasticsearch.standalone-rest-test'
+apply plugin: 'elasticsearch.rest-test'
+
+dependencies {
+  testCompile project(path: xpackModule('core'), configuration: 'default')
+  testCompile project(path: xpackModule('identity-provider'), configuration: 'default')
+  testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
+}
+
+testClusters.integTest {
+  testDistribution = 'DEFAULT'
+
+  setting 'xpack.license.self_generated.type', 'trial'
+
+  setting 'xpack.idp.enabled', 'true'
+  setting 'xpack.idp.entity_id', 'https://idp.test.es.elasticsearch.org/'
+  setting 'xpack.idp.sso_endpoint.redirect', 'http://idp.test.es.elasticsearch.org/test/saml/redirect'
+  setting 'xpack.idp.signing.certificate', 'idp-sign.crt'
+  setting 'xpack.idp.signing.key', 'idp-sign.key'
+  setting 'xpack.idp.privileges.application', 'elastic-cloud'
+
+  setting 'xpack.security.enabled', 'true'
+  setting 'xpack.security.authc.token.enabled', 'true'
+  setting 'xpack.security.authc.api_key.enabled', 'true'
+
+  extraConfigFile 'roles.yml', file('src/test/resources/roles.yml')
+  extraConfigFile 'idp-sign.crt', file('src/test/resources/idp-sign.crt')
+  extraConfigFile 'idp-sign.key', file('src/test/resources/idp-sign.key')
+
+  user username: "admin_user", password: "admin-password"
+  user username: "idp_user", password: "idp-password", role: "idp_role"
+}

x-pack/plugin/identity-provider/qa/idp-rest-tests/src/test/java/org/elasticsearch/xpack/idp/IdpRestTestCase.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp;
+
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.test.rest.ESRestTestCase;
+
+import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
+
+public abstract class IdpRestTestCase extends ESRestTestCase {
+
+    @Override
+    protected Settings restAdminSettings() {
+        String token = basicAuthHeaderValue("admin_user", new SecureString("admin-password".toCharArray()));
+        return Settings.builder()
+            .put(ThreadContext.PREFIX + ".Authorization", token)
+            .build();
+    }
+
+    @Override
+    protected Settings restClientSettings() {
+        String token = basicAuthHeaderValue("idp_user", new SecureString("idp-password".toCharArray()));
+        return Settings.builder()
+            .put(ThreadContext.PREFIX + ".Authorization", token)
+            .build();
+    }
+}

x-pack/plugin/identity-provider/qa/idp-rest-tests/src/test/java/org/elasticsearch/xpack/idp/ManageServiceProviderRestIT.java

@@ -0,0 +1,138 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp;
+
+import org.elasticsearch.action.support.WriteRequest.RefreshPolicy;
+import org.elasticsearch.client.Request;
+import org.elasticsearch.client.Response;
+import org.elasticsearch.client.ResponseException;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.xcontent.ObjectPath;
+import org.elasticsearch.common.xcontent.json.JsonXContent;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderIndex;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderIndex.DocumentVersion;
+
+import java.io.IOException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.util.Map;
+
+import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.greaterThanOrEqualTo;
+import static org.hamcrest.Matchers.instanceOf;
+import static org.hamcrest.Matchers.notNullValue;
+
+public class ManageServiceProviderRestIT extends IdpRestTestCase {
+
+    // From build.gradle
+    private final String IDP_ENTITY_ID = "https://idp.test.es.elasticsearch.org/";
+    // From SAMLConstants
+    private final String REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
+
+    public void testCreateAndDeleteServiceProvider() throws Exception {
+        final String entityId = "ec:" + randomAlphaOfLength(8) + ":" + randomAlphaOfLength(12);
+        final Map<String, Object> request = Map.ofEntries(
+            Map.entry("name", "Test SP"),
+            Map.entry("acs", "https://sp1.test.es.elasticsearch.org/saml/acs"),
+            Map.entry("privileges", Map.ofEntries(
+                Map.entry("resource", entityId),
+                Map.entry("roles", Map.of("superuser", "role:superuser", "viewer", "role:viewer"))
+            )),
+            Map.entry("attributes", Map.ofEntries(
+                Map.entry("principal", "https://idp.test.es.elasticsearch.org/attribute/principal"),
+                Map.entry("name", "https://idp.test.es.elasticsearch.org/attribute/name"),
+                Map.entry("email", "https://idp.test.es.elasticsearch.org/attribute/email"),
+                Map.entry("roles", "https://idp.test.es.elasticsearch.org/attribute/roles")
+            )));
+        final DocumentVersion docVersion = createServiceProvider(entityId, request);
+        checkIndexDoc(docVersion);
+        ensureGreen(SamlServiceProviderIndex.INDEX_NAME);
+        getMetaData(entityId);
+        deleteServiceProvider(entityId, docVersion);
+        expectThrows(ResponseException.class, () -> getMetaData(entityId));
+        expectThrows(ResponseException.class, () -> deleteServiceProvider(entityId, docVersion));
+    }
+
+    private DocumentVersion createServiceProvider(String entityId, Map<String, Object> body) throws IOException {
+        final Request request = new Request("PUT", "/_idp/saml/sp/" + encode(entityId) + "?refresh=" + RefreshPolicy.IMMEDIATE.getValue());
+        final String entity = Strings.toString(JsonXContent.contentBuilder().map(body));
+        request.setJsonEntity(entity);
+        final Response response = client().performRequest(request);
+        final Map<String, Object> map = entityAsMap(response);
+        assertThat(ObjectPath.eval("service_provider.entity_id", map), equalTo(entityId));
+        assertThat(ObjectPath.eval("service_provider.enabled", map), equalTo(true));
+
+        final Object docId = ObjectPath.eval("document._id", map);
+        final Object seqNo = ObjectPath.eval("document._seq_no", map);
+        final Object primaryTerm = ObjectPath.eval("document._primary_term", map);
+        assertThat(docId, instanceOf(String.class));
+        assertThat(seqNo, instanceOf(Number.class));
+        assertThat(primaryTerm, instanceOf(Number.class));
+        return new DocumentVersion((String) docId, asLong(primaryTerm), asLong(seqNo));
+    }
+
+    private void checkIndexDoc(DocumentVersion docVersion) throws IOException {
+        final Request request = new Request("GET", SamlServiceProviderIndex.INDEX_NAME + "/_doc/" + docVersion.id);
+        final Response response = adminClient().performRequest(request);
+        final Map<String, Object>
+            map = entityAsMap(response);
+        assertThat(map.get("_index"), equalTo(SamlServiceProviderIndex.INDEX_NAME));
+        assertThat(map.get("_id"), equalTo(docVersion.id));
+        assertThat(asLong(map.get("_seq_no")), equalTo(docVersion.seqNo));
+        assertThat(asLong(map.get("_primary_term")), equalTo(docVersion.primaryTerm));
+    }
+
+    private void deleteServiceProvider(String entityId, DocumentVersion version) throws IOException {
+        final Response response = client().performRequest(new Request("DELETE",
+            "/_idp/saml/sp/" + encode(entityId) + "?refresh=" + RefreshPolicy.IMMEDIATE.getValue()));
+        final Map<String, Object> map = entityAsMap(response);
+
+        assertThat(ObjectPath.eval("document._id", map), equalTo(version.id));
+
+        Long seqNo = asLong(ObjectPath.eval("document._seq_no", map));
+        Long primaryTerm = asLong(ObjectPath.eval("document._primary_term", map));
+        if (primaryTerm == version.primaryTerm) {
+            assertThat(seqNo, greaterThanOrEqualTo(version.seqNo));
+        } else {
+            assertThat(primaryTerm, greaterThanOrEqualTo(version.primaryTerm));
+        }
+
+        assertThat(ObjectPath.eval("service_provider.entity_id", map), equalTo(entityId));
+    }
+
+    private void getMetaData(String entityId) throws IOException {
+        final Map<String, Object> map = getAsMap("/_idp/saml/metadata/" + encode(entityId));
+        assertThat(map, notNullValue());
+        assertThat(map.keySet(), containsInAnyOrder("metadata"));
+        final Object metadata = map.get("metadata");
+        assertThat(metadata, notNullValue());
+        assertThat(metadata, instanceOf(String.class));
+        assertThat((String) metadata, containsString(IDP_ENTITY_ID));
+        assertThat((String) metadata, containsString(REDIRECT_BINDING));
+    }
+
+    private String encode(String param) {
+        return URLEncoder.encode(param, StandardCharsets.UTF_8);
+    }
+
+    private Long asLong(Object val) {
+        if (val == null) {
+            return null;
+        }
+        if (val instanceof Long) {
+            return (Long) val;
+        }
+        if (val instanceof Number) {
+            return ((Number) val).longValue();
+        }
+        if (val instanceof String) {
+            return Long.parseLong((String) val);
+        }
+        throw new IllegalArgumentException("Value [" + val + "] of type [" + val.getClass() + "] is not a Long");
+    }
+}

x-pack/plugin/identity-provider/qa/idp-rest-tests/src/test/resources/idp-sign.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoDCCAoigAwIBAgIVAPVpXjny5MCPPsCCGvInDfZQu+4JMA0GCSqGSIb3DQEB
+CwUAMF8xEzARBgoJkiaJk/IsZAEZFgNvcmcxHTAbBgoJkiaJk/IsZAEZFg1lbGFz
+dGljc2VhcmNoMQswCQYDVQQLEwJlczENMAsGA1UECxMEdGVzdDENMAsGA1UEAxME
+c2lnbjAeFw0yMDAzMTMwNDAzNDFaFw00NzA3MjkwNDAzNDFaMF8xEzARBgoJkiaJ
+k/IsZAEZFgNvcmcxHTAbBgoJkiaJk/IsZAEZFg1lbGFzdGljc2VhcmNoMQswCQYD
+VQQLEwJlczENMAsGA1UECxMEdGVzdDENMAsGA1UEAxMEc2lnbjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAI/JK5IlwBixo2mqX8wDnH2F+tXDJKU8uNez
+oulYFVMp17iK41sOIwCInd6DGDJPkgIIkobnmp3gDgnLckzApC8Ck9xmnjmEQdg+
+gZO1gtgBVU6Lj8haCzPUMVszGodlraeaRMTIBrNG6GPMo/PN5hj2vyC383jiDlE9
+K3I+Y0rxhnPj6Ic3aTO/bXiMG4FiIvag/ViITnvkL1mREwF9JER40dgQoaJJJFTf
+jcWYnd1q9FDlIhylj2KJwXhOkSZ5znGM93b3GZ5VZUm8zzMlq/RzyywDet2jyOSr
+Bn9X3lrp0fPjfhTW+O/+2G/k6bVP29BYJ5Im+JVjjaYbYFI5pQ0CAwEAAaNTMFEw
+HQYDVR0OBBYEFEghxQTreebAJEak+zywt5B/LpaLMB8GA1UdIwQYMBaAFEghxQTr
+eebAJEak+zywt5B/LpaLMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQAD
+ggEBACtGNnaUK4UtKPOSg7fOW3/tIJoPhriuSlAdqQxNRYjkdmPJsY7Gra/kikCm
+0dRUbttMTfOqwZwu5KdKJUo3duXKpRVK3emFDixM8FxFbhtA19+Newzcp6mS0K0T
+4wqAI5jH/a+eHJb6hDWuCrm9RICxXwqpUdn3HfJrYQzsOCuecTAy60jfxjjZeZxA
+MRIARkhaHQeOdX3rg5v9kWzFXRD0Y7nlqqqCa0el2gs9yZqjDYRMFzz8z4qN9q2N
+zjohhxgIwuWK+0R6qOIg3XK53kdh6YjgWqlGn1aX9z7ztqlDmiD7LIsPgWL2BARh
+WOexDVOg4wTpACOt4c84VVAVt98=
+-----END CERTIFICATE-----

x-pack/plugin/identity-provider/qa/idp-rest-tests/src/test/resources/idp-sign.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAj8krkiXAGLGjaapfzAOcfYX61cMkpTy417Oi6VgVUynXuIrj
+Ww4jAIid3oMYMk+SAgiShueaneAOCctyTMCkLwKT3GaeOYRB2D6Bk7WC2AFVTouP
+yFoLM9QxWzMah2Wtp5pExMgGs0boY8yj883mGPa/ILfzeOIOUT0rcj5jSvGGc+Po
+hzdpM79teIwbgWIi9qD9WIhOe+QvWZETAX0kRHjR2BChokkkVN+NxZid3Wr0UOUi
+HKWPYonBeE6RJnnOcYz3dvcZnlVlSbzPMyWr9HPLLAN63aPI5KsGf1feWunR8+N+
+FNb47/7Yb+TptU/b0Fgnkib4lWONphtgUjmlDQIDAQABAoIBAFxba5FEjk9OSxjk
+RwRUjYBTPvtvjWpVxqVGza301j3E8rum+sLSIcmF92Gl8zTdx3tm5jehLL+b22iP
+Nav3UX6guTko8RkgyuqLu8+VF6aHtLPvETwwGmIAOnPKL5Aoz5KIlQORODyPn1X7
+bJR9/P6r/7iUb9+F1Ix6Lh4D1OOdqDKuEyIJBOjMuxtECq15tth6Ufmvp5mupT4x
+J5z9RqX36hoOWf4NvAv2YochDSvjYHZMVXsYgu2445ws36I3MGnMuIixDdvVbbtx
+NkUup+tNOZA2669OKwH+D71MGVKKiPq1W5R6J0LuBKdai1LgNLfFcNB27mcOXwaL
+BdRd6EECgYEA1lZYvobU27TdQkA/s+PaUAKw/3/tF/9sVe5V2vA4n15Fgd8KY3BO
+LzPSehBL1EOnyLccKi1K7PHOC/3NrM5Hxon9R5SIY5L8hfK1hVVONdUFgAsElzlf
+OOhsmRXs3Qq1qVfzW7ViipOUTGOYbTo7wSFZr9+rdh2WolhestmCFgMCgYEAq7wb
+VFOyyL267r9CvFsMB8Yy3xMTFJGLadVZJw0N0Em/nt9JEHxFhrr3lSJaYjAW+BHG
+82n3TUODdejwCSFGpI3E/nibhvgopmnQZm8uE8mtULDN388eKbh3iGR7He2dLJEM
+5bG8p5eLGM99god2hu54VYIsgf5jT2WcsAFOM68CgYAjPHK+b8ASlntBZvqSAkVj
+ne2nM0qxBUa0Ichvg8prOL5IiXhVvKK909EoTAGLVcwBjUjODkAhD+eFxSXI4Oif
+1ROUbvC1HfbxtmLtFocTBoAu+qC4k6/51Qv1ZstX02jl/BV/4CPhED3zCPSIEGi+
+aVMrPKQdeOPIsKpw0J04LQKBgCbRqGPRX5JcwMqC1TT6Z6fCN3GRQDjgBWFw5mwb
+WUoBwZzJ4Bwn2xdvX9OIJmIXeLmuWwhepZYDcs3OT6Pgr7U2jpbu8Ej8A0RKmt7s
+tr+mUNTygjba/Hh1yB8+h03mjiaqyv2IxZokeT6seDRvJm2trem2ORVRSWWDFH38
+bY7lAoGAGTsziUtoWbuly66fBjT7XTYDiKgYqn7xz4vyH+KoQ1meqpRqvuC8jkEn
+Ai2ne441btCrsZsH44msc/ss543XHv+Ybqp4aNK0VU72lsYcSMGYtsWCpDAGkZU0
+4zjkGDa+AzdAf2XDAsL+SiaMuDJ8wKovfLpgCkoryQ0Iwdfjkh0=
+-----END RSA PRIVATE KEY-----

x-pack/plugin/identity-provider/qa/idp-rest-tests/src/test/resources/roles.yml

@@ -0,0 +1,6 @@
+# A basic role that is used to call the IdP's APIs
+idp_role:
+  cluster:
+    - monitor
+    - "cluster:admin/idp/*"
+

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/IdentityProviderPlugin.java

@@ -0,0 +1,160 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.client.Client;
+import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
+import org.elasticsearch.cluster.node.DiscoveryNodes;
+import org.elasticsearch.cluster.service.ClusterService;
+import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
+import org.elasticsearch.common.settings.ClusterSettings;
+import org.elasticsearch.common.settings.IndexScopedSettings;
+import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.settings.SettingsFilter;
+import org.elasticsearch.common.xcontent.NamedXContentRegistry;
+import org.elasticsearch.env.Environment;
+import org.elasticsearch.env.NodeEnvironment;
+import org.elasticsearch.license.XPackLicenseState;
+import org.elasticsearch.plugins.ActionPlugin;
+import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.rest.RestController;
+import org.elasticsearch.rest.RestHandler;
+import org.elasticsearch.script.ScriptService;
+import org.elasticsearch.threadpool.ThreadPool;
+import org.elasticsearch.watcher.ResourceWatcherService;
+import org.elasticsearch.xpack.core.XPackPlugin;
+import org.elasticsearch.xpack.core.security.SecurityContext;
+import org.elasticsearch.xpack.core.ssl.X509KeyPairSettings;
+import org.elasticsearch.xpack.idp.action.DeleteSamlServiceProviderAction;
+import org.elasticsearch.xpack.idp.action.PutSamlServiceProviderAction;
+import org.elasticsearch.xpack.idp.action.SamlInitiateSingleSignOnAction;
+import org.elasticsearch.xpack.idp.action.SamlMetadataAction;
+import org.elasticsearch.xpack.idp.action.SamlValidateAuthnRequestAction;
+import org.elasticsearch.xpack.idp.action.TransportDeleteSamlServiceProviderAction;
+import org.elasticsearch.xpack.idp.action.TransportPutSamlServiceProviderAction;
+import org.elasticsearch.xpack.idp.action.TransportSamlInitiateSingleSignOnAction;
+import org.elasticsearch.xpack.idp.action.TransportSamlMetadataAction;
+import org.elasticsearch.xpack.idp.action.TransportSamlValidateAuthnRequestAction;
+import org.elasticsearch.xpack.idp.privileges.UserPrivilegeResolver;
+import org.elasticsearch.xpack.idp.saml.rest.action.RestDeleteSamlServiceProviderAction;
+import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
+import org.elasticsearch.xpack.idp.saml.sp.ServiceProviderDefaults;
+import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProviderBuilder;
+import org.elasticsearch.xpack.idp.saml.rest.action.RestSamlMetadataAction;
+import org.elasticsearch.xpack.idp.saml.rest.action.RestSamlInitiateSingleSignOnAction;
+import org.elasticsearch.xpack.idp.saml.rest.action.RestSamlValidateAuthenticationRequestAction;
+import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
+import org.elasticsearch.xpack.idp.saml.support.SamlInit;
+import org.elasticsearch.xpack.idp.saml.rest.action.RestPutSamlServiceProviderAction;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderIndex;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderResolver;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.function.Supplier;
+
+/**
+ * This plugin provides the backend for an IdP built on top of Elasticsearch security features.
+ * It is used internally within Elastic and is not intended for general use.
+ */
+public class IdentityProviderPlugin extends Plugin implements ActionPlugin {
+
+    private static final Setting<Boolean> ENABLED_SETTING = Setting.boolSetting("xpack.idp.enabled", false, Setting.Property.NodeScope);
+
+    private final Logger logger = LogManager.getLogger();
+    private boolean enabled;
+    private Settings settings;
+
+    @Override
+    public Collection<Object> createComponents(Client client, ClusterService clusterService, ThreadPool threadPool,
+                                               ResourceWatcherService resourceWatcherService, ScriptService scriptService,
+                                               NamedXContentRegistry xContentRegistry, Environment environment,
+                                               NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry,
+                                               IndexNameExpressionResolver indexNameExpressionResolver) {
+        settings = environment.settings();
+        enabled = ENABLED_SETTING.get(settings);
+        if (enabled == false) {
+            return List.of();
+        }
+
+        SamlInit.initialize();
+        final SamlServiceProviderIndex index = new SamlServiceProviderIndex(client, clusterService);
+        final SecurityContext securityContext = new SecurityContext(settings, threadPool.getThreadContext());
+        final UserPrivilegeResolver userPrivilegeResolver = new UserPrivilegeResolver(client, securityContext);
+
+
+        final ServiceProviderDefaults serviceProviderDefaults = ServiceProviderDefaults.forSettings(settings);
+        final SamlServiceProviderResolver resolver = new SamlServiceProviderResolver(settings, index, serviceProviderDefaults);
+        final SamlIdentityProvider idp = SamlIdentityProvider.builder(resolver)
+            .fromSettings(environment)
+            .serviceProviderDefaults(serviceProviderDefaults)
+            .build();
+
+        final SamlFactory factory = new SamlFactory();
+
+        return List.of(
+            index,
+            idp,
+            factory,
+            userPrivilegeResolver
+        );
+    }
+
+    @Override
+    public List<ActionHandler<? extends ActionRequest, ? extends ActionResponse>> getActions() {
+        if (enabled == false) {
+            return List.of();
+        }
+        return List.of(
+            new ActionHandler<>(SamlInitiateSingleSignOnAction.INSTANCE, TransportSamlInitiateSingleSignOnAction.class),
+            new ActionHandler<>(SamlValidateAuthnRequestAction.INSTANCE, TransportSamlValidateAuthnRequestAction.class),
+            new ActionHandler<>(SamlMetadataAction.INSTANCE, TransportSamlMetadataAction.class),
+            new ActionHandler<>(PutSamlServiceProviderAction.INSTANCE, TransportPutSamlServiceProviderAction.class),
+            new ActionHandler<>(DeleteSamlServiceProviderAction.INSTANCE, TransportDeleteSamlServiceProviderAction.class)
+        );
+    }
+
+    @Override
+    public List<RestHandler> getRestHandlers(Settings settings, RestController restController, ClusterSettings clusterSettings,
+                                             IndexScopedSettings indexScopedSettings, SettingsFilter settingsFilter,
+                                             IndexNameExpressionResolver indexNameExpressionResolver,
+                                             Supplier<DiscoveryNodes> nodesInCluster) {
+        if (enabled == false) {
+            return List.of();
+        }
+        return List.of(
+            new RestSamlInitiateSingleSignOnAction(getLicenseState()),
+            new RestSamlValidateAuthenticationRequestAction(getLicenseState()),
+            new RestSamlMetadataAction(getLicenseState()),
+            new RestPutSamlServiceProviderAction(getLicenseState()),
+            new RestDeleteSamlServiceProviderAction(getLicenseState())
+        );
+    }
+
+    @Override
+    public List<Setting<?>> getSettings() {
+        List<Setting<?>> settings = new ArrayList<>();
+        settings.add(ENABLED_SETTING);
+        settings.addAll(SamlIdentityProviderBuilder.getSettings());
+        settings.addAll(ServiceProviderDefaults.getSettings());
+        settings.addAll(X509KeyPairSettings.withPrefix("xpack.idp.signing.", false).getAllSettings());
+        settings.addAll(X509KeyPairSettings.withPrefix("xpack.idp.metadata_signing.", false).getAllSettings());
+        return Collections.unmodifiableList(settings);
+    }
+
+    protected XPackLicenseState getLicenseState() {
+        return XPackPlugin.getSharedLicenseState();
+    }
+
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/DeleteSamlServiceProviderAction.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionType;
+
+/**
+ * Action to remove a service provider from the IdP.
+ */
+public class DeleteSamlServiceProviderAction extends ActionType<DeleteSamlServiceProviderResponse> {
+
+    public static final String NAME = "cluster:admin/idp/saml/sp/delete";
+    public static final DeleteSamlServiceProviderAction INSTANCE = new DeleteSamlServiceProviderAction(NAME);
+
+    public DeleteSamlServiceProviderAction(String name) {
+        super(name, DeleteSamlServiceProviderResponse::new);
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/DeleteSamlServiceProviderRequest.java

@@ -0,0 +1,79 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+import java.util.Objects;
+
+import static org.elasticsearch.action.ValidateActions.addValidationError;
+
+/**
+ * Request object to remove a service provider (by Entity ID) from the IdP.
+ */
+public class DeleteSamlServiceProviderRequest extends ActionRequest {
+
+    private final String entityId;
+    private final WriteRequest.RefreshPolicy refreshPolicy;
+
+    public DeleteSamlServiceProviderRequest(String entityId, WriteRequest.RefreshPolicy refreshPolicy) {
+        this.entityId = entityId;
+        this.refreshPolicy = Objects.requireNonNull(refreshPolicy, "Refresh policy may not be null");
+    }
+
+    public DeleteSamlServiceProviderRequest(StreamInput in) throws IOException {
+        this.entityId = in.readString();
+        this.refreshPolicy = WriteRequest.RefreshPolicy.readFrom(in);
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeString(entityId);
+        refreshPolicy.writeTo(out);
+    }
+
+    public String getEntityId() {
+        return entityId;
+    }
+
+    public WriteRequest.RefreshPolicy getRefreshPolicy() {
+        return refreshPolicy;
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        ActionRequestValidationException validationException = null;
+        if (Strings.isNullOrEmpty(entityId)) {
+            validationException = addValidationError("The Service Provider Entity ID is required", validationException);
+        }
+        return validationException;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        final DeleteSamlServiceProviderRequest that = (DeleteSamlServiceProviderRequest) o;
+        return Objects.equals(entityId, that.entityId);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(entityId, refreshPolicy);
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + "{" + entityId + "," + refreshPolicy + "}";
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/DeleteSamlServiceProviderResponse.java

@@ -0,0 +1,99 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.action.delete.DeleteResponse;
+import org.elasticsearch.common.Nullable;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.common.xcontent.ToXContentObject;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+
+import java.io.IOException;
+import java.util.Objects;
+
+import static org.elasticsearch.index.seqno.SequenceNumbers.UNASSIGNED_PRIMARY_TERM;
+import static org.elasticsearch.index.seqno.SequenceNumbers.UNASSIGNED_SEQ_NO;
+
+/**
+ * Response object after removing a service provider from the IdP.
+ */
+public class DeleteSamlServiceProviderResponse extends ActionResponse implements ToXContentObject {
+
+    private final String docId;
+    private final long seqNo;
+    private final long primaryTerm;
+    private final String entityId;
+
+    public DeleteSamlServiceProviderResponse(String docId, long seqNo, long primaryTerm, String entityId) {
+        this.docId = docId;
+        this.seqNo = seqNo;
+        this.primaryTerm = primaryTerm;
+        this.entityId = Objects.requireNonNull(entityId, "Entity Id cannot be null");
+    }
+
+    public DeleteSamlServiceProviderResponse(DeleteResponse deleteResponse, String entityId) {
+        this(deleteResponse == null ? null : deleteResponse.getId(),
+            deleteResponse == null ? UNASSIGNED_SEQ_NO : deleteResponse.getSeqNo(),
+            deleteResponse == null ? UNASSIGNED_PRIMARY_TERM : deleteResponse.getPrimaryTerm(),
+            entityId);
+    }
+
+    public DeleteSamlServiceProviderResponse(StreamInput in) throws IOException {
+        docId = in.readString();
+        seqNo = in.readZLong();
+        primaryTerm = in.readVLong();
+        entityId = in.readString();
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeString(docId);
+        out.writeZLong(seqNo);
+        out.writeVLong(primaryTerm);
+        out.writeString(entityId);
+    }
+
+    @Nullable
+    public String getDocId() {
+        return docId;
+    }
+
+    public long getSeqNo() {
+        return seqNo;
+    }
+
+    public long getPrimaryTerm() {
+        return primaryTerm;
+    }
+
+    public String getEntityId() {
+        return entityId;
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        builder.startObject();
+
+        builder.startObject("document");
+        builder.field("_id", docId);
+        builder.field("_seq_no", seqNo);
+        builder.field("_primary_term", primaryTerm);
+        builder.endObject();
+
+        builder.startObject("service_provider");
+        builder.field("entity_id", entityId);
+        builder.endObject();
+
+        return builder.endObject();
+    }
+
+    public boolean found() {
+        return docId != null;
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/PutSamlServiceProviderAction.java

@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionType;
+
+public class PutSamlServiceProviderAction extends ActionType<PutSamlServiceProviderResponse> {
+
+    public static final String NAME = "cluster:admin/idp/saml/sp/put";
+    public static final PutSamlServiceProviderAction INSTANCE = new PutSamlServiceProviderAction(NAME);
+
+    public PutSamlServiceProviderAction(String name) {
+        super(name, PutSamlServiceProviderResponse::new);
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/PutSamlServiceProviderRequest.java

@@ -0,0 +1,138 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.ElasticsearchParseException;
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.ValidationException;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.common.xcontent.XContentParser;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderDocument;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Objects;
+
+import static org.elasticsearch.action.ValidateActions.addValidationError;
+
+public class PutSamlServiceProviderRequest extends ActionRequest {
+    public static final WriteRequest.RefreshPolicy DEFAULT_REFRESH_POLICY = WriteRequest.RefreshPolicy.NONE;
+
+    private final SamlServiceProviderDocument document;
+    private final WriteRequest.RefreshPolicy refreshPolicy;
+
+    public static PutSamlServiceProviderRequest fromXContent(String entityId, WriteRequest.RefreshPolicy refreshPolicy,
+                                                             XContentParser parser) throws IOException {
+        final SamlServiceProviderDocument document = SamlServiceProviderDocument.fromXContent(null, parser);
+        if (document.entityId == null) {
+            document.setEntityId(entityId);
+        } else if (entityId != null) {
+            if (entityId.equals(document.entityId) == false) {
+                throw new ElasticsearchParseException(
+                    "Entity id [{}] inside request body and entity id [{}] from parameter do not match", document.entityId, entityId);
+            }
+        }
+        if (document.created != null) {
+            throw new ElasticsearchParseException(
+                "Field [{}] may not be specified in a request", SamlServiceProviderDocument.Fields.CREATED_DATE);
+        }
+        if (document.lastModified != null) {
+            throw new ElasticsearchParseException(
+                "Field [{}] may not be specified in a request", SamlServiceProviderDocument.Fields.LAST_MODIFIED);
+        }
+        document.setCreatedMillis(System.currentTimeMillis());
+        document.setLastModifiedMillis(System.currentTimeMillis());
+        return new PutSamlServiceProviderRequest(document, refreshPolicy);
+    }
+
+    public PutSamlServiceProviderRequest(SamlServiceProviderDocument document, WriteRequest.RefreshPolicy refreshPolicy) {
+        this.document = document;
+        this.refreshPolicy = refreshPolicy;
+    }
+
+    public PutSamlServiceProviderRequest(StreamInput in) throws IOException {
+        this.document = new SamlServiceProviderDocument(in);
+        this.refreshPolicy = WriteRequest.RefreshPolicy.readFrom(in);
+    }
+
+    public WriteRequest.RefreshPolicy getRefreshPolicy() {
+        return refreshPolicy;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        document.writeTo(out);
+        refreshPolicy.writeTo(out);
+    }
+
+    public SamlServiceProviderDocument getDocument() {
+        return document;
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        final ValidationException docException = document.validate();
+        ActionRequestValidationException validationException = null;
+        if (docException != null) {
+            validationException = new ActionRequestValidationException();
+            validationException.addValidationErrors(docException.validationErrors());
+        }
+
+        if (Strings.hasText(document.acs)) { // if this is blank the document validation will fail
+            try {
+                final URL url = new URL(document.acs);
+                if (url.getProtocol().equals("https") == false) {
+                    validationException = addValidationError(
+                        "[" + SamlServiceProviderDocument.Fields.ACS + "] must use the [https] protocol", validationException);
+                }
+            } catch (MalformedURLException e) {
+                String error = "[" + SamlServiceProviderDocument.Fields.ACS + "] must be a valid URL";
+                if (e.getMessage() != null) {
+                    error += " - " + e.getMessage();
+                }
+                validationException = addValidationError(error, validationException);
+            }
+        }
+
+        if (document.certificates.identityProviderSigning.isEmpty() == false) {
+            validationException = addValidationError(
+                "[" + SamlServiceProviderDocument.Fields.Certificates.IDP_SIGNING + "] certificates may not be specified",
+                validationException);
+        }
+
+        if (document.certificates.identityProviderMetadataSigning.isEmpty() == false) {
+            validationException = addValidationError(
+                "[" + SamlServiceProviderDocument.Fields.Certificates.IDP_METADATA + "] certificates may not be specified",
+                validationException);
+        }
+
+        return validationException;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        final PutSamlServiceProviderRequest that = (PutSamlServiceProviderRequest) o;
+        return Objects.equals(document, that.document);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(document);
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + "{" + document + "}";
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/PutSamlServiceProviderResponse.java

@@ -0,0 +1,97 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.common.xcontent.ToXContentObject;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+
+import java.io.IOException;
+import java.util.Objects;
+
+public class PutSamlServiceProviderResponse extends ActionResponse implements ToXContentObject {
+
+    private final String docId;
+    private final boolean created;
+    private final long seqNo;
+    private final long primaryTerm;
+    private final String entityId;
+    private final boolean enabled;
+
+    public PutSamlServiceProviderResponse(String docId, boolean created, long seqNo, long primaryTerm, String entityId, boolean enabled) {
+        this.docId = Objects.requireNonNull(docId, "Document Id cannot be null");
+        this.created = created;
+        this.seqNo = seqNo;
+        this.primaryTerm = primaryTerm;
+        this.entityId = Objects.requireNonNull(entityId, "Entity Id cannot be null");
+        this.enabled = enabled;
+    }
+
+    public PutSamlServiceProviderResponse(StreamInput in) throws IOException {
+        docId = in.readString();
+        created = in.readBoolean();
+        seqNo = in.readZLong();
+        primaryTerm = in.readVLong();
+        entityId = in.readString();
+        enabled = in.readBoolean();
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeString(docId);
+        out.writeBoolean(created);
+        out.writeZLong(seqNo);
+        out.writeVLong(primaryTerm);
+        out.writeString(entityId);
+        out.writeBoolean(enabled);
+    }
+
+    public String getDocId() {
+        return docId;
+    }
+
+    public boolean isCreated() {
+        return created;
+    }
+
+    public long getSeqNo() {
+        return seqNo;
+    }
+
+    public long getPrimaryTerm() {
+        return primaryTerm;
+    }
+
+    public String getEntityId() {
+        return entityId;
+    }
+
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        builder.startObject();
+
+        builder.startObject("document");
+        builder.field("_id", docId);
+        builder.field("_created", created);
+        builder.field("_seq_no", seqNo);
+        builder.field("_primary_term", primaryTerm);
+        builder.endObject();
+
+        builder.startObject("service_provider");
+        builder.field("entity_id", entityId);
+        builder.field("enabled", enabled);
+        builder.endObject();
+
+        return builder.endObject();
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/SamlInitiateSingleSignOnAction.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionType;
+
+/**
+ * ActionType to create a SAML Response in the context of IDP initiated SSO for a given SP
+ */
+public class SamlInitiateSingleSignOnAction extends ActionType<SamlInitiateSingleSignOnResponse> {
+
+    public static final String NAME = "cluster:admin/idp/saml/init";
+    public static final SamlInitiateSingleSignOnAction INSTANCE = new SamlInitiateSingleSignOnAction();
+
+    private SamlInitiateSingleSignOnAction() {
+        super(NAME, SamlInitiateSingleSignOnResponse::new);
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/SamlInitiateSingleSignOnRequest.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.ValidationException;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.xpack.idp.saml.support.SamlAuthenticationState;
+
+import static org.elasticsearch.action.ValidateActions.addValidationError;
+
+import java.io.IOException;
+
+public class SamlInitiateSingleSignOnRequest extends ActionRequest {
+
+    private String spEntityId;
+    private SamlAuthenticationState samlAuthenticationState;
+
+    public SamlInitiateSingleSignOnRequest(StreamInput in) throws IOException {
+        super(in);
+        spEntityId = in.readString();
+        samlAuthenticationState = in.readOptionalWriteable(SamlAuthenticationState::new);
+    }
+
+    public SamlInitiateSingleSignOnRequest() {
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        ActionRequestValidationException validationException = null;
+        if (Strings.isNullOrEmpty(spEntityId)) {
+            validationException = addValidationError("entity_id is missing", validationException);
+        }
+        if (samlAuthenticationState != null) {
+            final ValidationException authnStateException = samlAuthenticationState.validate();
+            if (validationException != null) {
+                ActionRequestValidationException actionRequestValidationException = new ActionRequestValidationException();
+                actionRequestValidationException.addValidationErrors(authnStateException.validationErrors());
+                validationException = addValidationError("entity_id is missing", actionRequestValidationException);
+            }
+        }
+        return validationException;
+    }
+
+    public String getSpEntityId() {
+        return spEntityId;
+    }
+
+    public void setSpEntityId(String spEntityId) {
+        this.spEntityId = spEntityId;
+    }
+
+    public SamlAuthenticationState getSamlAuthenticationState() {
+        return samlAuthenticationState;
+    }
+
+    public void setSamlAuthenticationState(SamlAuthenticationState samlAuthenticationState) {
+        this.samlAuthenticationState = samlAuthenticationState;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(spEntityId);
+        out.writeOptionalWriteable(samlAuthenticationState);
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + "{spEntityId='" + spEntityId + "'}";
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/SamlInitiateSingleSignOnResponse.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+
+public class SamlInitiateSingleSignOnResponse extends ActionResponse {
+
+    private String postUrl;
+    private String samlResponse;
+    private String entityId;
+
+    public SamlInitiateSingleSignOnResponse(StreamInput in) throws IOException {
+        super(in);
+        this.postUrl = in.readString();
+        this.samlResponse = in.readString();
+        this.entityId = in.readString();
+    }
+
+    public SamlInitiateSingleSignOnResponse(String postUrl, String samlResponse, String entityId) {
+        this.postUrl = postUrl;
+        this.samlResponse = samlResponse;
+        this.entityId = entityId;
+    }
+
+    public String getPostUrl() {
+        return postUrl;
+    }
+
+    public String getSamlResponse() {
+        return samlResponse;
+    }
+
+    public String getEntityId() {
+        return entityId;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeString(postUrl);
+        out.writeString(samlResponse);
+        out.writeString(entityId);
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/SamlMetadataAction.java

@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionType;
+
+public class SamlMetadataAction extends ActionType<SamlMetadataResponse> {
+
+    public static final String NAME = "cluster:admin/idp/saml/metadata";
+    public static final SamlMetadataAction INSTANCE = new SamlMetadataAction();
+
+    private SamlMetadataAction() {
+        super(NAME, SamlMetadataResponse::new);
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/SamlMetadataRequest.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.common.io.stream.StreamInput;
+
+import java.io.IOException;
+import java.util.Objects;
+
+public class SamlMetadataRequest extends ActionRequest {
+
+    private String spEntityId;
+
+    public SamlMetadataRequest(StreamInput in) throws IOException {
+        super(in);
+        spEntityId = in.readString();
+    }
+
+    public SamlMetadataRequest(String spEntityId) {
+        this.spEntityId = Objects.requireNonNull(spEntityId, "Service Provider entity id must be provided");
+    }
+
+    public SamlMetadataRequest() {
+        this.spEntityId = null;
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        return null;
+    }
+
+    public String getSpEntityId() {
+        return spEntityId;
+    }
+
+    public void setSpEntityId(String spEntityId) {
+        this.spEntityId = spEntityId;
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + "{spEntityId='" + spEntityId + "'}";
+    }
+
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/SamlMetadataResponse.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+import java.util.Objects;
+
+public class SamlMetadataResponse extends ActionResponse {
+
+    private final String xmlString;
+
+    public SamlMetadataResponse(StreamInput in) throws IOException {
+        super(in);
+        this.xmlString = in.readString();
+    }
+
+    public SamlMetadataResponse(String xmlString) {
+        this.xmlString = Objects.requireNonNull(xmlString, "Metadata XML string must be provided");
+    }
+
+    public String getXmlString() {
+        return xmlString;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeOptionalString(xmlString);
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/SamlValidateAuthnRequestAction.java

@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionType;
+
+public class SamlValidateAuthnRequestAction extends ActionType<SamlValidateAuthnRequestResponse> {
+
+    public static final String NAME = "cluster:admin/idp/saml/validate";
+    public static final SamlValidateAuthnRequestAction INSTANCE = new SamlValidateAuthnRequestAction();
+
+    private SamlValidateAuthnRequestAction() {
+        super(NAME, SamlValidateAuthnRequestResponse::new);
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/SamlValidateAuthnRequestRequest.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+
+import static org.elasticsearch.action.ValidateActions.addValidationError;
+
+public class SamlValidateAuthnRequestRequest extends ActionRequest {
+
+    private String queryString;
+
+    public SamlValidateAuthnRequestRequest(StreamInput in) throws IOException {
+        super(in);
+        queryString = in.readString();
+    }
+
+    public SamlValidateAuthnRequestRequest() {
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        ActionRequestValidationException validationException = null;
+        if (Strings.isNullOrEmpty(queryString)) {
+            validationException = addValidationError("Authentication request query string must be provided", validationException);
+        }
+        return validationException;
+    }
+
+    public String getQueryString() {
+        return queryString;
+    }
+
+    public void setQueryString(String queryString) {
+        this.queryString = queryString;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(queryString);
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + "{queryString='" + queryString + "'}";
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/SamlValidateAuthnRequestResponse.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+import java.util.Map;
+import java.util.Objects;
+
+public class SamlValidateAuthnRequestResponse extends ActionResponse {
+
+    private final String spEntityId;
+    private final boolean forceAuthn;
+    private final Map<String, Object> authnState;
+
+    public SamlValidateAuthnRequestResponse(StreamInput in) throws IOException {
+        super(in);
+        this.spEntityId = in.readString();
+        this.forceAuthn = in.readBoolean();
+        this.authnState = in.readMap();
+    }
+
+    public SamlValidateAuthnRequestResponse(String spEntityId, boolean forceAuthn, Map<String, Object> authnState) {
+        this.spEntityId = Objects.requireNonNull(spEntityId, "spEntityId is required for successful responses");
+        this.forceAuthn = forceAuthn;
+        this.authnState = Map.copyOf(Objects.requireNonNull(authnState));
+    }
+
+    public String getSpEntityId() {
+        return spEntityId;
+    }
+
+    public boolean isForceAuthn() {
+        return forceAuthn;
+    }
+
+    public Map<String, Object> getAuthnState() {
+        return authnState;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeString(spEntityId);
+        out.writeBoolean(forceAuthn);
+        out.writeMap(authnState);
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + "{ spEntityId='" + getSpEntityId() + "',\n" +
+            " forceAuthn='" + isForceAuthn() + "',\n" +
+            " authnState='" + getAuthnState() + "' }";
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/TransportDeleteSamlServiceProviderAction.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.action;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.support.ActionFilters;
+import org.elasticsearch.action.support.HandledTransportAction;
+import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.common.util.iterable.Iterables;
+import org.elasticsearch.tasks.Task;
+import org.elasticsearch.transport.TransportService;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderDocument;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderIndex;
+
+import java.util.stream.Collectors;
+
+/**
+ * Transport action to remove a service provider from the IdP
+ */
+public class TransportDeleteSamlServiceProviderAction
+    extends HandledTransportAction<DeleteSamlServiceProviderRequest, DeleteSamlServiceProviderResponse> {
+
+    private final Logger logger = LogManager.getLogger();
+    private final SamlServiceProviderIndex index;
+
+    @Inject
+    public TransportDeleteSamlServiceProviderAction(TransportService transportService, ActionFilters actionFilters,
+                                                    SamlServiceProviderIndex index) {
+        super(DeleteSamlServiceProviderAction.NAME, transportService, actionFilters, DeleteSamlServiceProviderRequest::new);
+        this.index = index;
+    }
+
+    @Override
+    protected void doExecute(Task task, final DeleteSamlServiceProviderRequest request,
+                             final ActionListener<DeleteSamlServiceProviderResponse> listener) {
+        final String entityId = request.getEntityId();
+        index.findByEntityId(entityId, ActionListener.wrap(matchingDocuments -> {
+            if (matchingDocuments.isEmpty()) {
+                listener.onResponse(new DeleteSamlServiceProviderResponse(null, entityId));
+            } else if (matchingDocuments.size() == 1) {
+                final SamlServiceProviderIndex.DocumentSupplier docInfo = Iterables.get(matchingDocuments, 0);
+                final SamlServiceProviderDocument existingDoc = docInfo.getDocument();
+                assert existingDoc.docId != null : "Loaded document with no doc id";
+                assert existingDoc.entityId.equals(entityId) : "Loaded document with non-matching entity-id";
+                logger.info("Deleting Service Provider [{}]", existingDoc);
+                index.deleteDocument(docInfo.version, request.getRefreshPolicy(), ActionListener.wrap(
+                    deleteResponse -> listener.onResponse(new DeleteSamlServiceProviderResponse(deleteResponse, entityId)),
+                    listener::onFailure
+                ));
+            } else {
+                logger.warn("Found multiple existing service providers in [{}] with entity id [{}] - [{}]",
+                    index, entityId, matchingDocuments.stream().map(d -> d.getDocument().docId).collect(Collectors.joining(",")));
+                listener.onFailure(new IllegalStateException("Multiple service providers exist with entity id [" + entityId + "]"));
+            }
+        }, listener::onFailure));
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/TransportPutSamlServiceProviderAction.java

@@ -0,0 +1,120 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.action;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.DocWriteRequest;
+import org.elasticsearch.action.DocWriteResponse;
+import org.elasticsearch.action.support.ActionFilters;
+import org.elasticsearch.action.support.HandledTransportAction;
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.common.ValidationException;
+import org.elasticsearch.common.hash.MessageDigests;
+import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.common.util.iterable.Iterables;
+import org.elasticsearch.tasks.Task;
+import org.elasticsearch.transport.TransportService;
+import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderDocument;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderIndex;
+
+import java.nio.charset.StandardCharsets;
+import java.time.Clock;
+import java.time.Instant;
+import java.util.Base64;
+import java.util.stream.Collectors;
+
+public class TransportPutSamlServiceProviderAction
+    extends HandledTransportAction<PutSamlServiceProviderRequest, PutSamlServiceProviderResponse> {
+
+    private final Logger logger = LogManager.getLogger();
+    private final SamlServiceProviderIndex index;
+    private final SamlIdentityProvider identityProvider;
+    private final Clock clock;
+
+    @Inject
+    public TransportPutSamlServiceProviderAction(TransportService transportService, ActionFilters actionFilters,
+                                                 SamlServiceProviderIndex index, SamlIdentityProvider identityProvider) {
+        this(transportService, actionFilters, index, identityProvider, Clock.systemUTC());
+    }
+
+    TransportPutSamlServiceProviderAction(TransportService transportService, ActionFilters actionFilters,
+                                          SamlServiceProviderIndex index, SamlIdentityProvider identityProvider, Clock clock) {
+        super(PutSamlServiceProviderAction.NAME, transportService, actionFilters, PutSamlServiceProviderRequest::new);
+        this.index = index;
+        this.identityProvider = identityProvider;
+        this.clock = clock;
+    }
+
+    @Override
+    protected void doExecute(Task task, final PutSamlServiceProviderRequest request,
+                             final ActionListener<PutSamlServiceProviderResponse> listener) {
+        final SamlServiceProviderDocument document = request.getDocument();
+        if (document.docId != null) {
+            listener.onFailure(new IllegalArgumentException("request document must not have an id [" + document.docId + "]"));
+            return;
+        }
+        if (document.nameIdFormat != null && identityProvider.getAllowedNameIdFormats().contains(document.nameIdFormat) == false) {
+            listener.onFailure(new IllegalArgumentException("NameID format [" + document.nameIdFormat + "] is not supported."));
+            return;
+        }
+        index.findByEntityId(document.entityId, ActionListener.wrap(matchingDocuments -> {
+            if (matchingDocuments.isEmpty()) {
+                // derive a document id from the entity id so that don't accidentally create duplicate entities due to a race condition
+                document.docId = deriveDocumentId(document);
+                // force a create in case there are concurrent requests. This way, if two nodes/threads are trying to create the SP at
+                // the same time, one will fail. That's not ideal, but it's better than having 1 silently overwrite the other.
+                writeDocument(document, DocWriteRequest.OpType.CREATE, request.getRefreshPolicy(), listener);
+            } else if (matchingDocuments.size() == 1) {
+                final SamlServiceProviderDocument existingDoc = Iterables.get(matchingDocuments, 0).getDocument();
+                assert existingDoc.docId != null : "Loaded document with no doc id";
+                assert existingDoc.entityId.equals(document.entityId) : "Loaded document with non-matching entity-id";
+                document.setDocId(existingDoc.docId);
+                document.setCreated(existingDoc.created);
+                writeDocument(document, DocWriteRequest.OpType.INDEX, request.getRefreshPolicy(), listener);
+            } else {
+                logger.warn("Found multiple existing service providers in [{}] with entity id [{}] - [{}]",
+                    index, document.entityId, matchingDocuments.stream().map(d -> d.getDocument().docId).collect(Collectors.joining(",")));
+                listener.onFailure(new IllegalStateException(
+                    "Multiple service providers already exist with entity id [" + document.entityId + "]"));
+            }
+        }, listener::onFailure));
+    }
+
+    private void writeDocument(SamlServiceProviderDocument document, DocWriteRequest.OpType opType,
+                               WriteRequest.RefreshPolicy refreshPolicy, ActionListener<PutSamlServiceProviderResponse> listener) {
+
+        final Instant now = clock.instant();
+        if (document.created == null || opType == DocWriteRequest.OpType.CREATE) {
+            document.created = now;
+        }
+        document.lastModified = now;
+        final ValidationException validationException = document.validate();
+        if (validationException != null) {
+            listener.onFailure(validationException);
+            return;
+        }
+        logger.debug("[{}] service provider [{}] in document [{}] of [{}]", opType, document.entityId, document.docId, index);
+        index.writeDocument(document, opType, refreshPolicy, ActionListener.wrap(
+            response -> listener.onResponse(new PutSamlServiceProviderResponse(
+                response.getId(),
+                response.getResult() == DocWriteResponse.Result.CREATED,
+                response.getSeqNo(),
+                response.getPrimaryTerm(),
+                document.entityId,
+                document.enabled)),
+            listener::onFailure
+        ));
+    }
+
+    private String deriveDocumentId(SamlServiceProviderDocument document) {
+        final byte[] sha256 = MessageDigests.sha256().digest(document.entityId.getBytes(StandardCharsets.UTF_8));
+        return Base64.getUrlEncoder().withoutPadding().encodeToString(sha256);
+    }
+
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/TransportSamlInitiateSingleSignOnAction.java

@@ -0,0 +1,146 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.action;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.ElasticsearchException;
+import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.support.ActionFilters;
+import org.elasticsearch.action.support.HandledTransportAction;
+import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.rest.RestStatus;
+import org.elasticsearch.tasks.Task;
+import org.elasticsearch.transport.TransportService;
+import org.elasticsearch.xpack.core.security.SecurityContext;
+import org.elasticsearch.xpack.core.security.authc.support.SecondaryAuthentication;
+import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.idp.privileges.UserPrivilegeResolver;
+import org.elasticsearch.xpack.idp.saml.authn.FailedAuthenticationResponseMessageBuilder;
+import org.elasticsearch.xpack.idp.saml.authn.SuccessfulAuthenticationResponseMessageBuilder;
+import org.elasticsearch.xpack.idp.saml.authn.UserServiceAuthentication;
+import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProvider;
+import org.elasticsearch.xpack.idp.saml.support.SamlAuthenticationState;
+import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
+import org.opensaml.saml.saml2.core.Response;
+import org.opensaml.saml.saml2.core.StatusCode;
+
+import java.time.Clock;
+
+public class TransportSamlInitiateSingleSignOnAction
+    extends HandledTransportAction<SamlInitiateSingleSignOnRequest, SamlInitiateSingleSignOnResponse> {
+
+    private final Logger logger = LogManager.getLogger(TransportSamlInitiateSingleSignOnAction.class);
+
+    private final SecurityContext securityContext;
+    private final SamlIdentityProvider identityProvider;
+    private final SamlFactory samlFactory;
+    private final UserPrivilegeResolver privilegeResolver;
+
+    @Inject
+    public TransportSamlInitiateSingleSignOnAction(TransportService transportService, ActionFilters actionFilters,
+                                                   SecurityContext securityContext, SamlIdentityProvider idp, SamlFactory factory,
+                                                   UserPrivilegeResolver privilegeResolver) {
+        super(SamlInitiateSingleSignOnAction.NAME, transportService, actionFilters, SamlInitiateSingleSignOnRequest::new);
+        this.securityContext = securityContext;
+        this.identityProvider = idp;
+        this.samlFactory = factory;
+        this.privilegeResolver = privilegeResolver;
+    }
+
+    @Override
+    protected void doExecute(Task task, SamlInitiateSingleSignOnRequest request,
+                             ActionListener<SamlInitiateSingleSignOnResponse> listener) {
+        final SamlAuthenticationState authenticationState = request.getSamlAuthenticationState();
+        identityProvider.getRegisteredServiceProvider(request.getSpEntityId(), false, ActionListener.wrap(
+            sp -> {
+                if (null == sp) {
+                    final String message = "Service Provider with Entity ID [" + request.getSpEntityId()
+                        + "] is not registered with this Identity Provider";
+                    logger.debug(message);
+                    possiblyReplyWithSamlFailure(authenticationState, StatusCode.RESPONDER, new IllegalArgumentException(message),
+                        listener);
+                    return;
+                }
+                final SecondaryAuthentication secondaryAuthentication = SecondaryAuthentication.readFromContext(securityContext);
+                if (secondaryAuthentication == null) {
+                    possiblyReplyWithSamlFailure(authenticationState,
+                        StatusCode.REQUESTER,
+                        new ElasticsearchSecurityException("Request is missing secondary authentication", RestStatus.FORBIDDEN),
+                        listener);
+                    return;
+                }
+                buildUserFromAuthentication(secondaryAuthentication, sp, ActionListener.wrap(
+                    user -> {
+                        if (user == null) {
+                            possiblyReplyWithSamlFailure(authenticationState,
+                                StatusCode.REQUESTER,
+                                new ElasticsearchSecurityException("User [{}] is not permitted to access service [{}]",
+                                    RestStatus.FORBIDDEN, secondaryAuthentication.getUser(), sp),
+                                listener);
+                            return;
+                        }
+                        final SuccessfulAuthenticationResponseMessageBuilder builder =
+                            new SuccessfulAuthenticationResponseMessageBuilder(samlFactory, Clock.systemUTC(), identityProvider);
+                        try {
+                            final Response response = builder.build(user, authenticationState);
+                            listener.onResponse(new SamlInitiateSingleSignOnResponse(
+                                user.getServiceProvider().getAssertionConsumerService().toString(),
+                                samlFactory.getXmlContent(response),
+                                user.getServiceProvider().getEntityId()));
+                        } catch (ElasticsearchException e) {
+                            listener.onFailure(e);
+                        }
+                    },
+                    e -> possiblyReplyWithSamlFailure(authenticationState, StatusCode.RESPONDER, e, listener)
+                ));
+            },
+            e -> possiblyReplyWithSamlFailure(authenticationState, StatusCode.RESPONDER, e, listener)
+        ));
+    }
+
+    private void buildUserFromAuthentication(SecondaryAuthentication secondaryAuthentication, SamlServiceProvider serviceProvider,
+                                             ActionListener<UserServiceAuthentication> listener) {
+        User user = secondaryAuthentication.getUser();
+        secondaryAuthentication.execute(ignore -> {
+                privilegeResolver.resolve(serviceProvider.getPrivileges(), ActionListener.wrap(
+                    userPrivileges -> {
+                        if (userPrivileges.hasAccess == false) {
+                            listener.onResponse(null);
+                        } else {
+                            logger.debug("Resolved [{}] for [{}]", userPrivileges, user);
+                            listener.onResponse(new UserServiceAuthentication(user.principal(), user.fullName(), user.email(),
+                                userPrivileges.roles, serviceProvider));
+                        }
+                    },
+                    listener::onFailure
+                ));
+                return null;
+            }
+        );
+    }
+
+    private void possiblyReplyWithSamlFailure(SamlAuthenticationState authenticationState, String statusCode, Exception e,
+                                              ActionListener<SamlInitiateSingleSignOnResponse> listener) {
+        if (authenticationState != null) {
+            final FailedAuthenticationResponseMessageBuilder builder =
+                new FailedAuthenticationResponseMessageBuilder(samlFactory, Clock.systemUTC(), identityProvider)
+                    .setInResponseTo(authenticationState.getAuthnRequestId())
+                    .setAcsUrl(authenticationState.getRequestedAcsUrl())
+                    .setPrimaryStatusCode(statusCode);
+            final Response response = builder.build();
+            //TODO: Log and indicate SAML Response status is failure in the response
+            listener.onResponse(new SamlInitiateSingleSignOnResponse(
+                authenticationState.getRequestedAcsUrl(),
+                samlFactory.getXmlContent(response),
+                authenticationState.getEntityId()));
+        } else {
+            listener.onFailure(e);
+        }
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/TransportSamlMetadataAction.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.support.ActionFilters;
+import org.elasticsearch.action.support.HandledTransportAction;
+import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.tasks.Task;
+import org.elasticsearch.transport.TransportService;
+import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
+import org.elasticsearch.xpack.idp.saml.idp.SamlMetadataGenerator;
+import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
+
+public class TransportSamlMetadataAction extends HandledTransportAction<SamlMetadataRequest, SamlMetadataResponse> {
+
+    private final SamlIdentityProvider identityProvider;
+    private final SamlFactory samlFactory;
+
+    @Inject
+    public TransportSamlMetadataAction(TransportService transportService, ActionFilters actionFilters,
+                                       SamlIdentityProvider idp, SamlFactory factory) {
+        super(SamlMetadataAction.NAME, transportService, actionFilters, SamlMetadataRequest::new);
+        this.identityProvider = idp;
+        this.samlFactory = factory;
+    }
+
+    @Override
+    protected void doExecute(Task task, SamlMetadataRequest request, ActionListener<SamlMetadataResponse> listener) {
+        final String spEntityId = request.getSpEntityId();
+        final SamlMetadataGenerator generator = new SamlMetadataGenerator(samlFactory, identityProvider);
+        generator.generateMetadata(spEntityId, listener);
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/TransportSamlValidateAuthnRequestAction.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.action;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.support.ActionFilters;
+import org.elasticsearch.action.support.HandledTransportAction;
+import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.tasks.Task;
+import org.elasticsearch.transport.TransportService;
+import org.elasticsearch.xpack.idp.saml.authn.SamlAuthnRequestValidator;
+import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
+import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
+
+public class TransportSamlValidateAuthnRequestAction
+    extends HandledTransportAction<SamlValidateAuthnRequestRequest, SamlValidateAuthnRequestResponse> {
+
+    private final SamlIdentityProvider identityProvider;
+    private final SamlFactory samlFactory;
+
+    @Inject
+    public TransportSamlValidateAuthnRequestAction(TransportService transportService, ActionFilters actionFilters,
+                                                   SamlIdentityProvider idp, SamlFactory factory) {
+        super(SamlValidateAuthnRequestAction.NAME, transportService, actionFilters, SamlValidateAuthnRequestRequest::new);
+        this.identityProvider = idp;
+        this.samlFactory = factory;
+    }
+
+    @Override
+    protected void doExecute(Task task, SamlValidateAuthnRequestRequest request,
+                             ActionListener<SamlValidateAuthnRequestResponse> listener) {
+        final SamlAuthnRequestValidator validator = new SamlAuthnRequestValidator(samlFactory, identityProvider);
+        try {
+            validator.processQueryString(request.getQueryString(), listener);
+        } catch (Exception e) {
+            listener.onFailure(e);
+        }
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/authc/AuthenticationMethod.java

@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.authc;
+
+/**
+ * Denotes support authentication methods for users
+ */
+public enum AuthenticationMethod {
+    PASSWORD,
+    KERBEROS,
+    TLS_CLIENT_AUTH,
+    PRIOR_SESSION,
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/authc/NetworkControl.java

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.authc;
+
+/**
+ * Denotes network based controls that were applied during authentication of a user
+ */
+public enum NetworkControl {
+    IP_FILTER,
+    TLS,
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/privileges/ServiceProviderPrivileges.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.privileges;
+
+import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
+
+import java.util.Map;
+import java.util.Objects;
+
+public class ServiceProviderPrivileges {
+
+    private final String applicationName;
+    private final String resource;
+    private final Map<String, String> roles;
+
+    public ServiceProviderPrivileges(String applicationName, String resource, Map<String, String> roles) {
+        this.applicationName = Objects.requireNonNull(applicationName, "Application name cannot be null");
+        this.resource = Objects.requireNonNull(resource, "Resource cannot be null");
+        this.roles = Map.copyOf(roles);
+    }
+
+    /**
+     * Returns the "application" (see {@link RoleDescriptor.ApplicationResourcePrivileges#getApplication()}) in the IdP's security cluster
+     * under which this service provider is defined.
+     */
+    public String getApplicationName() {
+        return applicationName;
+    }
+
+    /**
+     * Returns the "resource" (see {@link RoleDescriptor.ApplicationResourcePrivileges#getResources()}) that represents this
+     * Service Provider in the IdP's security cluster.
+     */
+    public String getResource() {
+        return resource;
+    }
+
+    /**
+     * Returns a mapping from "role name" (key) to "{@link ApplicationPrivilegeDescriptor#getActions() action name}" (value)
+     * that represents the roles that should be exposed to this Service Provider.
+     * The "role name" (but not the action name) will be provided to the service provider.
+     * These roles have no semantic meaning within the IdP, they are simply metadata that we pass to the Service Provider. They may not
+     * have any relationship to the roles that the user has in this cluster, and the service provider may refer to them using a different
+     * terminology (e.g. "groups").
+     * The actions will be resolved as application privileges from the IdP's security cluster.
+     */
+    public Map<String, String> getRoleActions() {
+        return roles;
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/privileges/UserPrivilegeResolver.java

@@ -0,0 +1,127 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.privileges;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.client.Client;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.xpack.core.security.SecurityContext;
+import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
+import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesRequest;
+import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesResponse;
+import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.authz.permission.ResourcePrivileges;
+
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+/**
+ * Determines what privileges a user has within a given {@link ServiceProviderPrivileges service}.
+ */
+public class UserPrivilegeResolver {
+
+    public static class UserPrivileges {
+        public final String principal;
+        public final boolean hasAccess;
+        public final Set<String> roles;
+
+        public UserPrivileges(String principal, boolean hasAccess, Set<String> roles) {
+            this.principal = Objects.requireNonNull(principal, "principal may not be null");
+            if (hasAccess == false && roles.isEmpty() == false) {
+                throw new IllegalArgumentException("a user without access ([" + hasAccess + "]) may not have roles ([" + roles + "])");
+            }
+            this.hasAccess = hasAccess;
+            this.roles = Set.copyOf(Objects.requireNonNull(roles, "roles may not be null"));
+        }
+
+        @Override
+        public String toString() {
+            StringBuilder str = new StringBuilder()
+                .append(getClass().getSimpleName())
+                .append("{")
+                .append(principal)
+                .append(", ")
+                .append(hasAccess);
+            if (hasAccess) {
+                str.append(", ").append(roles);
+            }
+            str.append("}");
+            return str.toString();
+        }
+
+        public static UserPrivileges noAccess(String principal) {
+            return new UserPrivileges(principal, false, Set.of());
+        }
+    }
+
+    private final Logger logger = LogManager.getLogger();
+    private final Client client;
+    private final SecurityContext securityContext;
+
+    public UserPrivilegeResolver(Client client, SecurityContext securityContext) {
+        this.client = client;
+        this.securityContext = securityContext;
+    }
+
+    /**
+     * Resolves the user's privileges for the specified service.
+     * Requires that the active user is set in the {@link org.elasticsearch.xpack.core.security.SecurityContext}.
+     */
+    public void resolve(ServiceProviderPrivileges service, ActionListener<UserPrivileges> listener) {
+        HasPrivilegesRequest request = new HasPrivilegesRequest();
+        final String username = securityContext.requireUser().principal();
+        request.username(username);
+        request.applicationPrivileges(buildResourcePrivilege(service));
+        request.clusterPrivileges(Strings.EMPTY_ARRAY);
+        request.indexPrivileges(new RoleDescriptor.IndicesPrivileges[0]);
+        client.execute(HasPrivilegesAction.INSTANCE, request, ActionListener.wrap(
+            response -> {
+                logger.debug("Checking access for user [{}] to application [{}] resource [{}]",
+                    username, service.getApplicationName(), service.getResource());
+                UserPrivileges privileges = buildResult(response, service);
+                logger.debug("Resolved service privileges [{}]", privileges);
+                listener.onResponse(privileges);
+            },
+            listener::onFailure
+        ));
+    }
+
+    private UserPrivileges buildResult(HasPrivilegesResponse response, ServiceProviderPrivileges service) {
+        final Set<ResourcePrivileges> appPrivileges = response.getApplicationPrivileges().get(service.getApplicationName());
+        if (appPrivileges == null || appPrivileges.isEmpty()) {
+            return UserPrivileges.noAccess(response.getUsername());
+        }
+        final Set<String> roles = service.getRoleActions().entrySet().stream()
+            .filter(entry -> checkAccess(appPrivileges, entry.getValue(), service.getResource()))
+            .map(Map.Entry::getKey)
+            .collect(Collectors.toUnmodifiableSet());
+        final boolean hasAccess = roles.isEmpty() == false;
+        return new UserPrivileges(response.getUsername(), hasAccess, roles);
+    }
+
+    private boolean checkAccess(Set<ResourcePrivileges> userPrivileges, String action, String resource) {
+        final Optional<ResourcePrivileges> match = userPrivileges.stream()
+            .filter(rp -> rp.getResource().equals(resource))
+            .filter(rp -> rp.isAllowed(action))
+            .findAny();
+        match.ifPresent(rp -> logger.debug("User has access to [{} on {}] via [{}]", action, resource, rp));
+        return match.isPresent();
+    }
+
+    private RoleDescriptor.ApplicationResourcePrivileges buildResourcePrivilege(ServiceProviderPrivileges service) {
+        final RoleDescriptor.ApplicationResourcePrivileges.Builder builder = RoleDescriptor.ApplicationResourcePrivileges.builder();
+        builder.application(service.getApplicationName());
+        builder.resources(service.getResource());
+        builder.privileges(service.getRoleActions().values());
+        return builder.build();
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/authn/FailedAuthenticationResponseMessageBuilder.java

@@ -0,0 +1,108 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.saml.authn;
+
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
+import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
+import org.elasticsearch.xpack.idp.saml.support.SamlInit;
+import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
+import org.opensaml.saml.saml2.core.Issuer;
+import org.opensaml.saml.saml2.core.Response;
+import org.opensaml.saml.saml2.core.Status;
+import org.opensaml.saml.saml2.core.StatusCode;
+import org.opensaml.saml.saml2.core.StatusMessage;
+
+import java.time.Clock;
+
+public class FailedAuthenticationResponseMessageBuilder {
+
+    private final Clock clock;
+    private final SamlFactory samlFactory;
+    private final SamlIdentityProvider idp;
+    private String primaryStatusCode;
+    private String statusMessage;
+    private String acsUrl;
+    private String inResponseTo;
+    private String secondaryStatusCode;
+
+    public FailedAuthenticationResponseMessageBuilder(SamlFactory samlFactory, Clock clock, SamlIdentityProvider idp) {
+        SamlInit.initialize();
+        this.samlFactory = samlFactory;
+        this.clock = clock;
+        this.idp = idp;
+        this.primaryStatusCode = StatusCode.REQUESTER;
+    }
+
+    public FailedAuthenticationResponseMessageBuilder setAcsUrl(String acsUrl) {
+        this.acsUrl = acsUrl;
+        return this;
+    }
+
+    public FailedAuthenticationResponseMessageBuilder setPrimaryStatusCode(String primaryStatusCode) {
+        this.primaryStatusCode = primaryStatusCode;
+        return this;
+    }
+
+    public FailedAuthenticationResponseMessageBuilder setStatusMessage(String statusMessage) {
+        this.statusMessage = statusMessage;
+        return this;
+    }
+
+    public FailedAuthenticationResponseMessageBuilder setSecondaryStatusCode(String secondaryStatusCode) {
+        this.secondaryStatusCode = secondaryStatusCode;
+        return this;
+    }
+
+    public FailedAuthenticationResponseMessageBuilder setInResponseTo(String inResponseTo) {
+        this.inResponseTo = inResponseTo;
+        return this;
+    }
+
+    public Response build() {
+        final DateTime now = now();
+        final Response response = samlFactory.object(Response.class, Response.DEFAULT_ELEMENT_NAME);
+        response.setID(samlFactory.secureIdentifier());
+        response.setInResponseTo(inResponseTo);
+        response.setIssuer(buildIssuer());
+        response.setIssueInstant(now);
+        response.setStatus(buildStatus());
+        response.setDestination(acsUrl);
+        return response;
+    }
+
+    private Issuer buildIssuer() {
+        final Issuer issuer = samlFactory.object(Issuer.class, Issuer.DEFAULT_ELEMENT_NAME);
+        issuer.setValue(this.idp.getEntityId());
+        return issuer;
+    }
+
+    private Status buildStatus() {
+        final StatusCode firstLevelCode = samlFactory.object(StatusCode.class, StatusCode.DEFAULT_ELEMENT_NAME);
+        firstLevelCode.setValue(primaryStatusCode);
+
+        if (Strings.hasText(secondaryStatusCode)) {
+            final StatusCode secondLevelCode = samlFactory.object(StatusCode.class, StatusCode.DEFAULT_ELEMENT_NAME);
+            secondLevelCode.setValue(secondaryStatusCode);
+            firstLevelCode.setStatusCode(secondLevelCode);
+        }
+
+        final Status status = samlFactory.object(Status.class, Status.DEFAULT_ELEMENT_NAME);
+        if (Strings.hasText(statusMessage)) {
+            final StatusMessage firstLevelMessage = samlFactory.object(StatusMessage.class, StatusMessage.DEFAULT_ELEMENT_NAME);
+            firstLevelMessage.setMessage(statusMessage);
+            status.setStatusMessage(firstLevelMessage);
+        }
+        status.setStatusCode(firstLevelCode);
+        return status;
+    }
+
+    private DateTime now() {
+        return new DateTime(clock.millis(), DateTimeZone.UTC);
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/authn/SamlAuthnRequestValidator.java

@@ -0,0 +1,354 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.saml.authn;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.message.ParameterizedMessage;
+import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.common.Nullable;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.core.internal.io.Streams;
+import org.elasticsearch.rest.RestStatus;
+import org.elasticsearch.rest.RestUtils;
+import org.elasticsearch.xpack.idp.action.SamlValidateAuthnRequestResponse;
+import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProvider;
+import org.elasticsearch.xpack.idp.saml.support.SamlAuthenticationState;
+import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
+import org.elasticsearch.xpack.idp.saml.support.SamlInit;
+import org.opensaml.saml.saml2.core.AuthnRequest;
+import org.opensaml.saml.saml2.core.Issuer;
+import org.opensaml.saml.saml2.core.NameIDPolicy;
+import org.opensaml.security.x509.X509Credential;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.xml.sax.SAXException;
+
+import javax.xml.parsers.DocumentBuilder;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.util.Base64;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+import java.util.zip.Inflater;
+import java.util.zip.InflaterInputStream;
+
+import static org.opensaml.saml.common.xml.SAMLConstants.SAML2_REDIRECT_BINDING_URI;
+import static org.opensaml.saml.saml2.core.NameIDType.UNSPECIFIED;
+
+/**
+ * Processes a SAML AuthnRequest, validates it, extracts necessary information and returns a {@link SamlValidateAuthnRequestResponse}
+ */
+public class SamlAuthnRequestValidator {
+
+    private final SamlFactory samlFactory;
+    private final SamlIdentityProvider idp;
+    private final Logger logger = LogManager.getLogger(SamlAuthnRequestValidator.class);
+    private static final String[] XSD_FILES = new String[]{"/org/elasticsearch/xpack/idp/saml/support/saml-schema-protocol-2.0.xsd",
+        "/org/elasticsearch/xpack/idp/saml/support/saml-schema-assertion-2.0.xsd",
+        "/org/elasticsearch/xpack/idp/saml/support/xenc-schema.xsd",
+        "/org/elasticsearch/xpack/idp/saml/support/xmldsig-core-schema.xsd"};
+
+    private static final ThreadLocal<DocumentBuilder> THREAD_LOCAL_DOCUMENT_BUILDER = ThreadLocal.withInitial(() -> {
+        try {
+            return SamlFactory.getHardenedBuilder(XSD_FILES);
+        } catch (Exception e) {
+            throw new ElasticsearchSecurityException("Could not load XSD schema file", e);
+        }
+    });
+
+    public SamlAuthnRequestValidator(SamlFactory samlFactory, SamlIdentityProvider idp) {
+        SamlInit.initialize();
+        this.samlFactory = samlFactory;
+        this.idp = idp;
+    }
+
+    public void processQueryString(String queryString, ActionListener<SamlValidateAuthnRequestResponse> listener) {
+
+        final ParsedQueryString parsedQueryString;
+        try {
+            parsedQueryString = parseQueryString(queryString);
+        } catch (ElasticsearchSecurityException e) {
+            logger.debug("Failed to parse query string for SAML AuthnRequest", e);
+            listener.onFailure(e);
+            return;
+        }
+
+        try {
+            // We consciously parse the AuthnRequest before we validate its signature as we need to get the Issuer, in order to
+            // verify if we know of this SP and get its credentials for signature verification
+            final Element root = parseSamlMessage(inflate(decodeBase64(parsedQueryString.samlRequest)));
+            if (samlFactory.elementNameMatches(root, "urn:oasis:names:tc:SAML:2.0:protocol", "AuthnRequest") == false) {
+                logAndRespond(new ParameterizedMessage("SAML message [{}] is not an AuthnRequest", samlFactory.text(root, 128)), listener);
+                return;
+            }
+            final AuthnRequest authnRequest = samlFactory.buildXmlObject(root, AuthnRequest.class);
+            getSpFromIssuer(authnRequest.getIssuer(), ActionListener.wrap(
+                sp -> {
+                    try {
+                        validateAuthnRequest(authnRequest, sp, parsedQueryString, listener);
+                    } catch (ElasticsearchSecurityException e) {
+                        logger.debug("Could not validate AuthnRequest", e);
+                        listener.onFailure(e);
+                    } catch (Exception e) {
+                        logAndRespond("Could not validate AuthnRequest", e, listener);
+                    }
+                },
+                listener::onFailure
+            ));
+        } catch (ElasticsearchSecurityException e) {
+            logger.debug("Could not process AuthnRequest", e);
+            listener.onFailure(e);
+        } catch (Exception e) {
+            logAndRespond("Could not process AuthnRequest", e, listener);
+        }
+    }
+
+    private ParsedQueryString parseQueryString(String queryString) throws ElasticsearchSecurityException {
+
+        final Map<String, String> parameters = new HashMap<>();
+        RestUtils.decodeQueryString(queryString, 0, parameters);
+        if (parameters.isEmpty()) {
+            throw new ElasticsearchSecurityException("Invalid Authentication Request query string (zero parameters)");
+        }
+        logger.trace(new ParameterizedMessage("Parsed the following parameters from the query string: {}", parameters));
+        final String samlRequest = parameters.get("SAMLRequest");
+        if (null == samlRequest) {
+            throw new ElasticsearchSecurityException("Query string [{}] does not contain a SAMLRequest parameter",
+                RestStatus.BAD_REQUEST, queryString);
+        }
+        return new ParsedQueryString(
+            queryString,
+            samlRequest,
+            parameters.get("RelayState"),
+            parameters.get("SigAlg"),
+            parameters.get("Signature"));
+    }
+
+    private void validateAuthnRequest(AuthnRequest authnRequest, SamlServiceProvider sp, ParsedQueryString parsedQueryString,
+                                         ActionListener<SamlValidateAuthnRequestResponse> listener) {
+        // If the Service Provider should not sign requests, do not try to handle signatures even if they are added to the request
+        if (sp.shouldSignAuthnRequests()) {
+            if (Strings.hasText(parsedQueryString.signature)) {
+                if (Strings.hasText(parsedQueryString.sigAlg) == false) {
+                    logAndRespond(new ParameterizedMessage("Query string [{}] contains a Signature but SigAlg parameter is missing",
+                        parsedQueryString.queryString), listener);
+                    return;
+                }
+                final Set<X509Credential> spSigningCredentials = sp.getSpSigningCredentials();
+                if (spSigningCredentials == null || spSigningCredentials.isEmpty()) {
+                    logAndRespond(new ParameterizedMessage("Unable to validate signature of authentication request, " +
+                        "Service Provider [{}] hasn't registered signing credentials", sp.getEntityId()), listener);
+                    return;
+                }
+                if (validateSignature(parsedQueryString, spSigningCredentials) == false) {
+                    logAndRespond(
+                        new ParameterizedMessage("Unable to validate signature of authentication request [{}] using credentials [{}]",
+                            parsedQueryString.queryString, samlFactory.describeCredentials(spSigningCredentials)), listener);
+                    return;
+                }
+            } else if (Strings.hasText(parsedQueryString.sigAlg)) {
+                logAndRespond(new ParameterizedMessage("Query string [{}] contains a SigAlg parameter but Signature is missing",
+                    parsedQueryString.queryString), listener);
+                return;
+            } else {
+                logAndRespond(
+                    new ParameterizedMessage(
+                        "The Service Provider [{}] must sign authentication requests but no signature was found", sp.getEntityId()),
+                    listener);
+                return;
+            }
+        }
+        final Map<String, Object> authnState = new HashMap<>();
+        checkDestination(authnRequest);
+        checkAcs(authnRequest, sp, authnState);
+        validateNameIdPolicy(authnRequest, sp, authnState);
+        authnState.put(SamlAuthenticationState.Fields.ENTITY_ID.getPreferredName(), sp.getEntityId());
+        authnState.put(SamlAuthenticationState.Fields.AUTHN_REQUEST_ID.getPreferredName(), authnRequest.getID());
+        final SamlValidateAuthnRequestResponse response = new SamlValidateAuthnRequestResponse(sp.getEntityId(),
+            authnRequest.isForceAuthn(), authnState);
+        logger.trace(new ParameterizedMessage("Validated AuthnResponse from queryString [{}] and extracted [{}]",
+            parsedQueryString.queryString, response));
+        listener.onResponse(response);
+    }
+
+    private void validateNameIdPolicy(AuthnRequest request, SamlServiceProvider sp, Map<String, Object> authnState) {
+        final NameIDPolicy nameIDPolicy = request.getNameIDPolicy();
+        if (null != nameIDPolicy) {
+            final String requestedFormat = nameIDPolicy.getFormat();
+            final String allowedFormat = sp.getAllowedNameIdFormat();
+            if (Strings.hasText(requestedFormat)) {
+                if (allowedFormat != null && requestedFormat.equals(UNSPECIFIED) == false
+                    && requestedFormat.equals(allowedFormat) == false) {
+                    throw new ElasticsearchSecurityException("The requested NameID format [{}] doesn't match the allowed NameID format" +
+                        " for this Service Provider which is [{}]", requestedFormat, sp.getAllowedNameIdFormat());
+                } else {
+                    authnState.put(SamlAuthenticationState.Fields.NAMEID_FORMAT.getPreferredName(), requestedFormat);
+                }
+            }
+        }
+    }
+
+    private boolean validateSignature(ParsedQueryString queryString, Collection<X509Credential> credentials) {
+        final String javaSigAlgorithm = samlFactory.getJavaAlorithmNameFromUri(queryString.sigAlg);
+        final byte[] contentBytes = queryString.reconstructQueryParameters().getBytes(StandardCharsets.UTF_8);
+        final byte[] signatureBytes = Base64.getDecoder().decode(queryString.signature);
+        return credentials.stream().anyMatch(credential -> {
+            try {
+                Signature sig = Signature.getInstance(javaSigAlgorithm);
+                sig.initVerify(credential.getEntityCertificate().getPublicKey());
+                sig.update(contentBytes);
+                return sig.verify(signatureBytes);
+            } catch (NoSuchAlgorithmException e) {
+                throw new ElasticsearchSecurityException("Java signature algorithm [{}] is not available for SAML/XML-Sig algorithm [{}]",
+                    e, javaSigAlgorithm, queryString.sigAlg);
+            } catch (InvalidKeyException | SignatureException e) {
+                logger.warn(new ParameterizedMessage("Signature verification failed for credential [{}]",
+                    samlFactory.describeCredentials(Set.of(credential))), e);
+                return false;
+            }
+        });
+    }
+
+    private void getSpFromIssuer(Issuer issuer, ActionListener<SamlServiceProvider> listener) {
+        if (issuer == null || issuer.getValue() == null) {
+            throw new ElasticsearchSecurityException("SAML authentication request has no issuer", RestStatus.BAD_REQUEST);
+        }
+        final String issuerString = issuer.getValue();
+        idp.getRegisteredServiceProvider(issuerString, false, ActionListener.wrap(
+            serviceProvider -> {
+                if (null == serviceProvider) {
+                    throw new ElasticsearchSecurityException(
+                        "Service Provider with Entity ID [{}] is not registered with this Identity Provider", RestStatus.BAD_REQUEST,
+                        issuerString);
+                }
+                listener.onResponse(serviceProvider);
+            },
+            listener::onFailure
+        ));
+    }
+
+    private void checkDestination(AuthnRequest request) {
+        final String url = idp.getSingleSignOnEndpoint(SAML2_REDIRECT_BINDING_URI).toString();
+        if (url.equals(request.getDestination()) == false) {
+            throw new ElasticsearchSecurityException(
+                "SAML authentication request [{}] is for destination [{}] but the SSO endpoint of this Identity Provider is [{}]",
+                RestStatus.BAD_REQUEST, request.getID(), request.getDestination(), url);
+        }
+    }
+
+    private void checkAcs(AuthnRequest request, SamlServiceProvider sp, Map<String, Object> authnState) {
+        final String acs = request.getAssertionConsumerServiceURL();
+        if (Strings.hasText(acs) == false) {
+            final String message = request.getAssertionConsumerServiceIndex() == null ?
+                "SAML authentication does not contain an AssertionConsumerService URL" :
+                "SAML authentication does not contain an AssertionConsumerService URL. It contains an Assertion Consumer Service Index " +
+                    "but this IDP doesn't support multiple AssertionConsumerService URLs.";
+            throw new ElasticsearchSecurityException(message, RestStatus.BAD_REQUEST);
+        }
+        if (acs.equals(sp.getAssertionConsumerService().toString()) == false) {
+            throw new ElasticsearchSecurityException("The registered ACS URL for this Service Provider is [{}] but the authentication " +
+                "request contained [{}]", RestStatus.BAD_REQUEST, sp.getAssertionConsumerService(), acs);
+        }
+        authnState.put(SamlAuthenticationState.Fields.ACS_URL.getPreferredName(), acs);
+    }
+
+    protected Element parseSamlMessage(byte[] content) {
+        final Element root;
+        try (ByteArrayInputStream input = new ByteArrayInputStream(content)) {
+            // This will parse and validate the input against the schemas
+            final Document doc = THREAD_LOCAL_DOCUMENT_BUILDER.get().parse(input);
+            root = doc.getDocumentElement();
+            if (logger.isTraceEnabled()) {
+                logger.trace("Received SAML Message: {} \n", samlFactory.toString(root, true));
+            }
+        } catch (SAXException | IOException e) {
+            throw new ElasticsearchSecurityException("Failed to parse SAML message", RestStatus.BAD_REQUEST, e);
+        }
+        return root;
+    }
+
+    private byte[] decodeBase64(String content) {
+        try {
+            return Base64.getDecoder().decode(content.replaceAll("\\s+", ""));
+        } catch (IllegalArgumentException e) {
+            logger.info("Failed to decode base64 string [{}] - {}", content, e);
+            throw new ElasticsearchSecurityException("SAML message cannot be Base64 decoded", RestStatus.BAD_REQUEST, e);
+        }
+    }
+
+    private byte[] inflate(byte[] bytes) {
+        Inflater inflater = new Inflater(true);
+        try (ByteArrayInputStream in = new ByteArrayInputStream(bytes);
+             InflaterInputStream inflate = new InflaterInputStream(in, inflater);
+             ByteArrayOutputStream out = new ByteArrayOutputStream(bytes.length * 3 / 2)) {
+            Streams.copy(inflate, out);
+            return out.toByteArray();
+        } catch (IOException e) {
+            throw new ElasticsearchSecurityException("SAML message cannot be inflated", RestStatus.BAD_REQUEST, e);
+        }
+    }
+
+    private String urlEncode(String param) throws UnsupportedEncodingException {
+        return URLEncoder.encode(param, StandardCharsets.UTF_8.name());
+    }
+
+    private void logAndRespond(String message, ActionListener<SamlValidateAuthnRequestResponse> listener) {
+        logger.debug(message);
+        listener.onFailure(new ElasticsearchSecurityException(message));
+    }
+
+    private void logAndRespond(ParameterizedMessage message, ActionListener<SamlValidateAuthnRequestResponse> listener) {
+        logAndRespond(message.getFormattedMessage(), listener);
+    }
+
+    private void logAndRespond(String message, Throwable e, ActionListener<SamlValidateAuthnRequestResponse> listener) {
+        logger.debug(message);
+        listener.onFailure(new ElasticsearchSecurityException(message, e));
+    }
+
+    private class ParsedQueryString {
+        private final String queryString;
+        private final String samlRequest;
+        @Nullable
+        private final String relayState;
+        @Nullable
+        private final String sigAlg;
+        @Nullable
+        private final String signature;
+
+        private ParsedQueryString(String queryString, String samlRequest, String relayState, String sigAlg, String signature) {
+            this.queryString = Objects.requireNonNull(queryString, "Query string may not be null");
+            this.samlRequest = Objects.requireNonNull(samlRequest, "SAML request parameter may not be null");
+            this.relayState = relayState;
+            this.sigAlg = sigAlg;
+            this.signature = signature;
+        }
+
+        public String reconstructQueryParameters() throws ElasticsearchSecurityException {
+            try {
+                return relayState == null ?
+                    "SAMLRequest=" + urlEncode(samlRequest) + "&SigAlg=" + urlEncode(sigAlg) :
+                    "SAMLRequest=" + urlEncode(samlRequest) + "&RelayState=" + urlEncode(relayState) + "&SigAlg=" + urlEncode(sigAlg);
+            } catch (UnsupportedEncodingException e) {
+                throw new ElasticsearchSecurityException("Cannot reconstruct query for signature verification", e);
+            }
+        }
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/authn/SuccessfulAuthenticationResponseMessageBuilder.java

@@ -0,0 +1,274 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.saml.authn;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.common.Nullable;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.xpack.idp.authc.AuthenticationMethod;
+import org.elasticsearch.xpack.idp.authc.NetworkControl;
+import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProvider;
+import org.elasticsearch.xpack.idp.saml.support.SamlAuthenticationState;
+import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
+import org.elasticsearch.xpack.idp.saml.support.SamlInit;
+import org.elasticsearch.xpack.idp.saml.support.SamlObjectSigner;
+import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
+import org.opensaml.core.xml.schema.XSString;
+import org.opensaml.saml.saml2.core.Assertion;
+import org.opensaml.saml.saml2.core.Attribute;
+import org.opensaml.saml.saml2.core.AttributeStatement;
+import org.opensaml.saml.saml2.core.AttributeValue;
+import org.opensaml.saml.saml2.core.Audience;
+import org.opensaml.saml.saml2.core.AudienceRestriction;
+import org.opensaml.saml.saml2.core.AuthnContext;
+import org.opensaml.saml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml.saml2.core.AuthnStatement;
+import org.opensaml.saml.saml2.core.Conditions;
+import org.opensaml.saml.saml2.core.Issuer;
+import org.opensaml.saml.saml2.core.NameID;
+import org.opensaml.saml.saml2.core.Response;
+import org.opensaml.saml.saml2.core.Status;
+import org.opensaml.saml.saml2.core.StatusCode;
+import org.opensaml.saml.saml2.core.Subject;
+import org.opensaml.saml.saml2.core.SubjectConfirmation;
+import org.opensaml.saml.saml2.core.SubjectConfirmationData;
+
+import java.time.Clock;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.Set;
+
+import static org.opensaml.saml.saml2.core.NameIDType.TRANSIENT;
+
+/**
+ * Builds SAML 2.0 {@link Response} objects for successful authentication results.
+ */
+public class SuccessfulAuthenticationResponseMessageBuilder {
+
+    private final Logger logger = LogManager.getLogger();
+
+    private final Clock clock;
+    private final SamlIdentityProvider idp;
+    private final SamlFactory samlFactory;
+
+    public SuccessfulAuthenticationResponseMessageBuilder(SamlFactory samlFactory, Clock clock, SamlIdentityProvider idp) {
+        SamlInit.initialize();
+        this.samlFactory = samlFactory;
+        this.clock = clock;
+        this.idp = idp;
+    }
+
+    public Response build(UserServiceAuthentication user, @Nullable SamlAuthenticationState authnState) {
+        logger.debug("Building success response for [{}] from [{}]", user, authnState);
+        final DateTime now = now();
+        final SamlServiceProvider serviceProvider = user.getServiceProvider();
+
+        final Response response = samlFactory.object(Response.class, Response.DEFAULT_ELEMENT_NAME);
+        response.setID(samlFactory.secureIdentifier());
+        if (authnState != null && authnState.getAuthnRequestId() != null) {
+            response.setInResponseTo(authnState.getAuthnRequestId());
+        }
+        response.setIssuer(buildIssuer());
+        response.setIssueInstant(now);
+        response.setStatus(buildStatus());
+        response.setDestination(serviceProvider.getAssertionConsumerService().toString());
+
+        final Assertion assertion = samlFactory.object(Assertion.class, Assertion.DEFAULT_ELEMENT_NAME);
+        assertion.setID(samlFactory.secureIdentifier());
+        assertion.setIssuer(buildIssuer());
+        assertion.setIssueInstant(now);
+        assertion.setConditions(buildConditions(now, serviceProvider));
+        assertion.setSubject(buildSubject(now, user, authnState));
+        assertion.getAuthnStatements().add(buildAuthnStatement(now, user));
+        final AttributeStatement attributes = buildAttributes(user);
+        if (attributes != null) {
+            assertion.getAttributeStatements().add(attributes);
+        }
+        response.getAssertions().add(assertion);
+        return sign(response);
+    }
+
+    private Response sign(Response response) {
+        final SamlObjectSigner signer = new SamlObjectSigner(samlFactory, idp);
+        return samlFactory.buildXmlObject(signer.sign(response), Response.class);
+    }
+
+    private Conditions buildConditions(DateTime now, SamlServiceProvider serviceProvider) {
+        final Audience spAudience = samlFactory.object(Audience.class, Audience.DEFAULT_ELEMENT_NAME);
+        spAudience.setAudienceURI(serviceProvider.getEntityId());
+
+        final AudienceRestriction restriction = samlFactory.object(AudienceRestriction.class, AudienceRestriction.DEFAULT_ELEMENT_NAME);
+        restriction.getAudiences().add(spAudience);
+
+        final Conditions conditions = samlFactory.object(Conditions.class, Conditions.DEFAULT_ELEMENT_NAME);
+        conditions.setNotBefore(now);
+        conditions.setNotOnOrAfter(now.plus(serviceProvider.getAuthnExpiry()));
+        conditions.getAudienceRestrictions().add(restriction);
+        return conditions;
+    }
+
+    private DateTime now() {
+        return new DateTime(clock.millis(), DateTimeZone.UTC);
+    }
+
+    private Subject buildSubject(DateTime now, UserServiceAuthentication user, SamlAuthenticationState authnState) {
+        final SamlServiceProvider serviceProvider = user.getServiceProvider();
+
+        final NameID nameID = buildNameId(user, authnState);
+
+        final Subject subject = samlFactory.object(Subject.class, Subject.DEFAULT_ELEMENT_NAME);
+        subject.setNameID(nameID);
+
+        final SubjectConfirmationData data = samlFactory.object(SubjectConfirmationData.class,
+            SubjectConfirmationData.DEFAULT_ELEMENT_NAME);
+        if (authnState != null && authnState.getAuthnRequestId() != null) {
+            data.setInResponseTo(authnState.getAuthnRequestId());
+        }
+        data.setNotBefore(now);
+        data.setNotOnOrAfter(now.plus(serviceProvider.getAuthnExpiry()));
+        data.setRecipient(serviceProvider.getAssertionConsumerService().toString());
+
+        final SubjectConfirmation confirmation = samlFactory.object(SubjectConfirmation.class, SubjectConfirmation.DEFAULT_ELEMENT_NAME);
+        confirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
+        confirmation.setSubjectConfirmationData(data);
+
+        subject.getSubjectConfirmations().add(confirmation);
+        return subject;
+    }
+
+    private AuthnStatement buildAuthnStatement(DateTime now, UserServiceAuthentication user) {
+        final SamlServiceProvider serviceProvider = user.getServiceProvider();
+        final AuthnStatement statement = samlFactory.object(AuthnStatement.class, AuthnStatement.DEFAULT_ELEMENT_NAME);
+        statement.setAuthnInstant(now);
+        statement.setSessionNotOnOrAfter(now.plus(serviceProvider.getAuthnExpiry()));
+
+        final AuthnContext context = samlFactory.object(AuthnContext.class, AuthnContext.DEFAULT_ELEMENT_NAME);
+        final AuthnContextClassRef classRef = samlFactory.object(AuthnContextClassRef.class, AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
+        classRef.setAuthnContextClassRef(resolveAuthnClass(user.getAuthenticationMethods(), user.getNetworkControls()));
+        context.setAuthnContextClassRef(classRef);
+        statement.setAuthnContext(context);
+
+        return statement;
+    }
+
+    private String resolveAuthnClass(Set<AuthenticationMethod> authenticationMethods, Set<NetworkControl> networkControls) {
+        if (authenticationMethods.contains(AuthenticationMethod.PASSWORD)) {
+            if (networkControls.contains(NetworkControl.IP_FILTER)) {
+                return AuthnContext.IP_PASSWORD_AUTHN_CTX;
+            } else if (networkControls.contains(NetworkControl.TLS)) {
+                return AuthnContext.PPT_AUTHN_CTX;
+            } else {
+                return AuthnContext.PASSWORD_AUTHN_CTX;
+            }
+        } else if (authenticationMethods.contains(AuthenticationMethod.KERBEROS)) {
+            return AuthnContext.KERBEROS_AUTHN_CTX;
+        } else if (authenticationMethods.contains(AuthenticationMethod.TLS_CLIENT_AUTH) && networkControls.contains(NetworkControl.TLS)) {
+            return AuthnContext.TLS_CLIENT_AUTHN_CTX;
+        } else if (authenticationMethods.contains(AuthenticationMethod.PRIOR_SESSION)) {
+            return AuthnContext.PREVIOUS_SESSION_AUTHN_CTX;
+        } else if (networkControls.contains(NetworkControl.IP_FILTER)) {
+            return AuthnContext.IP_AUTHN_CTX;
+        } else {
+            return AuthnContext.UNSPECIFIED_AUTHN_CTX;
+        }
+    }
+
+    private AttributeStatement buildAttributes(UserServiceAuthentication user) {
+        final SamlServiceProvider serviceProvider = user.getServiceProvider();
+        final AttributeStatement statement = samlFactory.object(AttributeStatement.class, AttributeStatement.DEFAULT_ELEMENT_NAME);
+        final List<Attribute> attributes = new ArrayList<>();
+        final Attribute roles = buildAttribute(serviceProvider.getAttributeNames().roles, "roles", user.getRoles());
+        if (roles != null) {
+            attributes.add(roles);
+        }
+        final Attribute principal = buildAttribute(serviceProvider.getAttributeNames().principal, "principal", user.getPrincipal());
+        if (principal != null) {
+            attributes.add(principal);
+        }
+        final Attribute email = buildAttribute(serviceProvider.getAttributeNames().email, "email", user.getEmail());
+        if (email != null) {
+            attributes.add(email);
+        }
+        final Attribute name = buildAttribute(serviceProvider.getAttributeNames().name, "name", user.getName());
+        if (name != null) {
+            attributes.add(name);
+        }
+        if (attributes.isEmpty()) {
+            return null;
+        }
+        statement.getAttributes().addAll(attributes);
+        return statement;
+    }
+
+    private Attribute buildAttribute(String formalName, String friendlyName, String value) {
+        if (Strings.isNullOrEmpty(value)) {
+            return null;
+        }
+        return buildAttribute(formalName, friendlyName, List.of(value));
+    }
+
+    private Attribute buildAttribute(String formalName, String friendlyName, Collection<String> values) {
+        if (values.isEmpty() || Strings.isNullOrEmpty(formalName)) {
+            return null;
+        }
+        final Attribute attribute = samlFactory.object(Attribute.class, Attribute.DEFAULT_ELEMENT_NAME);
+        attribute.setName(formalName);
+        attribute.setFriendlyName(friendlyName);
+        attribute.setNameFormat(Attribute.URI_REFERENCE);
+        for (String val : values) {
+            final XSString string = samlFactory.object(XSString.class, AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
+            string.setValue(val);
+            attribute.getAttributeValues().add(string);
+        }
+        return attribute;
+    }
+
+    private Issuer buildIssuer() {
+        final Issuer issuer = samlFactory.object(Issuer.class, Issuer.DEFAULT_ELEMENT_NAME);
+        issuer.setValue(this.idp.getEntityId());
+        return issuer;
+    }
+
+    private Status buildStatus() {
+        final StatusCode code = samlFactory.object(StatusCode.class, StatusCode.DEFAULT_ELEMENT_NAME);
+        code.setValue(StatusCode.SUCCESS);
+
+        final Status status = samlFactory.object(Status.class, Status.DEFAULT_ELEMENT_NAME);
+        status.setStatusCode(code);
+
+        return status;
+    }
+
+    private NameID buildNameId(UserServiceAuthentication user, @Nullable SamlAuthenticationState authnState) {
+        final SamlServiceProvider serviceProvider = user.getServiceProvider();
+        final NameID nameID = samlFactory.object(NameID.class, NameID.DEFAULT_ELEMENT_NAME);
+        final String nameIdFormat;
+        if (authnState != null && authnState.getRequestedNameidFormat() != null) {
+            nameIdFormat = authnState.getRequestedNameidFormat();
+        } else {
+            nameIdFormat = serviceProvider.getAllowedNameIdFormat() != null ? serviceProvider.getAllowedNameIdFormat() :
+                idp.getServiceProviderDefaults().nameIdFormat;
+        }
+        nameID.setFormat(nameIdFormat);
+        nameID.setValue(getNameIdValueForFormat(nameIdFormat, user));
+        return nameID;
+    }
+
+    private String getNameIdValueForFormat(String format, UserServiceAuthentication user) {
+        switch (format) {
+            case TRANSIENT:
+                // See SAML 2.0 Core 8.3.8 & 1.3.4
+                return samlFactory.secureIdentifier();
+            default:
+                throw new IllegalStateException("Unsupported NameID Format: " + format);
+        }
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/authn/UserServiceAuthentication.java

@@ -0,0 +1,85 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.saml.authn;
+
+import org.elasticsearch.xpack.idp.authc.AuthenticationMethod;
+import org.elasticsearch.xpack.idp.authc.NetworkControl;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProvider;
+
+import java.util.Set;
+
+/**
+ * Lightweight representation of a user that has authenticated to the IdP in the context of a specific service provider
+ */
+public class UserServiceAuthentication {
+
+    private final String principal;
+    private final String name;
+    private final String email;
+    private final Set<String> roles;
+
+    private final SamlServiceProvider serviceProvider;
+    private final Set<AuthenticationMethod> authenticationMethods;
+    private final Set<NetworkControl> networkControls;
+
+    public UserServiceAuthentication(String principal, String name, String email, Set<String> roles,
+                                     SamlServiceProvider serviceProvider,
+                                     Set<AuthenticationMethod> authenticationMethods, Set<NetworkControl> networkControls) {
+        this.principal = principal;
+        this.name = name;
+        this.email = email;
+        this.roles = Set.copyOf(roles);
+        this.serviceProvider = serviceProvider;
+        this.authenticationMethods = authenticationMethods;
+        this.networkControls = networkControls;
+    }
+
+    public UserServiceAuthentication(String principal, String name, String email, Set<String> roles, SamlServiceProvider serviceProvider) {
+        this(principal, name, email, roles, serviceProvider, Set.of(AuthenticationMethod.PASSWORD), Set.of(NetworkControl.TLS));
+    }
+
+    public String getPrincipal() {
+        return principal;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public String getEmail() {
+        return email;
+    }
+
+    public Set<String> getRoles() {
+        return roles;
+    }
+
+    public SamlServiceProvider getServiceProvider() {
+        return serviceProvider;
+    }
+
+    public Set<AuthenticationMethod> getAuthenticationMethods() {
+        return authenticationMethods;
+    }
+
+    public Set<NetworkControl> getNetworkControls() {
+        return networkControls;
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + "{" +
+            "principal='" + principal + '\'' +
+            ", name='" + name + '\'' +
+            ", email='" + email + '\'' +
+            ", roles=" + roles +
+            ", serviceProvider=" + serviceProvider +
+            ", authenticationMethods=" + authenticationMethods +
+            ", networkControls=" + networkControls +
+            '}';
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/idp/SamlIdPMetadataBuilder.java

@@ -0,0 +1,264 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.saml.idp;
+
+import org.elasticsearch.common.Strings;
+import org.opensaml.saml.common.xml.SAMLConstants;
+import org.opensaml.saml.saml2.metadata.ContactPerson;
+import org.opensaml.saml.saml2.metadata.EmailAddress;
+import org.opensaml.saml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml.saml2.metadata.GivenName;
+import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml.saml2.metadata.KeyDescriptor;
+import org.opensaml.saml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml.saml2.metadata.Organization;
+import org.opensaml.saml.saml2.metadata.OrganizationDisplayName;
+import org.opensaml.saml.saml2.metadata.OrganizationName;
+import org.opensaml.saml.saml2.metadata.OrganizationURL;
+import org.opensaml.saml.saml2.metadata.SingleLogoutService;
+import org.opensaml.saml.saml2.metadata.SingleSignOnService;
+import org.opensaml.saml.saml2.metadata.SurName;
+import org.opensaml.saml.saml2.metadata.impl.ContactPersonBuilder;
+import org.opensaml.saml.saml2.metadata.impl.EmailAddressBuilder;
+import org.opensaml.saml.saml2.metadata.impl.EntityDescriptorBuilder;
+import org.opensaml.saml.saml2.metadata.impl.GivenNameBuilder;
+import org.opensaml.saml.saml2.metadata.impl.IDPSSODescriptorBuilder;
+import org.opensaml.saml.saml2.metadata.impl.KeyDescriptorBuilder;
+import org.opensaml.saml.saml2.metadata.impl.NameIDFormatBuilder;
+import org.opensaml.saml.saml2.metadata.impl.OrganizationBuilder;
+import org.opensaml.saml.saml2.metadata.impl.OrganizationDisplayNameBuilder;
+import org.opensaml.saml.saml2.metadata.impl.OrganizationNameBuilder;
+import org.opensaml.saml.saml2.metadata.impl.OrganizationURLBuilder;
+import org.opensaml.saml.saml2.metadata.impl.SingleLogoutServiceBuilder;
+import org.opensaml.saml.saml2.metadata.impl.SingleSignOnServiceBuilder;
+import org.opensaml.saml.saml2.metadata.impl.SurNameBuilder;
+import org.opensaml.security.credential.UsageType;
+import org.opensaml.xmlsec.keyinfo.KeyInfoSupport;
+import org.opensaml.xmlsec.signature.KeyInfo;
+import org.opensaml.xmlsec.signature.impl.KeyInfoBuilder;
+
+import java.net.URL;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+
+public class SamlIdPMetadataBuilder {
+
+    private Locale locale;
+    private final String entityId;
+    private Set<String> nameIdFormats;
+    private boolean wantAuthnRequestsSigned;
+    private Map<String, URL> singleSignOnServiceUrls = new HashMap<>();
+    private Map<String, URL> singleLogoutServiceUrls = new HashMap<>();
+    private List<X509Certificate> signingCertificates;
+    private SamlIdentityProvider.OrganizationInfo organization;
+    private final List<SamlIdentityProvider.ContactInfo> contacts;
+
+
+    public SamlIdPMetadataBuilder(String entityId) {
+        this.entityId = entityId;
+        this.locale = Locale.getDefault();
+        this.contacts = new ArrayList<>();
+        this.nameIdFormats = new HashSet<>();
+        this.signingCertificates = new ArrayList<>();
+        this.wantAuthnRequestsSigned = false;
+    }
+
+    public SamlIdPMetadataBuilder withLocale(Locale locale) {
+        this.locale = locale;
+        return this;
+    }
+
+    public SamlIdPMetadataBuilder withNameIdFormat(String nameIdFormat) {
+        if (Strings.isNullOrEmpty(nameIdFormat) == false) {
+            this.nameIdFormats.add(nameIdFormat);
+        }
+        return this;
+    }
+
+    public SamlIdPMetadataBuilder wantAuthnRequestsSigned(boolean wants) {
+        this.wantAuthnRequestsSigned = wants;
+        return this;
+    }
+
+    public SamlIdPMetadataBuilder withSingleSignOnServiceUrl(String binding, URL url) {
+        if ( null != url) {
+            this.singleSignOnServiceUrls.put(binding, url);
+        }
+        return this;
+    }
+
+    public SamlIdPMetadataBuilder withSingleLogoutServiceUrl(String binding, URL url) {
+        if (null != url) {
+            this.singleLogoutServiceUrls.put(binding, url);
+        }
+        return this;
+    }
+
+    public SamlIdPMetadataBuilder withSigningCertificates(List<X509Certificate> signingCertificates) {
+        if (null != signingCertificates) {
+            this.signingCertificates.addAll(signingCertificates);
+        }
+        return this;
+    }
+
+    public SamlIdPMetadataBuilder withSigningCertificate(X509Certificate signingCertificate) {
+        if ( null != signingCertificate ) {
+            return withSigningCertificates(Collections.singletonList(signingCertificate));
+        }
+        return this;
+    }
+
+    public SamlIdPMetadataBuilder organization(SamlIdentityProvider.OrganizationInfo organization) {
+        if (null != organization) {
+            this.organization = organization;
+        }
+        return this;
+    }
+
+    public SamlIdPMetadataBuilder organization(String orgName, String displayName, String url) {
+        return organization(new SamlIdentityProvider.OrganizationInfo(orgName, displayName, url));
+    }
+
+    public SamlIdPMetadataBuilder withContact(SamlIdentityProvider.ContactInfo contact) {
+        if (null != contact) {
+            this.contacts.add(contact);
+        }
+        return this;
+    }
+
+    public SamlIdPMetadataBuilder withContact(String type, String givenName, String surName, String email) {
+        return withContact(new SamlIdentityProvider.ContactInfo(SamlIdentityProvider.ContactInfo.getType(type), givenName, surName, email));
+    }
+
+    public EntityDescriptor build() throws CertificateEncodingException {
+        final IDPSSODescriptor idpSsoDescriptor = new IDPSSODescriptorBuilder().buildObject();
+        idpSsoDescriptor.removeAllSupportedProtocols();
+        idpSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
+        idpSsoDescriptor.setWantAuthnRequestsSigned(this.wantAuthnRequestsSigned);
+        if (nameIdFormats.isEmpty() == false) {
+            idpSsoDescriptor.getNameIDFormats().addAll(buildNameIDFormats());
+        }
+        if (singleSignOnServiceUrls.isEmpty() == false) {
+            idpSsoDescriptor.getSingleSignOnServices().addAll(buildSingleSignOnServices());
+        }
+        if (singleLogoutServiceUrls.isEmpty() == false) {
+            idpSsoDescriptor.getSingleLogoutServices().addAll(buildSingleLogoutServices());
+        }
+        idpSsoDescriptor.getKeyDescriptors().addAll(buildKeyDescriptors());
+
+        final EntityDescriptor descriptor = new EntityDescriptorBuilder().buildObject();
+        descriptor.setEntityID(this.entityId);
+        descriptor.getRoleDescriptors().add(idpSsoDescriptor);
+        if (organization != null) {
+            descriptor.setOrganization(buildOrganization());
+        }
+        for (SamlIdentityProvider.ContactInfo contact : contacts) {
+            descriptor.getContactPersons().add(buildContact(contact));
+        }
+
+        return descriptor;
+    }
+
+    private List<SingleSignOnService> buildSingleSignOnServices() {
+        List<SingleSignOnService> ssoServices = new ArrayList<>();
+        if (singleSignOnServiceUrls.isEmpty()) {
+            throw new IllegalStateException("At least one SingleSignOnService URL should be specified");
+        }
+        for (Map.Entry<String, URL> entry : singleSignOnServiceUrls.entrySet()) {
+            final SingleSignOnService sso = new SingleSignOnServiceBuilder().buildObject();
+            sso.setBinding(entry.getKey());
+            sso.setLocation(entry.getValue().toString());
+            ssoServices.add(sso);
+        }
+        return ssoServices;
+    }
+
+    private List<SingleLogoutService> buildSingleLogoutServices() {
+        List<SingleLogoutService> sloServices = new ArrayList<>();
+        for (Map.Entry<String, URL> entry : singleLogoutServiceUrls.entrySet()) {
+            final SingleLogoutService slo = new SingleLogoutServiceBuilder().buildObject();
+            slo.setBinding(entry.getKey());
+            slo.setLocation(entry.getValue().toString());
+            sloServices.add(slo);
+        }
+        return sloServices;
+    }
+
+    private List<NameIDFormat> buildNameIDFormats() {
+        List<NameIDFormat> formats = new ArrayList();
+        if (nameIdFormats.isEmpty()) {
+            throw new IllegalStateException("NameID format has not been specified");
+        }
+        for (String nameIdFormat : nameIdFormats) {
+            final NameIDFormat format = new NameIDFormatBuilder().buildObject();
+            format.setFormat(nameIdFormat);
+            formats.add(format);
+
+        }
+        return formats;
+    }
+
+    private List<? extends KeyDescriptor> buildKeyDescriptors() throws CertificateEncodingException {
+        if (signingCertificates.isEmpty()) {
+            return Collections.emptyList();
+        }
+        List<KeyDescriptor> keys = new ArrayList<>();
+        for (X509Certificate signingCertificate : signingCertificates) {
+            if (signingCertificate != null) {
+                final KeyDescriptor descriptor = new KeyDescriptorBuilder().buildObject();
+                descriptor.setUse(UsageType.SIGNING);
+                final KeyInfo keyInfo = new KeyInfoBuilder().buildObject();
+                KeyInfoSupport.addCertificate(keyInfo, signingCertificate);
+                descriptor.setKeyInfo(keyInfo);
+                keys.add(descriptor);
+            }
+        }
+        return keys;
+    }
+
+    private Organization buildOrganization() {
+        final String lang = locale.toLanguageTag();
+        final OrganizationName name = new OrganizationNameBuilder().buildObject();
+        name.setValue(this.organization.organizationName);
+        name.setXMLLang(lang);
+        final OrganizationDisplayName displayName = new OrganizationDisplayNameBuilder().buildObject();
+        displayName.setValue(this.organization.displayName);
+        displayName.setXMLLang(lang);
+        final OrganizationURL url = new OrganizationURLBuilder().buildObject();
+        url.setValue(this.organization.url);
+        url.setXMLLang(lang);
+
+        final Organization org = new OrganizationBuilder().buildObject();
+        org.getOrganizationNames().add(name);
+        org.getDisplayNames().add(displayName);
+        org.getURLs().add(url);
+        return org;
+    }
+
+    private ContactPerson buildContact(SamlIdentityProvider.ContactInfo contact) {
+        final GivenName givenName = new GivenNameBuilder().buildObject();
+        givenName.setName(contact.givenName);
+        final SurName surName = new SurNameBuilder().buildObject();
+        surName.setName(contact.surName);
+        final EmailAddress email = new EmailAddressBuilder().buildObject();
+        email.setAddress(contact.email);
+
+        final ContactPerson person = new ContactPersonBuilder().buildObject();
+        person.setType(contact.type);
+        person.setGivenName(givenName);
+        person.setSurName(surName);
+        person.getEmailAddresses().add(email);
+        return person;
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/idp/SamlIdentityProvider.java

@@ -0,0 +1,208 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.saml.idp;
+
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.collect.MapBuilder;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProvider;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderResolver;
+import org.elasticsearch.xpack.idp.saml.sp.ServiceProviderDefaults;
+import org.opensaml.saml.saml2.metadata.ContactPersonTypeEnumeration;
+import org.opensaml.security.x509.X509Credential;
+
+import java.net.URL;
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+
+/**
+ * SAML 2.0 configuration information about this IdP
+ */
+public class SamlIdentityProvider {
+
+    private final Logger logger = LogManager.getLogger();
+
+    private final String entityId;
+    private final Map<String, URL> ssoEndpoints;
+    private final Map<String, URL> sloEndpoints;
+    private final Set<String> allowedNameIdFormats;
+    private final ServiceProviderDefaults serviceProviderDefaults;
+    private final X509Credential signingCredential;
+    private final SamlServiceProviderResolver serviceProviderResolver;
+    private final X509Credential metadataSigningCredential;
+    private ContactInfo technicalContact;
+    private OrganizationInfo organization;
+
+    // Package access - use Builder instead
+    SamlIdentityProvider(String entityId, Map<String, URL> ssoEndpoints, Map<String, URL> sloEndpoints, Set<String> allowedNameIdFormats,
+                         X509Credential signingCredential, X509Credential metadataSigningCredential,
+                         ContactInfo technicalContact, OrganizationInfo organization,
+                         ServiceProviderDefaults serviceProviderDefaults, SamlServiceProviderResolver serviceProviderResolver) {
+        this.entityId = entityId;
+        this.ssoEndpoints = ssoEndpoints;
+        this.sloEndpoints = sloEndpoints;
+        this.allowedNameIdFormats = allowedNameIdFormats;
+        this.signingCredential = signingCredential;
+        this.serviceProviderDefaults = serviceProviderDefaults;
+        this.metadataSigningCredential = metadataSigningCredential;
+        this.technicalContact = technicalContact;
+        this.organization = organization;
+        this.serviceProviderResolver = serviceProviderResolver;
+    }
+
+    public static SamlIdentityProviderBuilder builder(SamlServiceProviderResolver resolver) {
+        return new SamlIdentityProviderBuilder(resolver);
+    }
+
+    public String getEntityId() {
+        return entityId;
+    }
+
+    public URL getSingleSignOnEndpoint(String binding) {
+        return ssoEndpoints.get(binding);
+    }
+
+    public URL getSingleLogoutEndpoint(String binding) {
+        return sloEndpoints.get(binding);
+    }
+
+    public Set<String> getAllowedNameIdFormats() {
+        return allowedNameIdFormats;
+    }
+
+    public X509Credential getSigningCredential() {
+        return signingCredential;
+    }
+
+    public X509Credential getMetadataSigningCredential() {
+        return metadataSigningCredential;
+    }
+
+    public OrganizationInfo getOrganization() {
+        return organization;
+    }
+
+    public ContactInfo getTechnicalContact() {
+        return technicalContact;
+    }
+
+    public ServiceProviderDefaults getServiceProviderDefaults() {
+        return serviceProviderDefaults;
+    }
+
+    /**
+     * Asynchronously lookup the specified {@link SamlServiceProvider} by entity-id.
+     * @param allowDisabled whether to return service providers that are not {@link SamlServiceProvider#isEnabled() enabled}.
+     *                      For security reasons, callers should typically avoid working with disabled service providers.
+     * @param listener Responds with the requested Service Provider object, or {@code null} if no such SP exists.
+     *                 {@link ActionListener#onFailure} is only used for fatal errors (e.g. being unable to access
+     *                 the backing store (elasticsearch index) that hold the SP data).
+     */
+    public void getRegisteredServiceProvider(String spEntityId, boolean allowDisabled, ActionListener<SamlServiceProvider> listener) {
+        serviceProviderResolver.resolve(spEntityId, ActionListener.wrap(
+            sp -> {
+                if (sp == null) {
+                    logger.info("No service provider exists for entityId [{}]", spEntityId);
+                    listener.onResponse(null);
+                } else if (allowDisabled == false && sp.isEnabled() == false) {
+                    logger.info("Service provider [{}][{}] is not enabled", sp.getEntityId(), sp.getName());
+                    listener.onResponse(null);
+                } else {
+                    logger.debug("Service provider for [{}] is [{}]", sp.getEntityId(), sp);
+                    listener.onResponse(sp);
+                }
+            },
+            listener::onFailure
+        ));
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        final SamlIdentityProvider that = (SamlIdentityProvider) o;
+        return Objects.equals(entityId, that.entityId) &&
+            Objects.equals(ssoEndpoints, that.ssoEndpoints) &&
+            Objects.equals(sloEndpoints, that.sloEndpoints) &&
+            Objects.equals(allowedNameIdFormats, that.allowedNameIdFormats) &&
+            Objects.equals(signingCredential, that.signingCredential) &&
+            Objects.equals(metadataSigningCredential, that.metadataSigningCredential) &&
+            Objects.equals(technicalContact, that.technicalContact) &&
+            Objects.equals(organization, that.organization);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(entityId);
+    }
+
+    public static class ContactInfo {
+        static final Map<String, ContactPersonTypeEnumeration> TYPES = Collections.unmodifiableMap(
+            MapBuilder.newMapBuilder(new LinkedHashMap<String, ContactPersonTypeEnumeration>())
+                .put(ContactPersonTypeEnumeration.ADMINISTRATIVE.toString(), ContactPersonTypeEnumeration.ADMINISTRATIVE)
+                .put(ContactPersonTypeEnumeration.BILLING.toString(), ContactPersonTypeEnumeration.BILLING)
+                .put(ContactPersonTypeEnumeration.SUPPORT.toString(), ContactPersonTypeEnumeration.SUPPORT)
+                .put(ContactPersonTypeEnumeration.TECHNICAL.toString(), ContactPersonTypeEnumeration.TECHNICAL)
+                .put(ContactPersonTypeEnumeration.OTHER.toString(), ContactPersonTypeEnumeration.OTHER)
+                .map());
+
+        public final ContactPersonTypeEnumeration type;
+        public final String givenName;
+        public final String surName;
+        public final String email;
+
+        public ContactInfo(ContactPersonTypeEnumeration type, String givenName, String surName, String email) {
+            this.type = Objects.requireNonNull(type, "Contact Person Type is required");
+            this.givenName = givenName;
+            this.surName = surName;
+            this.email = Objects.requireNonNull(email, "Contact Person email is required");
+        }
+
+        public static ContactPersonTypeEnumeration getType(String name) {
+            final ContactPersonTypeEnumeration type = TYPES.get(name.toLowerCase(Locale.ROOT));
+            if (type == null) {
+                throw new IllegalArgumentException("Invalid contact type " + name + " allowed values are "
+                    + Strings.collectionToCommaDelimitedString(TYPES.keySet()));
+            }
+            return type;
+        }
+    }
+
+    public static class OrganizationInfo {
+        public final String organizationName;
+        public final String displayName;
+        public final String url;
+
+        public OrganizationInfo(String organizationName, String displayName, String url) {
+            this.organizationName = organizationName;
+            this.displayName = displayName;
+            this.url = url;
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            OrganizationInfo that = (OrganizationInfo) o;
+            return Objects.equals(organizationName, that.organizationName) &&
+                Objects.equals(displayName, that.displayName) &&
+                Objects.equals(url, that.url);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(organizationName, displayName, url);
+        }
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/idp/SamlIdentityProviderBuilder.java

@@ -0,0 +1,356 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.saml.idp;
+
+import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.ValidationException;
+import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.env.Environment;
+import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
+import org.elasticsearch.xpack.core.ssl.X509KeyPairSettings;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderResolver;
+import org.elasticsearch.xpack.idp.saml.sp.ServiceProviderDefaults;
+import org.opensaml.saml.saml2.metadata.ContactPersonTypeEnumeration;
+import org.opensaml.security.x509.X509Credential;
+import org.opensaml.security.x509.impl.X509KeyManagerX509CredentialAdapter;
+
+import javax.net.ssl.X509KeyManager;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.security.PrivateKey;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import static org.opensaml.saml.common.xml.SAMLConstants.SAML2_POST_BINDING_URI;
+import static org.opensaml.saml.common.xml.SAMLConstants.SAML2_REDIRECT_BINDING_URI;
+import static org.opensaml.saml.saml2.core.NameIDType.TRANSIENT;
+
+/**
+ * Builds a {@link SamlIdentityProvider} instance, from either direct properties, or defined node {@link Settings}.
+ */
+public class SamlIdentityProviderBuilder {
+
+    private static final List<String> ALLOWED_NAMEID_FORMATS = List.of(TRANSIENT);
+    public static final Setting<String> IDP_ENTITY_ID = Setting.simpleString("xpack.idp.entity_id", Setting.Property.NodeScope);
+
+    public static final Setting<URL> IDP_SSO_REDIRECT_ENDPOINT = new Setting<>("xpack.idp.sso_endpoint.redirect", "https:",
+        value -> parseUrl("xpack.idp.sso_endpoint.redirect", value), Setting.Property.NodeScope);
+    public static final Setting<URL> IDP_SSO_POST_ENDPOINT = new Setting<>("xpack.idp.sso_endpoint.post", "https:",
+        value -> parseUrl("xpack.idp.sso_endpoint.post", value), Setting.Property.NodeScope);
+    public static final Setting<URL> IDP_SLO_REDIRECT_ENDPOINT = new Setting<>("xpack.idp.slo_endpoint.redirect", "https:",
+        value -> parseUrl("xpack.idp.slo_endpoint.redirect", value), Setting.Property.NodeScope);
+    public static final Setting<URL> IDP_SLO_POST_ENDPOINT = new Setting<>("xpack.idp.slo_endpoint.post", "https:",
+        value -> parseUrl("xpack.idp.slo_endpoint.post", value), Setting.Property.NodeScope);
+    public static final Setting<List<String>> IDP_ALLOWED_NAMEID_FORMATS = Setting.listSetting("xpack.idp.allowed_nameid_formats",
+        List.of(TRANSIENT), Function.identity(), SamlIdentityProviderBuilder::validateNameIDs, Setting.Property.NodeScope);
+
+    public static final Setting<String> IDP_SIGNING_KEY_ALIAS = Setting.simpleString("xpack.idp.signing.keystore.alias",
+        Setting.Property.NodeScope);
+    public static final Setting<String> IDP_METADATA_SIGNING_KEY_ALIAS = Setting.simpleString("xpack.idp.metadata.signing.keystore.alias",
+        Setting.Property.NodeScope);
+
+    public static final Setting<String> IDP_ORGANIZATION_NAME = Setting.simpleString("xpack.idp.organization.name",
+        Setting.Property.NodeScope);
+    public static final Setting<String> IDP_ORGANIZATION_DISPLAY_NAME = Setting.simpleString("xpack.idp.organization.display_name",
+        IDP_ORGANIZATION_NAME, Setting.Property.NodeScope);
+    public static final Setting<URL> IDP_ORGANIZATION_URL = new Setting<>("xpack.idp.organization.url", "http:",
+        value -> parseUrl("xpack.idp.organization.url", value), Setting.Property.NodeScope);
+
+    public static final Setting<String> IDP_CONTACT_GIVEN_NAME = Setting.simpleString("xpack.idp.contact.given_name",
+        Setting.Property.NodeScope);
+    public static final Setting<String> IDP_CONTACT_SURNAME = Setting.simpleString("xpack.idp.contact.surname",
+        Setting.Property.NodeScope);
+    public static final Setting<String> IDP_CONTACT_EMAIL = Setting.simpleString("xpack.idp.contact.email", Setting.Property.NodeScope);
+
+    private final SamlServiceProviderResolver serviceProviderResolver;
+
+    private String entityId;
+    private Map<String, URL> ssoEndpoints;
+    private Map<String, URL> sloEndpoints;
+    private Set<String> allowedNameIdFormats;
+    private X509Credential signingCredential;
+    private X509Credential metadataSigningCredential;
+    private SamlIdentityProvider.ContactInfo technicalContact;
+    private SamlIdentityProvider.OrganizationInfo organization;
+    private ServiceProviderDefaults serviceProviderDefaults;
+
+    SamlIdentityProviderBuilder(SamlServiceProviderResolver serviceProviderResolver) {
+        this.serviceProviderResolver = serviceProviderResolver;
+        this.ssoEndpoints = new HashMap<>();
+        this.sloEndpoints = new HashMap<>();
+    }
+
+    public SamlIdentityProvider build() throws ValidationException {
+        ValidationException ex = new ValidationException();
+
+        if (Strings.isNullOrEmpty(entityId)) {
+            ex.addValidationError("IDP Entity ID must be set (was [" + entityId + "])");
+        }
+
+        if (ssoEndpoints == null || ssoEndpoints.containsKey(SAML2_REDIRECT_BINDING_URI) == false) {
+            ex.addValidationError("The redirect ([ " + SAML2_REDIRECT_BINDING_URI + "]) SSO binding is required");
+        }
+
+        if (signingCredential == null) {
+            ex.addValidationError("Signing credential must be specified");
+        } else {
+            try {
+                validateSigningKey(signingCredential.getPrivateKey());
+            } catch (ElasticsearchSecurityException e) {
+                ex.addValidationError("Signing credential is invalid - " + e.getMessage());
+            }
+        }
+
+        if (metadataSigningCredential != null) {
+            try {
+                validateSigningKey(metadataSigningCredential.getPrivateKey());
+            } catch (ElasticsearchSecurityException e) {
+                ex.addValidationError("Metadata signing credential is invalid - " + e.getMessage());
+            }
+        }
+
+        if (serviceProviderDefaults == null) {
+            ex.addValidationError("Service provider defaults must be specified");
+        }
+
+        if (ex.validationErrors().isEmpty() == false) {
+            throw ex;
+        }
+
+        return new SamlIdentityProvider(
+            entityId,
+            Map.copyOf(ssoEndpoints),
+            sloEndpoints == null ? Map.of() : Map.copyOf(sloEndpoints),
+            Set.copyOf(allowedNameIdFormats),
+            signingCredential, metadataSigningCredential,
+            technicalContact, organization,
+            serviceProviderDefaults,
+            serviceProviderResolver);
+    }
+
+    public SamlIdentityProviderBuilder fromSettings(Environment env) {
+        final Settings settings = env.settings();
+        this.entityId = require(settings, IDP_ENTITY_ID);
+        this.ssoEndpoints = new HashMap<>();
+        this.sloEndpoints = new HashMap<>();
+        this.ssoEndpoints.put(SAML2_REDIRECT_BINDING_URI, requiredUrl(settings, IDP_SSO_REDIRECT_ENDPOINT));
+        if (IDP_SSO_POST_ENDPOINT.exists(settings)) {
+            this.ssoEndpoints.put(SAML2_POST_BINDING_URI, IDP_SSO_POST_ENDPOINT.get(settings));
+        }
+        if (IDP_SLO_POST_ENDPOINT.exists(settings)) {
+            this.sloEndpoints.put(SAML2_POST_BINDING_URI, IDP_SLO_POST_ENDPOINT.get(settings));
+        }
+        if (IDP_SLO_REDIRECT_ENDPOINT.exists(settings)) {
+            this.sloEndpoints.put(SAML2_REDIRECT_BINDING_URI, IDP_SLO_REDIRECT_ENDPOINT.get(settings));
+        }
+        this.allowedNameIdFormats = new HashSet<>(IDP_ALLOWED_NAMEID_FORMATS.get(settings));
+        this.signingCredential = buildSigningCredential(env, settings, "xpack.idp.signing.");
+        this.metadataSigningCredential = buildSigningCredential(env, settings, "xpack.idp.metadata_signing.");
+        this.technicalContact = buildContactInfo(settings);
+        this.organization = buildOrganization(settings);
+        return this;
+    }
+
+    public static List<? extends Setting<?>> getSettings() {
+        return List.of(
+            IDP_ENTITY_ID,
+            IDP_SLO_REDIRECT_ENDPOINT,
+            IDP_SLO_POST_ENDPOINT,
+            IDP_SSO_REDIRECT_ENDPOINT,
+            IDP_SSO_POST_ENDPOINT,
+            IDP_ALLOWED_NAMEID_FORMATS,
+            IDP_SIGNING_KEY_ALIAS,
+            IDP_METADATA_SIGNING_KEY_ALIAS,
+            IDP_ORGANIZATION_NAME,
+            IDP_ORGANIZATION_DISPLAY_NAME,
+            IDP_ORGANIZATION_URL,
+            IDP_CONTACT_GIVEN_NAME,
+            IDP_CONTACT_SURNAME,
+            IDP_CONTACT_EMAIL);
+    }
+
+    public SamlIdentityProviderBuilder serviceProviderDefaults(ServiceProviderDefaults serviceProviderDefaults) {
+        this.serviceProviderDefaults = serviceProviderDefaults;
+        return this;
+    }
+
+    public SamlIdentityProviderBuilder entityId(String entityId) {
+        this.entityId = entityId;
+        return this;
+    }
+
+    public SamlIdentityProviderBuilder singleSignOnEndpoints(Map<String, URL> ssoEndpoints) {
+        this.ssoEndpoints = ssoEndpoints;
+        return this;
+    }
+
+    public SamlIdentityProviderBuilder singleLogoutEndpoints(Map<String, URL> sloEndpoints) {
+        this.sloEndpoints = sloEndpoints;
+        return this;
+    }
+
+    public SamlIdentityProviderBuilder singleSignOnEndpoint(String binding, URL endpoint) {
+        this.ssoEndpoints.put(binding, endpoint);
+        return this;
+    }
+
+    public SamlIdentityProviderBuilder singleLogoutEndpoint(String binding, URL endpoint) {
+        this.sloEndpoints.put(binding, endpoint);
+        return this;
+    }
+
+    public SamlIdentityProviderBuilder allowedNameIdFormat(String nameIdFormat) {
+        this.allowedNameIdFormats.add(nameIdFormat);
+        return this;
+    }
+
+    public SamlIdentityProviderBuilder signingCredential(X509Credential signingCredential) {
+        this.signingCredential = signingCredential;
+        return this;
+    }
+
+    public SamlIdentityProviderBuilder metadataSigningCredential(X509Credential metadataSigningCredential) {
+        this.metadataSigningCredential = metadataSigningCredential;
+        return this;
+    }
+
+    public SamlIdentityProviderBuilder technicalContact(SamlIdentityProvider.ContactInfo technicalContact) {
+        this.technicalContact = technicalContact;
+        return this;
+    }
+
+    public SamlIdentityProviderBuilder organization(SamlIdentityProvider.OrganizationInfo organization) {
+        this.organization = organization;
+        return this;
+    }
+
+    private static URL parseUrl(String key, String value) {
+        try {
+            return new URL(value);
+        } catch (MalformedURLException e) {
+            throw new IllegalArgumentException("Invalid value [" + value + "] for [" + key + "]. Not a valid URL", e);
+        }
+    }
+
+    private static void validateNameIDs(List<String> values) {
+        final Set<String> invalidFormats =
+            values.stream().distinct().filter(e -> ALLOWED_NAMEID_FORMATS.contains(e) == false).collect(Collectors.toSet());
+        if (invalidFormats.size() > 0) {
+            throw new IllegalArgumentException(
+                invalidFormats + " are not valid NameID formats. Allowed values are " + ALLOWED_NAMEID_FORMATS);
+        }
+    }
+
+    static String require(Settings settings, Setting<String> setting) {
+        if (settings.hasValue(setting.getKey())) {
+            return setting.get(settings);
+        } else {
+            throw new IllegalArgumentException("The configuration setting [" + setting.getKey() + "] is required");
+        }
+    }
+
+    static URL requiredUrl(Settings settings, Setting<URL> setting) {
+        if (settings.hasValue(setting.getKey())) {
+            return setting.get(settings);
+        } else {
+            throw new IllegalArgumentException("The configuration setting [" + setting.getKey() + "] is required");
+        }
+    }
+
+    // Package protected for testing
+    static X509Credential buildSigningCredential(Environment environment, Settings settings, String prefix) {
+        List<X509Credential> credentials = buildCredentials(environment, settings, prefix, false);
+        if (credentials.isEmpty()) {
+            return null;
+        }
+        return credentials.get(0);
+    }
+
+    static List<X509Credential> buildCredentials(Environment env, Settings settings, String prefix, boolean allowMultiple) {
+        final X509KeyPairSettings keyPairSettings = X509KeyPairSettings.withPrefix(prefix, false);
+        final X509KeyManager keyManager = CertParsingUtils.getKeyManager(keyPairSettings, settings, null, env);
+        if (keyManager == null) {
+            return Collections.emptyList();
+        }
+
+        final List<X509Credential> credentials = new ArrayList<>();
+        final Set<String> selectedAliases = new HashSet<>();
+        final String configAlias = settings.get(prefix + "keystore.alias");
+        if (Strings.isNullOrEmpty(configAlias)) {
+            final String[] rsaAliases = keyManager.getServerAliases("RSA", null);
+            if (null != rsaAliases) {
+                selectedAliases.addAll(Arrays.asList(rsaAliases));
+            }
+            final String[] ecAliases = keyManager.getServerAliases("EC", null);
+            if (null != ecAliases) {
+                selectedAliases.addAll(Arrays.asList(ecAliases));
+            }
+            if (selectedAliases.isEmpty()) {
+                throw new IllegalArgumentException(
+                    "The configured keystore for [" + prefix + "keystore] does not contain any RSA or EC key pairs.");
+            }
+            if (selectedAliases.size() > 1 && allowMultiple == false) {
+                throw new IllegalArgumentException(
+                    "The configured keystore for [" + prefix + "keystore] contains multiple private key entries, when one was expected.");
+            }
+        } else {
+            selectedAliases.add(configAlias);
+        }
+        for (String alias : selectedAliases) {
+            try {
+                validateSigningKey(keyManager.getPrivateKey(alias));
+            } catch (ElasticsearchSecurityException e) {
+                throw new IllegalArgumentException("The configured credential [" + prefix + "keystore] with alias [" + alias
+                    + "] is not a valid signing key - " + e.getMessage());
+            }
+            credentials.add(new X509KeyManagerX509CredentialAdapter(keyManager, alias));
+        }
+        return credentials;
+    }
+
+    private static void validateSigningKey(PrivateKey privateKey) {
+        if (privateKey == null) {
+            throw new ElasticsearchSecurityException("There is no private key available for this credential");
+        }
+        final String keyType = privateKey.getAlgorithm();
+        if (keyType.equals("RSA") == false && keyType.equals("EC") == false) {
+            throw new ElasticsearchSecurityException("The private key uses unsupported key algorithm type [" + keyType
+                + "], only RSA and EC are supported");
+        }
+    }
+
+    private static SamlIdentityProvider.OrganizationInfo buildOrganization(Settings settings) {
+        final String name = settings.hasValue(IDP_ORGANIZATION_NAME.getKey()) ? IDP_ORGANIZATION_NAME.get(settings) : null;
+        final String displayName = settings.hasValue(IDP_ORGANIZATION_DISPLAY_NAME.getKey()) ?
+            IDP_ORGANIZATION_DISPLAY_NAME.get(settings) : null;
+        final String url = settings.hasValue(IDP_ORGANIZATION_URL.getKey()) ? IDP_ORGANIZATION_URL.get(settings).toString() : null;
+        if (Stream.of(name, displayName, url).allMatch(Objects::isNull) == false) {
+            return new SamlIdentityProvider.OrganizationInfo(name, displayName, url);
+        }
+        return null;
+    }
+
+    private static SamlIdentityProvider.ContactInfo buildContactInfo(Settings settings) {
+        if (settings.hasValue(IDP_CONTACT_EMAIL.getKey())) {
+            return new SamlIdentityProvider.ContactInfo(ContactPersonTypeEnumeration.TECHNICAL,
+                IDP_CONTACT_GIVEN_NAME.get(settings), IDP_CONTACT_SURNAME.get(settings), IDP_CONTACT_EMAIL.get(settings));
+        }
+        return null;
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/idp/SamlMetadataGenerator.java

@@ -0,0 +1,104 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.saml.idp;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.xpack.idp.action.SamlMetadataResponse;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProvider;
+import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
+import org.elasticsearch.xpack.idp.saml.support.SamlInit;
+import org.opensaml.core.xml.io.MarshallingException;
+import org.opensaml.saml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml.saml2.metadata.impl.EntityDescriptorMarshaller;
+import org.opensaml.security.x509.X509Credential;
+import org.opensaml.xmlsec.signature.Signature;
+import org.opensaml.xmlsec.signature.support.SignatureException;
+import org.opensaml.xmlsec.signature.support.Signer;
+import org.w3c.dom.Element;
+
+import static org.opensaml.saml.common.xml.SAMLConstants.SAML2_POST_BINDING_URI;
+import static org.opensaml.saml.common.xml.SAMLConstants.SAML2_REDIRECT_BINDING_URI;
+import static org.opensaml.saml.saml2.core.NameIDType.PERSISTENT;
+import static org.opensaml.saml.saml2.core.NameIDType.TRANSIENT;
+import static org.opensaml.xmlsec.signature.Signature.DEFAULT_ELEMENT_NAME;
+import static org.opensaml.xmlsec.signature.support.SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS;
+import static org.opensaml.xmlsec.signature.support.SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
+
+public class SamlMetadataGenerator {
+
+    private final SamlFactory samlFactory;
+    private final SamlIdentityProvider idp;
+    private final Logger logger = LogManager.getLogger(SamlMetadataGenerator.class);
+
+    public SamlMetadataGenerator(SamlFactory samlFactory, SamlIdentityProvider idp) {
+        this.samlFactory = samlFactory;
+        this.idp = idp;
+        SamlInit.initialize();
+    }
+
+    public void generateMetadata(String spEntityId, ActionListener<SamlMetadataResponse> listener) {
+        idp.getRegisteredServiceProvider(spEntityId, true, ActionListener.wrap(
+            sp -> {
+                try {
+                    if (null == sp) {
+                        listener.onFailure(new IllegalArgumentException("Service provider with Entity ID [" + spEntityId
+                            + "] is not registered with this Identity Provider"));
+                        return;
+                    }
+                    EntityDescriptor metadata = buildEntityDescriptor(sp);
+                    final X509Credential signingCredential = idp.getMetadataSigningCredential();
+                    Element metadataElement = possiblySignDescriptor(metadata, signingCredential);
+                    listener.onResponse(new SamlMetadataResponse(samlFactory.toString(metadataElement, false)));
+                } catch (Exception e) {
+                    logger.debug("Error generating IDP metadata to share with [" + spEntityId + "]", e);
+                    listener.onFailure(e);
+                }
+            },
+            listener::onFailure
+        ));
+    }
+
+    EntityDescriptor buildEntityDescriptor(SamlServiceProvider sp) throws Exception {
+        final SamlIdPMetadataBuilder builder = new SamlIdPMetadataBuilder(idp.getEntityId())
+            .wantAuthnRequestsSigned(sp.shouldSignAuthnRequests())
+            .withSingleSignOnServiceUrl(SAML2_REDIRECT_BINDING_URI,
+                idp.getSingleSignOnEndpoint(SAML2_REDIRECT_BINDING_URI))
+            .withSingleSignOnServiceUrl(SAML2_POST_BINDING_URI,
+                idp.getSingleSignOnEndpoint(SAML2_POST_BINDING_URI))
+            .withSingleLogoutServiceUrl(SAML2_REDIRECT_BINDING_URI,
+                idp.getSingleLogoutEndpoint(SAML2_REDIRECT_BINDING_URI))
+            .withSingleLogoutServiceUrl(SAML2_POST_BINDING_URI,
+                idp.getSingleLogoutEndpoint(SAML2_POST_BINDING_URI))
+            .withNameIdFormat(PERSISTENT)
+            .withNameIdFormat(TRANSIENT)
+            .organization(idp.getOrganization())
+            .withContact(idp.getTechnicalContact());
+        final X509Credential signingCredential = idp.getSigningCredential();
+        if (null != signingCredential) {
+            builder.withSigningCertificate(signingCredential.getEntityCertificate());
+        }
+        return builder.build();
+    }
+
+    Element possiblySignDescriptor(EntityDescriptor descriptor, X509Credential signingCredential) throws MarshallingException,
+        SignatureException {
+        EntityDescriptorMarshaller marshaller = new EntityDescriptorMarshaller();
+        if (null == signingCredential) {
+            return marshaller.marshall(descriptor);
+        } else {
+            Signature signature = samlFactory.buildObject(Signature.class, DEFAULT_ELEMENT_NAME);
+            signature.setSigningCredential(signingCredential);
+            signature.setSignatureAlgorithm(ALGO_ID_SIGNATURE_RSA_SHA256);
+            signature.setCanonicalizationAlgorithm(ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+            descriptor.setSignature(signature);
+            Element element = new EntityDescriptorMarshaller().marshall(descriptor);
+            Signer.signObject(signature);
+            return element;
+        }
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/rest/action/IdpBaseRestHandler.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.saml.rest.action;
+
+import org.elasticsearch.client.node.NodeClient;
+import org.elasticsearch.license.License;
+import org.elasticsearch.license.LicenseUtils;
+import org.elasticsearch.license.XPackLicenseState;
+import org.elasticsearch.rest.BaseRestHandler;
+import org.elasticsearch.rest.BytesRestResponse;
+import org.elasticsearch.rest.RestRequest;
+
+import java.io.IOException;
+
+public abstract class IdpBaseRestHandler extends BaseRestHandler {
+
+    private static License.OperationMode MINIMUM_ALLOWED_LICENSE = License.OperationMode.ENTERPRISE;
+
+    protected final XPackLicenseState licenseState;
+
+    protected IdpBaseRestHandler(XPackLicenseState licenseState) {
+        this.licenseState = licenseState;
+    }
+
+    protected final RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
+        RestChannelConsumer consumer = innerPrepareRequest(request, client);
+        if (isIdpFeatureAllowed()) {
+            return consumer;
+        } else {
+            return channel -> channel.sendResponse(new BytesRestResponse(channel,
+                LicenseUtils.newComplianceException("Identity Provider")));
+        }
+    }
+
+    protected boolean isIdpFeatureAllowed() {
+        return licenseState.isAllowedByLicense(MINIMUM_ALLOWED_LICENSE);
+    }
+
+    /**
+     * Implementers should implement this method as they normally would for
+     * {@link BaseRestHandler#prepareRequest(RestRequest, NodeClient)} and ensure that all request
+     * parameters are consumed prior to returning a value.
+     */
+    protected abstract RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClient client) throws IOException;
+}
+
+

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/rest/action/RestDeleteSamlServiceProviderAction.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.saml.rest.action;
+
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.client.node.NodeClient;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.license.XPackLicenseState;
+import org.elasticsearch.rest.BytesRestResponse;
+import org.elasticsearch.rest.RestRequest;
+import org.elasticsearch.rest.RestRequest.Method;
+import org.elasticsearch.rest.RestResponse;
+import org.elasticsearch.rest.RestStatus;
+import org.elasticsearch.rest.action.RestBuilderListener;
+import org.elasticsearch.xpack.idp.action.DeleteSamlServiceProviderAction;
+import org.elasticsearch.xpack.idp.action.DeleteSamlServiceProviderRequest;
+import org.elasticsearch.xpack.idp.action.DeleteSamlServiceProviderResponse;
+
+import java.io.IOException;
+import java.util.List;
+
+/**
+ * Rest endpoint to remove a service provider (by Entity ID) from the IdP.
+ */
+public class RestDeleteSamlServiceProviderAction extends IdpBaseRestHandler {
+
+    public RestDeleteSamlServiceProviderAction(XPackLicenseState licenseState) {
+        super(licenseState);
+    }
+
+    @Override
+    public String getName() {
+        return "idp_delete_saml_sp_action";
+    }
+
+    @Override
+    public List<Route> routes() {
+        return List.of(new Route(Method.DELETE, "/_idp/saml/sp/{sp_entity_id}"));
+    }
+
+    @Override
+    protected RestChannelConsumer innerPrepareRequest(RestRequest restRequest, NodeClient client) throws IOException {
+        final String entityId = restRequest.param("sp_entity_id");
+        final WriteRequest.RefreshPolicy refresh = restRequest.hasParam("refresh")
+            ? WriteRequest.RefreshPolicy.parse(restRequest.param("refresh")) : WriteRequest.RefreshPolicy.NONE;
+        final DeleteSamlServiceProviderRequest request = new DeleteSamlServiceProviderRequest(entityId, refresh);
+        return channel -> client.execute(DeleteSamlServiceProviderAction.INSTANCE, request,
+            new RestBuilderListener<>(channel) {
+                @Override
+                public RestResponse buildResponse(DeleteSamlServiceProviderResponse response, XContentBuilder builder) throws Exception {
+                    response.toXContent(builder, restRequest);
+                    return new BytesRestResponse(response.found() ? RestStatus.OK : RestStatus.NOT_FOUND, builder);
+                }
+            });
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/rest/action/RestPutSamlServiceProviderAction.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.saml.rest.action;
+
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.client.node.NodeClient;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.common.xcontent.XContentParser;
+import org.elasticsearch.license.XPackLicenseState;
+import org.elasticsearch.rest.BytesRestResponse;
+import org.elasticsearch.rest.RestRequest;
+import org.elasticsearch.rest.RestRequest.Method;
+import org.elasticsearch.rest.RestResponse;
+import org.elasticsearch.rest.RestStatus;
+import org.elasticsearch.rest.action.RestBuilderListener;
+import org.elasticsearch.xpack.idp.action.PutSamlServiceProviderAction;
+import org.elasticsearch.xpack.idp.action.PutSamlServiceProviderRequest;
+import org.elasticsearch.xpack.idp.action.PutSamlServiceProviderResponse;
+
+import java.io.IOException;
+import java.util.List;
+
+public class RestPutSamlServiceProviderAction extends IdpBaseRestHandler {
+
+    public RestPutSamlServiceProviderAction(XPackLicenseState licenseState) {
+        super(licenseState);
+    }
+
+    @Override
+    public String getName() {
+        return "idp_put_saml_sp_action";
+    }
+
+    @Override
+    public List<Route> routes() {
+        return List.of(
+            new Route(Method.PUT, "/_idp/saml/sp/{sp_entity_id}"),
+            new Route(Method.POST, "/_idp/saml/sp/{sp_entity_id}")
+        );
+    }
+
+    @Override
+    protected RestChannelConsumer innerPrepareRequest(RestRequest restRequest, NodeClient client) throws IOException {
+        final String entityId = restRequest.param("sp_entity_id");
+        final WriteRequest.RefreshPolicy refreshPolicy = restRequest.hasParam("refresh")
+            ? WriteRequest.RefreshPolicy.parse(restRequest.param("refresh")) : PutSamlServiceProviderRequest.DEFAULT_REFRESH_POLICY;
+        try (XContentParser parser = restRequest.contentParser()) {
+            final PutSamlServiceProviderRequest request = PutSamlServiceProviderRequest.fromXContent(entityId, refreshPolicy, parser);
+            return channel -> client.execute(PutSamlServiceProviderAction.INSTANCE, request,
+                new RestBuilderListener<>(channel) {
+                    @Override
+                    public RestResponse buildResponse(PutSamlServiceProviderResponse response, XContentBuilder builder) throws Exception {
+                        response.toXContent(builder, restRequest);
+                        return new BytesRestResponse(RestStatus.OK, builder);
+                    }
+                });
+        }
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/rest/action/RestSamlInitiateSingleSignOnAction.java

@@ -0,0 +1,77 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.saml.rest.action;
+
+import org.elasticsearch.client.node.NodeClient;
+import org.elasticsearch.common.ParseField;
+import org.elasticsearch.common.xcontent.ObjectParser;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.common.xcontent.XContentParser;
+import org.elasticsearch.license.XPackLicenseState;
+import org.elasticsearch.rest.BytesRestResponse;
+import org.elasticsearch.rest.RestRequest;
+
+import org.elasticsearch.rest.RestResponse;
+import org.elasticsearch.rest.RestStatus;
+import org.elasticsearch.rest.action.RestBuilderListener;
+import org.elasticsearch.xpack.idp.action.SamlInitiateSingleSignOnAction;
+import org.elasticsearch.xpack.idp.action.SamlInitiateSingleSignOnRequest;
+import org.elasticsearch.xpack.idp.action.SamlInitiateSingleSignOnResponse;
+import org.elasticsearch.xpack.idp.saml.support.SamlAuthenticationState;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+
+import static org.elasticsearch.rest.RestRequest.Method.POST;
+
+public class RestSamlInitiateSingleSignOnAction extends IdpBaseRestHandler {
+    static final ObjectParser<SamlInitiateSingleSignOnRequest, Void> PARSER = new ObjectParser<>("idp_init_sso",
+        SamlInitiateSingleSignOnRequest::new);
+
+    static {
+        PARSER.declareString(SamlInitiateSingleSignOnRequest::setSpEntityId, new ParseField("entity_id"));
+        PARSER.declareObject(SamlInitiateSingleSignOnRequest::setSamlAuthenticationState, (p, c) -> SamlAuthenticationState.fromXContent(p),
+            new ParseField("authn_state"));
+    }
+
+    public RestSamlInitiateSingleSignOnAction(XPackLicenseState licenseState) {
+        super(licenseState);
+    }
+
+    @Override
+    public List<Route> routes() {
+        return Collections.singletonList(
+            new Route(POST, "/_idp/saml/init")
+        );
+    }
+
+    @Override
+    public String getName() {
+        return "saml_idp_init_sso_action";
+    }
+
+    @Override
+    protected RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClient client) throws IOException {
+        try (XContentParser parser = request.contentParser()) {
+            final SamlInitiateSingleSignOnRequest initRequest = PARSER.parse(parser, null);
+            return channel -> client.execute(SamlInitiateSingleSignOnAction.INSTANCE, initRequest,
+                new RestBuilderListener<SamlInitiateSingleSignOnResponse>(channel) {
+                    @Override
+                    public RestResponse buildResponse(SamlInitiateSingleSignOnResponse response, XContentBuilder builder) throws Exception {
+                        builder.startObject();
+                        builder.field("post_url", response.getPostUrl());
+                        builder.field("saml_response", response.getSamlResponse());
+                        builder.startObject("service_provider");
+                        builder.field("entity_id", response.getEntityId());
+                        builder.endObject();
+                        builder.endObject();
+                        return new BytesRestResponse(RestStatus.OK, builder);
+                    }
+                });
+        }
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/rest/action/RestSamlMetadataAction.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.saml.rest.action;
+
+import org.elasticsearch.client.node.NodeClient;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.license.XPackLicenseState;
+import org.elasticsearch.rest.BytesRestResponse;
+import org.elasticsearch.rest.RestRequest;
+import org.elasticsearch.rest.RestResponse;
+import org.elasticsearch.rest.RestStatus;
+import org.elasticsearch.rest.action.RestBuilderListener;
+import org.elasticsearch.xpack.idp.action.SamlMetadataAction;
+import org.elasticsearch.xpack.idp.action.SamlMetadataRequest;
+import org.elasticsearch.xpack.idp.action.SamlMetadataResponse;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+
+import static org.elasticsearch.rest.RestRequest.Method.GET;
+
+public class RestSamlMetadataAction extends IdpBaseRestHandler {
+
+    public RestSamlMetadataAction(XPackLicenseState licenseState) {
+        super(licenseState);
+    }
+
+    @Override
+    public String getName() {
+        return "saml_metadata_action";
+    }
+
+    @Override
+    public List<Route> routes() {
+        return Collections.singletonList(new Route(GET, "/_idp/saml/metadata/{sp_entity_id}"));
+    }
+
+    @Override
+    protected RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClient client) throws IOException {
+        final String spEntityId = request.param("sp_entity_id");
+        final SamlMetadataRequest metadataRequest = new SamlMetadataRequest(spEntityId);
+        return channel -> client.execute(SamlMetadataAction.INSTANCE, metadataRequest,
+            new RestBuilderListener<SamlMetadataResponse>(channel) {
+                @Override
+                public RestResponse buildResponse(SamlMetadataResponse response, XContentBuilder builder) throws Exception {
+                    builder.startObject();
+                    builder.field("metadata", response.getXmlString());
+                    builder.endObject();
+                    return new BytesRestResponse(RestStatus.OK, builder);
+                }
+            });
+
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/rest/action/RestSamlValidateAuthenticationRequestAction.java

@@ -0,0 +1,72 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp.saml.rest.action;
+
+import org.elasticsearch.client.node.NodeClient;
+import org.elasticsearch.common.ParseField;
+import org.elasticsearch.common.xcontent.ObjectParser;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.common.xcontent.XContentParser;
+import org.elasticsearch.license.XPackLicenseState;
+import org.elasticsearch.rest.BytesRestResponse;
+import org.elasticsearch.rest.RestRequest;
+import org.elasticsearch.rest.RestResponse;
+import org.elasticsearch.rest.RestStatus;
+import org.elasticsearch.rest.action.RestBuilderListener;
+import org.elasticsearch.xpack.idp.action.SamlValidateAuthnRequestAction;
+import org.elasticsearch.xpack.idp.action.SamlValidateAuthnRequestRequest;
+import org.elasticsearch.xpack.idp.action.SamlValidateAuthnRequestResponse;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+
+import static org.elasticsearch.rest.RestRequest.Method.POST;
+
+public class RestSamlValidateAuthenticationRequestAction extends IdpBaseRestHandler {
+
+    static final ObjectParser<SamlValidateAuthnRequestRequest, Void> PARSER =
+        new ObjectParser<>("idp_validate_authn_request", SamlValidateAuthnRequestRequest::new);
+
+    static {
+        PARSER.declareString(SamlValidateAuthnRequestRequest::setQueryString, new ParseField("authn_request_query"));
+    }
+
+    public RestSamlValidateAuthenticationRequestAction(XPackLicenseState licenseState) {
+        super(licenseState);
+    }
+
+    @Override
+    public String getName() {
+        return "saml_idp_validate_authn_request_action";
+    }
+
+    @Override
+    public List<Route> routes() {
+        return Collections.singletonList(new Route(POST, "/_idp/saml/validate"));
+    }
+
+    @Override
+    protected RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClient client) throws IOException {
+        try (XContentParser parser = request.contentParser()) {
+            final SamlValidateAuthnRequestRequest validateRequest = PARSER.parse(parser, null);
+            return channel -> client.execute(SamlValidateAuthnRequestAction.INSTANCE, validateRequest,
+                new RestBuilderListener<SamlValidateAuthnRequestResponse>(channel) {
+                    @Override
+                    public RestResponse buildResponse(SamlValidateAuthnRequestResponse response, XContentBuilder builder) throws Exception {
+                        builder.startObject();
+                        builder.startObject("service_provider");
+                        builder.field("entity_id", response.getSpEntityId());
+                        builder.endObject();
+                        builder.field("force_authn", response.isForceAuthn());
+                        builder.field("authn_state", response.getAuthnState());
+                        builder.endObject();
+                        return new BytesRestResponse(RestStatus.OK, builder);
+                    }
+                });
+        }
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/sp/CloudServiceProvider.java

@@ -0,0 +1,116 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.saml.sp;
+
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.xpack.idp.privileges.ServiceProviderPrivileges;
+import org.joda.time.ReadableDuration;
+import org.opensaml.security.x509.X509Credential;
+
+import java.net.URL;
+import java.util.Set;
+
+
+public class CloudServiceProvider implements SamlServiceProvider {
+
+    private final String entityId;
+    private final String name;
+    private final boolean enabled;
+    private final URL assertionConsumerService;
+    private final String allowedNameIdFormat;
+    private final ReadableDuration authnExpiry;
+    private final ServiceProviderPrivileges privileges;
+    private final AttributeNames attributeNames;
+    private final Set<X509Credential> spSigningCredentials;
+    private final boolean signAuthnRequests;
+    private final boolean signLogoutRequests;
+
+    public CloudServiceProvider(String entityId, String name, boolean enabled, URL assertionConsumerService, String allowedNameIdFormat,
+                                ReadableDuration authnExpiry, ServiceProviderPrivileges privileges, AttributeNames attributeNames,
+                                Set<X509Credential> spSigningCredentials, boolean signAuthnRequests, boolean signLogoutRequests) {
+        if (Strings.isNullOrEmpty(entityId)) {
+            throw new IllegalArgumentException("Service Provider Entity ID cannot be null or empty");
+        }
+        this.entityId = entityId;
+        this.name = name;
+        this.enabled = enabled;
+        this.assertionConsumerService = assertionConsumerService;
+        this.allowedNameIdFormat = allowedNameIdFormat;
+        this.authnExpiry = authnExpiry;
+        this.privileges = privileges;
+        this.attributeNames = attributeNames;
+        this.spSigningCredentials = spSigningCredentials == null ? Set.of() : Set.copyOf(spSigningCredentials);
+        this.signLogoutRequests = signLogoutRequests;
+        this.signAuthnRequests = signAuthnRequests;
+    }
+
+    @Override
+    public String getEntityId() {
+        return entityId;
+    }
+
+    @Override
+    public String getName() {
+        return name;
+    }
+
+    @Override
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    @Override
+    public String getAllowedNameIdFormat() {
+        return allowedNameIdFormat;
+    }
+
+    @Override
+    public URL getAssertionConsumerService() {
+        return assertionConsumerService;
+    }
+
+    @Override
+    public ReadableDuration getAuthnExpiry() {
+        return authnExpiry;
+    }
+
+    @Override
+    public AttributeNames getAttributeNames() {
+        return attributeNames;
+    }
+
+    @Override
+    public Set<X509Credential> getSpSigningCredentials() {
+        return spSigningCredentials;
+    }
+
+    @Override
+    public boolean shouldSignAuthnRequests() {
+        return signAuthnRequests;
+    }
+
+    @Override
+    public boolean shouldSignLogoutRequests() {
+        return signLogoutRequests;
+    }
+
+    @Override
+    public ServiceProviderPrivileges getPrivileges() {
+        return privileges;
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName()
+            + "{"
+            + "entityId=[" + entityId + ']'
+            + " name=[" + name + ']'
+            + " enabled=" + enabled
+            + " acs=[" + assertionConsumerService + "]"
+            + "}";
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/sp/SamlServiceProvider.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.saml.sp;
+
+import org.elasticsearch.xpack.idp.privileges.ServiceProviderPrivileges;
+import org.joda.time.ReadableDuration;
+import org.opensaml.security.x509.X509Credential;
+
+import java.net.URL;
+import java.util.Set;
+
+/**
+ * SAML 2.0 configuration information about a specific service provider
+ */
+public interface SamlServiceProvider {
+
+    String getName();
+
+    boolean isEnabled();
+
+    String getEntityId();
+
+    String getAllowedNameIdFormat();
+
+    URL getAssertionConsumerService();
+
+    ReadableDuration getAuthnExpiry();
+
+    class AttributeNames {
+        public final String principal;
+        public final String name;
+        public final String email;
+        public final String roles;
+
+        public AttributeNames(String principal, String name, String email, String roles) {
+            this.principal = principal;
+            this.name = name;
+            this.email = email;
+            this.roles = roles;
+        }
+    }
+
+    AttributeNames getAttributeNames();
+
+    ServiceProviderPrivileges getPrivileges();
+
+    Set<X509Credential> getSpSigningCredentials();
+
+    boolean shouldSignAuthnRequests();
+
+    boolean shouldSignLogoutRequests();
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/sp/SamlServiceProviderDocument.java

@@ -0,0 +1,539 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.saml.sp;
+
+import org.elasticsearch.ElasticsearchException;
+import org.elasticsearch.common.Nullable;
+import org.elasticsearch.common.ParseField;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.ValidationException;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.common.io.stream.Writeable;
+import org.elasticsearch.common.util.set.Sets;
+import org.elasticsearch.common.xcontent.ObjectParser;
+import org.elasticsearch.common.xcontent.ToXContentObject;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.common.xcontent.XContentParser;
+import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
+import org.joda.time.Duration;
+import org.joda.time.ReadableDuration;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.UncheckedIOException;
+import java.nio.charset.StandardCharsets;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.util.Base64;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+import java.util.function.BiConsumer;
+import java.util.stream.Collectors;
+
+/**
+ * This class models the storage of a {@link SamlServiceProvider} as an Elasticsearch document.
+ */
+public class SamlServiceProviderDocument implements ToXContentObject, Writeable {
+
+    public static final String SIGN_AUTHN = "authn";
+    public static final String SIGN_LOGOUT = "logout";
+    private static final Set<String> ALLOWED_SIGN_MESSAGES = Set.of(SIGN_AUTHN, SIGN_LOGOUT);
+
+    public static class Privileges {
+        public String resource;
+        public Map<String, String> roleActions = Map.of();
+
+        public void setResource(String resource) {
+            this.resource = resource;
+        }
+
+        public void setRoleActions(Map<String, String> roleActions) {
+            this.roleActions = roleActions;
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            final Privileges that = (Privileges) o;
+            return Objects.equals(resource, that.resource) &&
+                Objects.equals(roleActions, that.roleActions);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(resource, roleActions);
+        }
+    }
+
+    public static class AttributeNames {
+        public String principal;
+        @Nullable
+        public String email;
+        @Nullable
+        public String name;
+        @Nullable
+        public String roles;
+
+        public void setPrincipal(String principal) {
+            this.principal = principal;
+        }
+
+        public void setEmail(String email) {
+            this.email = email;
+        }
+
+        public void setName(String name) {
+            this.name = name;
+        }
+
+        public void setRoles(String roles) {
+            this.roles = roles;
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            final AttributeNames that = (AttributeNames) o;
+            return Objects.equals(principal, that.principal) &&
+                Objects.equals(email, that.email) &&
+                Objects.equals(name, that.name) &&
+                Objects.equals(roles, that.roles);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(principal, email, name, roles);
+        }
+    }
+
+    public static class Certificates {
+        public List<String> serviceProviderSigning = List.of();
+        public List<String> identityProviderSigning = List.of();
+        public List<String> identityProviderMetadataSigning = List.of();
+
+        public void setServiceProviderSigning(Collection<String> serviceProviderSigning) {
+            this.serviceProviderSigning = serviceProviderSigning == null ? List.of() : List.copyOf(serviceProviderSigning);
+        }
+
+        public void setIdentityProviderSigning(Collection<String> identityProviderSigning) {
+            this.identityProviderSigning = identityProviderSigning == null ? List.of() : List.copyOf(identityProviderSigning);
+        }
+
+        public void setIdentityProviderMetadataSigning(Collection<String> identityProviderMetadataSigning) {
+            this.identityProviderMetadataSigning
+                = identityProviderMetadataSigning == null ? List.of() : List.copyOf(identityProviderMetadataSigning);
+        }
+
+        public void setServiceProviderX509SigningCertificates(Collection<X509Certificate> certificates) {
+            this.serviceProviderSigning = encodeCertificates(certificates);
+        }
+
+        public List<X509Certificate> getServiceProviderX509SigningCertificates() {
+            return decodeCertificates(this.serviceProviderSigning);
+        }
+
+        public void setIdentityProviderX509SigningCertificates(Collection<X509Certificate> certificates) {
+            this.identityProviderSigning = encodeCertificates(certificates);
+        }
+
+        public List<X509Certificate> getIdentityProviderX509SigningCertificates() {
+            return decodeCertificates(this.identityProviderSigning);
+        }
+
+        public void setIdentityProviderX509MetadataSigningCertificates(Collection<X509Certificate> certificates) {
+            this.identityProviderMetadataSigning = encodeCertificates(certificates);
+        }
+
+        public List<X509Certificate> getIdentityProviderX509MetadataSigningCertificates() {
+            return decodeCertificates(this.identityProviderMetadataSigning);
+        }
+
+        private List<String> encodeCertificates(Collection<X509Certificate> certificates) {
+            return certificates == null ? List.of() : certificates.stream()
+                .map(cert -> {
+                    try {
+                        return cert.getEncoded();
+                    } catch (CertificateEncodingException e) {
+                        throw new ElasticsearchException("Cannot read certificate", e);
+                    }
+                })
+                .map(Base64.getEncoder()::encodeToString)
+                .collect(Collectors.toUnmodifiableList());
+        }
+
+        private List<X509Certificate> decodeCertificates(List<String> encodedCertificates) {
+            if (encodedCertificates == null || encodedCertificates.isEmpty()) {
+                return List.of();
+            }
+            return encodedCertificates.stream().map(this::decodeCertificate).collect(Collectors.toUnmodifiableList());
+        }
+
+        private X509Certificate decodeCertificate(String base64Cert) {
+            final byte[] bytes = base64Cert.getBytes(StandardCharsets.UTF_8);
+            try (InputStream stream = new ByteArrayInputStream(bytes)) {
+                final List<Certificate> certificates = CertParsingUtils.readCertificates(Base64.getDecoder().wrap(stream));
+                if (certificates.size() == 1) {
+                    final Certificate certificate = certificates.get(0);
+                    if (certificate instanceof X509Certificate) {
+                        return (X509Certificate) certificate;
+                    } else {
+                        throw new ElasticsearchException("Certificate ({}) is not a X.509 certificate", certificate.getClass());
+                    }
+                } else {
+                    throw new ElasticsearchException("Expected a single certificate, but found {}", certificates.size());
+                }
+            } catch (IOException e) {
+                throw new UncheckedIOException(e);
+            } catch (CertificateException e) {
+                throw new ElasticsearchException("Cannot parse certificate(s)", e);
+            }
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            final Certificates that = (Certificates) o;
+            return Objects.equals(serviceProviderSigning, that.serviceProviderSigning) &&
+                Objects.equals(identityProviderSigning, that.identityProviderSigning) &&
+                Objects.equals(identityProviderMetadataSigning, that.identityProviderMetadataSigning);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(serviceProviderSigning, identityProviderSigning, identityProviderMetadataSigning);
+        }
+    }
+
+    @Nullable
+    public String docId;
+
+    public String name;
+
+    public String entityId;
+
+    public String acs;
+    
+    @Nullable
+    public String nameIdFormat;
+
+    public boolean enabled = true;
+    public Instant created;
+    public Instant lastModified;
+
+    public Set<String> signMessages = Set.of();
+
+    @Nullable
+    public Long authenticationExpiryMillis;
+
+    public final Privileges privileges = new Privileges();
+    public final AttributeNames attributeNames = new AttributeNames();
+    public final Certificates certificates = new Certificates();
+
+    public SamlServiceProviderDocument() {
+    }
+
+    public SamlServiceProviderDocument(StreamInput in) throws IOException {
+        docId = in.readOptionalString();
+        name = in.readString();
+        entityId = in.readString();
+        acs = in.readString();
+        enabled = in.readBoolean();
+        created = in.readInstant();
+        lastModified = in.readInstant();
+        nameIdFormat = in.readOptionalString();
+        authenticationExpiryMillis = in.readOptionalVLong();
+
+        privileges.resource = in.readString();
+        privileges.roleActions = in.readMap(StreamInput::readString, StreamInput::readString);
+
+        attributeNames.principal = in.readString();
+        attributeNames.email = in.readOptionalString();
+        attributeNames.name = in.readOptionalString();
+        attributeNames.roles = in.readOptionalString();
+
+        certificates.serviceProviderSigning = in.readStringList();
+        certificates.identityProviderSigning = in.readStringList();
+        certificates.identityProviderMetadataSigning = in.readStringList();
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeOptionalString(docId);
+        out.writeString(name);
+        out.writeString(entityId);
+        out.writeString(acs);
+        out.writeBoolean(enabled);
+        out.writeInstant(created);
+        out.writeInstant(lastModified);
+        out.writeOptionalString(nameIdFormat);
+        out.writeOptionalVLong(authenticationExpiryMillis);
+
+        out.writeString(privileges.resource);
+        out.writeMap(privileges.roleActions == null ? Map.of() : privileges.roleActions,
+            StreamOutput::writeString, StreamOutput::writeString);
+
+        out.writeString(attributeNames.principal);
+        out.writeOptionalString(attributeNames.email);
+        out.writeOptionalString(attributeNames.name);
+        out.writeOptionalString(attributeNames.roles);
+
+        out.writeStringCollection(certificates.serviceProviderSigning);
+        out.writeStringCollection(certificates.identityProviderSigning);
+        out.writeStringCollection(certificates.identityProviderMetadataSigning);
+    }
+
+    public String getDocId() {
+        return docId;
+    }
+
+    public void setDocId(String docId) {
+        this.docId = docId;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public void setEntityId(String entityId) {
+        this.entityId = entityId;
+    }
+
+    public void setAcs(String acs) {
+        this.acs = acs;
+    }
+
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
+
+    public void setCreated(Instant created) {
+        this.created = created;
+    }
+
+    public void setCreatedMillis(Long millis) {
+        this.created = Instant.ofEpochMilli(millis);
+    }
+
+    public void setLastModifiedMillis(Long millis) {
+        this.lastModified = Instant.ofEpochMilli(millis);
+    }
+
+    public void setNameIdFormat(String nameIdFormat) {
+        this.nameIdFormat = nameIdFormat;
+    }
+
+    public void setSignMessages(Collection<String> signMessages) {
+        this.signMessages = signMessages == null ? Set.of() : Set.copyOf(signMessages);
+    }
+
+    public void setAuthenticationExpiryMillis(Long authenticationExpiryMillis) {
+        this.authenticationExpiryMillis = authenticationExpiryMillis;
+    }
+
+    public void setAuthenticationExpiry(ReadableDuration authnExpiry) {
+        this.authenticationExpiryMillis = authnExpiry == null ? null : authnExpiry.getMillis();
+    }
+
+    public ReadableDuration getAuthenticationExpiry() {
+        return authenticationExpiryMillis == null ? null : Duration.millis(this.authenticationExpiryMillis);
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        final SamlServiceProviderDocument that = (SamlServiceProviderDocument) o;
+        return Objects.equals(docId, that.docId) &&
+            Objects.equals(name, that.name) &&
+            Objects.equals(entityId, that.entityId) &&
+            Objects.equals(acs, that.acs) &&
+            Objects.equals(enabled, that.enabled) &&
+            Objects.equals(created, that.created) &&
+            Objects.equals(lastModified, that.lastModified) &&
+            Objects.equals(nameIdFormat, that.nameIdFormat) &&
+            Objects.equals(authenticationExpiryMillis, that.authenticationExpiryMillis) &&
+            Objects.equals(certificates, that.certificates) &&
+            Objects.equals(privileges, that.privileges) &&
+            Objects.equals(attributeNames, that.attributeNames);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(docId, name, entityId, acs, enabled, created, lastModified, nameIdFormat, authenticationExpiryMillis,
+            certificates, privileges, attributeNames);
+    }
+
+    private static final ObjectParser<SamlServiceProviderDocument, SamlServiceProviderDocument> DOC_PARSER
+        = new ObjectParser<>("service_provider_doc", true, SamlServiceProviderDocument::new);
+    private static final ObjectParser<Privileges, Void> PRIVILEGES_PARSER = new ObjectParser<>("service_provider_priv", true, null);
+    private static final ObjectParser<AttributeNames, Void> ATTRIBUTES_PARSER = new ObjectParser<>("service_provider_attr", true, null);
+    private static final ObjectParser<Certificates, Void> CERTIFICATES_PARSER = new ObjectParser<>("service_provider_cert", true, null);
+
+    private static final BiConsumer<SamlServiceProviderDocument, Object> NULL_CONSUMER = (doc, obj) -> {
+    };
+
+    static {
+        DOC_PARSER.declareString(SamlServiceProviderDocument::setName, Fields.NAME);
+        DOC_PARSER.declareString(SamlServiceProviderDocument::setEntityId, Fields.ENTITY_ID);
+        DOC_PARSER.declareString(SamlServiceProviderDocument::setAcs, Fields.ACS);
+        DOC_PARSER.declareBoolean(SamlServiceProviderDocument::setEnabled, Fields.ENABLED);
+        DOC_PARSER.declareLong(SamlServiceProviderDocument::setCreatedMillis, Fields.CREATED_DATE);
+        DOC_PARSER.declareLong(SamlServiceProviderDocument::setLastModifiedMillis, Fields.LAST_MODIFIED);
+        DOC_PARSER.declareStringOrNull(SamlServiceProviderDocument::setNameIdFormat, Fields.NAME_ID);
+        DOC_PARSER.declareStringArray(SamlServiceProviderDocument::setSignMessages, Fields.SIGN_MSGS);
+        DOC_PARSER.declareField(SamlServiceProviderDocument::setAuthenticationExpiryMillis,
+            parser -> parser.currentToken() == XContentParser.Token.VALUE_NULL ? null : parser.longValue(),
+            Fields.AUTHN_EXPIRY, ObjectParser.ValueType.LONG_OR_NULL);
+
+        DOC_PARSER.declareObject(NULL_CONSUMER, (parser, doc) -> PRIVILEGES_PARSER.parse(parser, doc.privileges, null), Fields.PRIVILEGES);
+        PRIVILEGES_PARSER.declareString(Privileges::setResource, Fields.Privileges.RESOURCE);
+        PRIVILEGES_PARSER.declareField(Privileges::setRoleActions,
+            (parser, ignore) -> parser.currentToken() == XContentParser.Token.VALUE_NULL ? null : parser.mapStrings(),
+            Fields.Privileges.ROLES, ObjectParser.ValueType.OBJECT_OR_NULL);
+
+        DOC_PARSER.declareObject(NULL_CONSUMER, (p, doc) -> ATTRIBUTES_PARSER.parse(p, doc.attributeNames, null), Fields.ATTRIBUTES);
+        ATTRIBUTES_PARSER.declareString(AttributeNames::setPrincipal, Fields.Attributes.PRINCIPAL);
+        ATTRIBUTES_PARSER.declareStringOrNull(AttributeNames::setEmail, Fields.Attributes.EMAIL);
+        ATTRIBUTES_PARSER.declareStringOrNull(AttributeNames::setName, Fields.Attributes.NAME);
+        ATTRIBUTES_PARSER.declareStringOrNull(AttributeNames::setRoles, Fields.Attributes.ROLES);
+
+        DOC_PARSER.declareObject(NULL_CONSUMER, (p, doc) -> CERTIFICATES_PARSER.parse(p, doc.certificates, null), Fields.CERTIFICATES);
+        CERTIFICATES_PARSER.declareStringArray(Certificates::setServiceProviderSigning, Fields.Certificates.SP_SIGNING);
+        CERTIFICATES_PARSER.declareStringArray(Certificates::setIdentityProviderSigning, Fields.Certificates.IDP_SIGNING);
+        CERTIFICATES_PARSER.declareStringArray(Certificates::setIdentityProviderMetadataSigning, Fields.Certificates.IDP_METADATA);
+    }
+
+    public static SamlServiceProviderDocument fromXContent(String docId, XContentParser parser) throws IOException {
+        SamlServiceProviderDocument doc = new SamlServiceProviderDocument();
+        doc.setDocId(docId);
+        return DOC_PARSER.parse(parser, doc, doc);
+    }
+
+    public ValidationException validate() {
+        final ValidationException validation = new ValidationException();
+        if (Strings.isNullOrEmpty(name)) {
+            validation.addValidationError("field [" + Fields.NAME + "] is required, but was [" + name + "]");
+        }
+        if (Strings.isNullOrEmpty(entityId)) {
+            validation.addValidationError("field [" + Fields.ENTITY_ID + "] is required, but was [" + entityId + "]");
+        }
+        if (Strings.isNullOrEmpty(acs)) {
+            validation.addValidationError("field [" + Fields.ACS + "] is required, but was [" + acs + "]");
+        }
+        if (created == null) {
+            validation.addValidationError("field [" + Fields.CREATED_DATE + "] is required, but was [" + created + "]");
+        }
+        if (lastModified == null) {
+            validation.addValidationError("field [" + Fields.LAST_MODIFIED + "] is required, but was [" + lastModified + "]");
+        }
+
+        final Set<String> invalidSignOptions = Sets.difference(signMessages, ALLOWED_SIGN_MESSAGES);
+        if (invalidSignOptions.isEmpty() == false) {
+            validation.addValidationError("the values [" + invalidSignOptions + "] are not permitted for [" + Fields.SIGN_MSGS
+                + "] - permitted values are [" + ALLOWED_SIGN_MESSAGES + "]");
+        }
+
+        if (Strings.isNullOrEmpty(privileges.resource)) {
+            validation.addValidationError("field [" + Fields.PRIVILEGES + "." + Fields.Privileges.RESOURCE
+                + "] is required, but was [" + privileges.resource + "]");
+        }
+        if (Strings.isNullOrEmpty(attributeNames.principal)) {
+            validation.addValidationError("field [" + Fields.ATTRIBUTES + "." + Fields.Attributes.PRINCIPAL
+                + "] is required, but was [" + attributeNames.principal + "]");
+        }
+        if (validation.validationErrors().isEmpty()) {
+            return null;
+        } else {
+            return validation;
+        }
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        builder.startObject();
+        builder.field(Fields.NAME.getPreferredName(), name);
+        builder.field(Fields.ENTITY_ID.getPreferredName(), entityId);
+        builder.field(Fields.ACS.getPreferredName(), acs);
+        builder.field(Fields.ENABLED.getPreferredName(), enabled);
+        builder.field(Fields.CREATED_DATE.getPreferredName(), created == null ? null : created.toEpochMilli());
+        builder.field(Fields.LAST_MODIFIED.getPreferredName(), lastModified == null ? null : lastModified.toEpochMilli());
+        builder.field(Fields.NAME_ID.getPreferredName(), nameIdFormat);
+        builder.field(Fields.SIGN_MSGS.getPreferredName(), signMessages == null ? List.of() : signMessages);
+        builder.field(Fields.AUTHN_EXPIRY.getPreferredName(), authenticationExpiryMillis);
+
+        builder.startObject(Fields.PRIVILEGES.getPreferredName());
+        builder.field(Fields.Privileges.RESOURCE.getPreferredName(), privileges.resource);
+        builder.field(Fields.Privileges.ROLES.getPreferredName(), privileges.roleActions);
+        builder.endObject();
+
+        builder.startObject(Fields.ATTRIBUTES.getPreferredName());
+        builder.field(Fields.Attributes.PRINCIPAL.getPreferredName(), attributeNames.principal);
+        builder.field(Fields.Attributes.EMAIL.getPreferredName(), attributeNames.email);
+        builder.field(Fields.Attributes.NAME.getPreferredName(), attributeNames.name);
+        builder.field(Fields.Attributes.ROLES.getPreferredName(), attributeNames.roles);
+        builder.endObject();
+
+        builder.startObject(Fields.CERTIFICATES.getPreferredName());
+        builder.field(Fields.Certificates.SP_SIGNING.getPreferredName(), certificates.serviceProviderSigning);
+        builder.field(Fields.Certificates.IDP_SIGNING.getPreferredName(), certificates.identityProviderSigning);
+        builder.field(Fields.Certificates.IDP_METADATA.getPreferredName(), certificates.identityProviderMetadataSigning);
+        builder.endObject();
+
+        return builder.endObject();
+    }
+
+    public interface Fields {
+        ParseField NAME = new ParseField("name");
+        ParseField ENTITY_ID = new ParseField("entity_id");
+        ParseField ACS = new ParseField("acs");
+        ParseField ENABLED = new ParseField("enabled");
+        ParseField NAME_ID = new ParseField("name_id_format");
+        ParseField SIGN_MSGS = new ParseField("sign_messages");
+        ParseField AUTHN_EXPIRY = new ParseField("authn_expiry_ms");
+
+        ParseField CREATED_DATE = new ParseField("created");
+        ParseField LAST_MODIFIED = new ParseField("last_modified");
+
+        ParseField PRIVILEGES = new ParseField("privileges");
+        ParseField ATTRIBUTES = new ParseField("attributes");
+        ParseField CERTIFICATES = new ParseField("certificates");
+
+        interface Privileges {
+            ParseField RESOURCE = new ParseField("resource");
+            ParseField ROLES = new ParseField("roles");
+        }
+
+        interface Attributes {
+            ParseField PRINCIPAL = new ParseField("principal");
+            ParseField EMAIL = new ParseField("email");
+            ParseField NAME = new ParseField("name");
+            ParseField ROLES = new ParseField("roles");
+        }
+
+        interface Certificates {
+            ParseField SP_SIGNING = new ParseField("sp_signing");
+            ParseField IDP_SIGNING = new ParseField("idp_signing");
+            ParseField IDP_METADATA = new ParseField("idp_metadata");
+        }
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + "{docId=" + docId + ", name=" + name + ", entityId=" + entityId + "}@" + hashCode();
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/sp/SamlServiceProviderIndex.java

@@ -0,0 +1,337 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.saml.sp;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.message.ParameterizedMessage;
+import org.elasticsearch.Version;
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.DocWriteRequest;
+import org.elasticsearch.action.DocWriteResponse;
+import org.elasticsearch.action.admin.indices.refresh.RefreshRequest;
+import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateRequest;
+import org.elasticsearch.action.delete.DeleteRequest;
+import org.elasticsearch.action.delete.DeleteResponse;
+import org.elasticsearch.action.get.GetRequest;
+import org.elasticsearch.action.get.GetResponse;
+import org.elasticsearch.action.index.IndexRequest;
+import org.elasticsearch.action.search.SearchRequest;
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.client.Client;
+import org.elasticsearch.client.OriginSettingClient;
+import org.elasticsearch.cluster.ClusterChangedEvent;
+import org.elasticsearch.cluster.ClusterState;
+import org.elasticsearch.cluster.ClusterStateListener;
+import org.elasticsearch.cluster.metadata.AliasOrIndex;
+import org.elasticsearch.cluster.service.ClusterService;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.ValidationException;
+import org.elasticsearch.common.bytes.BytesReference;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.util.CachedSupplier;
+import org.elasticsearch.common.xcontent.LoggingDeprecationHandler;
+import org.elasticsearch.common.xcontent.NamedXContentRegistry;
+import org.elasticsearch.common.xcontent.ToXContent;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.common.xcontent.XContentParser;
+import org.elasticsearch.common.xcontent.XContentType;
+import org.elasticsearch.gateway.GatewayService;
+import org.elasticsearch.index.IndexNotFoundException;
+import org.elasticsearch.index.get.GetResult;
+import org.elasticsearch.index.query.QueryBuilder;
+import org.elasticsearch.index.query.QueryBuilders;
+import org.elasticsearch.search.SearchHit;
+import org.elasticsearch.xpack.core.ClientHelper;
+import org.elasticsearch.xpack.core.template.TemplateUtils;
+
+import java.io.ByteArrayOutputStream;
+import java.io.Closeable;
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.util.Arrays;
+import java.util.Objects;
+import java.util.Set;
+import java.util.function.Supplier;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+/**
+ * This class provides utility methods to read/write {@link SamlServiceProviderDocument} to an Elasticsearch index.
+ */
+public class SamlServiceProviderIndex implements Closeable {
+
+    private final Logger logger = LogManager.getLogger();
+
+    private final Client client;
+    private final ClusterService clusterService;
+    private final ClusterStateListener clusterStateListener;
+    private volatile boolean aliasExists;
+    private volatile boolean templateInstalled;
+
+    public static final String ALIAS_NAME = "saml-service-provider";
+    public static final String INDEX_NAME = "saml-service-provider-v1";
+    static final String TEMPLATE_NAME = ALIAS_NAME;
+
+    private static final String TEMPLATE_RESOURCE = "/org/elasticsearch/xpack/idp/saml-service-provider-template.json";
+    private static final String TEMPLATE_META_VERSION_KEY = "idp-version";
+    private static final String TEMPLATE_VERSION_SUBSTITUTE = "idp.template.version";
+
+    public static final class DocumentVersion {
+        public final String id;
+        public final long primaryTerm;
+        public final long seqNo;
+
+        public DocumentVersion(String id, long primaryTerm, long seqNo) {
+            this.id = id;
+            this.primaryTerm = primaryTerm;
+            this.seqNo = seqNo;
+        }
+
+        public DocumentVersion(GetResponse get) {
+            this(get.getId(), get.getPrimaryTerm(), get.getSeqNo());
+        }
+
+        public DocumentVersion(GetResult get) {
+            this(get.getId(), get.getPrimaryTerm(), get.getSeqNo());
+        }
+
+        public DocumentVersion(SearchHit hit) {
+            this(hit.getId(), hit.getPrimaryTerm(), hit.getSeqNo());
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            final DocumentVersion that = (DocumentVersion) o;
+            return Objects.equals(this.id, that.id) && primaryTerm == that.primaryTerm &&
+                seqNo == that.seqNo;
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(id, primaryTerm, seqNo);
+        }
+    }
+
+    public static final class DocumentSupplier {
+        public final DocumentVersion version;
+        public final Supplier<SamlServiceProviderDocument> document;
+
+        public DocumentSupplier(DocumentVersion version, Supplier<SamlServiceProviderDocument> document) {
+            this.version = version;
+            this.document = new CachedSupplier<>(document);
+        }
+
+        public SamlServiceProviderDocument getDocument() {
+            return document.get();
+        }
+    }
+
+    public SamlServiceProviderIndex(Client client, ClusterService clusterService) {
+        this.client = new OriginSettingClient(client, ClientHelper.IDP_ORIGIN);
+        this.clusterService = clusterService;
+        this.clusterStateListener = this::clusterChanged;
+        clusterService.addListener(clusterStateListener);
+    }
+
+    private void clusterChanged(ClusterChangedEvent clusterChangedEvent) {
+        final ClusterState state = clusterChangedEvent.state();
+        installTemplateIfRequired(state);
+        checkForAliasStateChange(state);
+    }
+
+    private void installTemplateIfRequired(ClusterState state) {
+        if (templateInstalled) {
+            return;
+        }
+        if (state.blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
+            return;
+        }
+        if (isTemplateUpToDate(state)) {
+            templateInstalled = true;
+            return;
+        }
+        if (state.nodes().isLocalNodeElectedMaster() == false) {
+            return;
+        }
+        installIndexTemplate(ActionListener.wrap(
+            installed -> {
+                templateInstalled = true;
+                if (installed) {
+                    logger.debug("Template [{}] has been updated", TEMPLATE_NAME);
+                } else {
+                    logger.debug("Template [{}] appears to be up to date", TEMPLATE_NAME);
+                }
+            }, e -> logger.warn(new ParameterizedMessage("Failed to install template [{}]", TEMPLATE_NAME), e)
+        ));
+    }
+
+    private void checkForAliasStateChange(ClusterState state) {
+        final AliasOrIndex aliasInfo = state.getMetaData().getAliasAndIndexLookup().get(ALIAS_NAME);
+        final boolean previousState = aliasExists;
+        this.aliasExists = aliasInfo != null;
+        if (aliasExists != previousState) {
+            logChangedAliasState(aliasInfo);
+        }
+    }
+
+    @Override
+    public void close() {
+        logger.debug("Closing ... removing cluster state listener");
+        clusterService.removeListener(clusterStateListener);
+    }
+
+    private void logChangedAliasState(AliasOrIndex aliasInfo) {
+        if (aliasInfo == null) {
+            logger.warn("service provider index/alias [{}] no longer exists", ALIAS_NAME);
+        } else if (aliasInfo.isAlias() == false) {
+            logger.warn("service provider index [{}] exists as a concrete index, but it should be an alias", ALIAS_NAME);
+        } else if (aliasInfo.getIndices().size() != 1) {
+            logger.warn("service provider alias [{}] refers to multiple indices [{}] - this is unexpected and is likely to cause problems",
+                ALIAS_NAME, Strings.collectionToCommaDelimitedString(aliasInfo.getIndices()));
+        } else {
+            logger.info("service provider alias [{}] refers to [{}]", ALIAS_NAME, aliasInfo.getIndices().get(0).getIndex());
+        }
+    }
+
+    public void installIndexTemplate(ActionListener<Boolean> listener) {
+        final ClusterState state = clusterService.state();
+        if (isTemplateUpToDate(state)) {
+            listener.onResponse(false);
+        }
+        final String template = TemplateUtils.loadTemplate(TEMPLATE_RESOURCE, Version.CURRENT.toString(), TEMPLATE_VERSION_SUBSTITUTE);
+        final PutIndexTemplateRequest request = new PutIndexTemplateRequest(TEMPLATE_NAME).source(template, XContentType.JSON);
+        client.admin().indices().putTemplate(request, ActionListener.wrap(response -> {
+            logger.info("Installed template [{}]", TEMPLATE_NAME);
+            listener.onResponse(true);
+        }, listener::onFailure));
+    }
+
+    private boolean isTemplateUpToDate(ClusterState state) {
+        return TemplateUtils.checkTemplateExistsAndIsUpToDate(TEMPLATE_NAME, TEMPLATE_META_VERSION_KEY, state, logger);
+    }
+
+    public void deleteDocument(DocumentVersion version, WriteRequest.RefreshPolicy refreshPolicy, ActionListener<DeleteResponse> listener) {
+        final DeleteRequest request = new DeleteRequest(aliasExists ? ALIAS_NAME : INDEX_NAME)
+            .id(version.id)
+            .setIfSeqNo(version.seqNo)
+            .setIfPrimaryTerm(version.primaryTerm)
+            .setRefreshPolicy(refreshPolicy);
+        client.delete(request, ActionListener.wrap(response -> {
+            logger.debug("Deleted service provider document [{}] ({})", version.id, response.getResult());
+            listener.onResponse(response);
+        }, listener::onFailure));
+    }
+
+    public void writeDocument(SamlServiceProviderDocument document, DocWriteRequest.OpType opType,
+                              WriteRequest.RefreshPolicy refreshPolicy, ActionListener<DocWriteResponse> listener) {
+        final ValidationException exception = document.validate();
+        if (exception != null) {
+            listener.onFailure(exception);
+            return;
+        }
+
+        if (templateInstalled) {
+            _writeDocument(document, opType, refreshPolicy, listener);
+        } else {
+            installIndexTemplate(ActionListener.wrap(installed ->
+                _writeDocument(document, opType, refreshPolicy, listener), listener::onFailure));
+        }
+    }
+
+    private void _writeDocument(SamlServiceProviderDocument document, DocWriteRequest.OpType opType,
+                                WriteRequest.RefreshPolicy refreshPolicy, ActionListener<DocWriteResponse> listener) {
+        try (ByteArrayOutputStream out = new ByteArrayOutputStream();
+             XContentBuilder xContentBuilder = new XContentBuilder(XContentType.JSON.xContent(), out)) {
+            document.toXContent(xContentBuilder, ToXContent.EMPTY_PARAMS);
+            // Due to the lack of "alias templates" (at the current time), we cannot write to the alias if it doesn't exist yet
+            // - that would cause the alias to be created as a concrete index, which is not what we want.
+            // So, until we know that the alias exists we have to write to the expected index name instead.
+            final IndexRequest request = new IndexRequest(aliasExists ? ALIAS_NAME : INDEX_NAME)
+                .opType(opType)
+                .source(xContentBuilder)
+                .id(document.docId)
+                .setRefreshPolicy(refreshPolicy);
+            client.index(request, ActionListener.wrap(response -> {
+                logger.debug("Wrote service provider [{}][{}] as document [{}] ({})",
+                    document.name, document.entityId, response.getId(), response.getResult());
+                listener.onResponse(response);
+            }, listener::onFailure));
+        } catch (IOException e) {
+            listener.onFailure(e);
+        }
+    }
+
+    public void readDocument(String documentId, ActionListener<DocumentSupplier> listener) {
+        final GetRequest request = new GetRequest(ALIAS_NAME, documentId);
+        client.get(request, ActionListener.wrap(response -> {
+            if (response.isExists()) {
+                listener.onResponse(
+                    new DocumentSupplier(new DocumentVersion(response), () -> toDocument(documentId, response.getSourceAsBytesRef()))
+                );
+            } else {
+                listener.onResponse(null);
+            }
+        }, listener::onFailure));
+    }
+
+    public void findByEntityId(String entityId, ActionListener<Set<DocumentSupplier>> listener) {
+        final QueryBuilder query = QueryBuilders.termQuery(SamlServiceProviderDocument.Fields.ENTITY_ID.getPreferredName(), entityId);
+        findDocuments(query, listener);
+    }
+
+    public void findAll(ActionListener<Set<DocumentSupplier>> listener) {
+        final QueryBuilder query = QueryBuilders.matchAllQuery();
+        findDocuments(query, listener);
+    }
+
+    public void refresh(ActionListener<Void> listener) {
+        client.admin().indices().refresh(new RefreshRequest(ALIAS_NAME), ActionListener.wrap(
+            response -> listener.onResponse(null), listener::onFailure));
+    }
+
+    private void findDocuments(QueryBuilder query, ActionListener<Set<DocumentSupplier>> listener) {
+        logger.trace("Searching [{}] for [{}]", ALIAS_NAME, query);
+        final SearchRequest request = client.prepareSearch(ALIAS_NAME)
+            .setQuery(query)
+            .setSize(1000)
+            .setFetchSource(true)
+            .request();
+        client.search(request, ActionListener.wrap(response -> {
+            if (logger.isTraceEnabled()) {
+                logger.trace("Search hits: [{}] [{}]", response.getHits().getTotalHits(), Arrays.toString(response.getHits().getHits()));
+            }
+            final Set<DocumentSupplier> docs = Stream.of(response.getHits().getHits())
+                .map(hit -> new DocumentSupplier(new DocumentVersion(hit), () -> toDocument(hit.getId(), hit.getSourceRef())))
+                .collect(Collectors.toUnmodifiableSet());
+            listener.onResponse(docs);
+        }, ex -> {
+            if (ex instanceof IndexNotFoundException) {
+                listener.onResponse(Set.of());
+            } else {
+                listener.onFailure(ex);
+            }
+        }));
+    }
+
+    private SamlServiceProviderDocument toDocument(String documentId, BytesReference source) {
+        try (StreamInput in = source.streamInput();
+             XContentParser parser = XContentType.JSON.xContent().createParser(
+                 NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, in)) {
+            return SamlServiceProviderDocument.fromXContent(documentId, parser);
+        } catch (IOException e) {
+            throw new UncheckedIOException("failed to parse document [" + documentId + "]", e);
+        }
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + "{alias=" + ALIAS_NAME + " [" + (aliasExists ? "exists" : "not-found") + "]}";
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/sp/SamlServiceProviderResolver.java

@@ -0,0 +1,151 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.saml.sp;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.common.cache.Cache;
+import org.elasticsearch.common.cache.CacheBuilder;
+import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.unit.TimeValue;
+import org.elasticsearch.common.util.iterable.Iterables;
+import org.elasticsearch.xpack.idp.privileges.ServiceProviderPrivileges;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderIndex.DocumentSupplier;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderIndex.DocumentVersion;
+import org.joda.time.ReadableDuration;
+import org.opensaml.security.x509.BasicX509Credential;
+import org.opensaml.security.x509.X509Credential;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+public class SamlServiceProviderResolver {
+
+    private static final int CACHE_SIZE_DEFAULT = 1000;
+    private static final TimeValue CACHE_TTL_DEFAULT = TimeValue.timeValueMinutes(60);
+
+    public static final Setting<Integer> CACHE_SIZE
+        = Setting.intSetting("xpack.idp.sp.cache.size", CACHE_SIZE_DEFAULT, Setting.Property.NodeScope);
+    public static final Setting<TimeValue> CACHE_TTL
+        = Setting.timeSetting("xpack.idp.sp.cache.ttl", CACHE_TTL_DEFAULT, Setting.Property.NodeScope);
+
+    private final Cache<String, CachedServiceProvider> cache;
+    private final SamlServiceProviderIndex index;
+    private final ServiceProviderDefaults defaults;
+
+    public SamlServiceProviderResolver(Settings settings, SamlServiceProviderIndex index, ServiceProviderDefaults defaults) {
+        this.cache = CacheBuilder.<String, CachedServiceProvider>builder()
+            .setMaximumWeight(CACHE_SIZE.get(settings))
+            .setExpireAfterAccess(CACHE_TTL.get(settings))
+            .build();
+        this.index = index;
+        this.defaults = defaults;
+    }
+
+    /**
+     * Find a {@link SamlServiceProvider} by entity-id.
+     *
+     * @param listener Callback for the service provider object. Calls {@link ActionListener#onResponse} with a {@code null} value if the
+     *                 service provider does not exist.
+     */
+    public void resolve(String entityId, ActionListener<SamlServiceProvider> listener) {
+        index.findByEntityId(entityId, ActionListener.wrap(
+            documentSuppliers -> {
+                if (documentSuppliers.isEmpty()) {
+                    listener.onResponse(null);
+                    return;
+                }
+                if (documentSuppliers.size() > 1) {
+                    listener.onFailure(new IllegalStateException(
+                        "Found multiple service providers with entity ID [" + entityId
+                            + "] - document ids ["
+                            + documentSuppliers.stream().map(s -> s.version.id).collect(Collectors.joining(","))
+                            + "] in index [" + index + "]"));
+                    return;
+                }
+                final DocumentSupplier doc = Iterables.get(documentSuppliers, 0);
+                final CachedServiceProvider cached = cache.get(entityId);
+                if (cached != null && cached.documentVersion.equals(doc.version)) {
+                    listener.onResponse(cached.serviceProvider);
+                    return;
+                } else {
+                    populateCacheAndReturn(entityId, doc, listener);
+                }
+            },
+            listener::onFailure
+        ));
+
+    }
+
+    private void populateCacheAndReturn(String entityId, DocumentSupplier doc, ActionListener<SamlServiceProvider> listener) {
+        final SamlServiceProvider serviceProvider = buildServiceProvider(doc.document.get());
+        final CachedServiceProvider cacheEntry = new CachedServiceProvider(entityId, doc.version, serviceProvider);
+        cache.put(entityId, cacheEntry);
+        listener.onResponse(serviceProvider);
+    }
+
+    private SamlServiceProvider buildServiceProvider(SamlServiceProviderDocument document) {
+        final ServiceProviderPrivileges privileges = buildPrivileges(document.privileges);
+        final SamlServiceProvider.AttributeNames attributes = new SamlServiceProvider.AttributeNames(
+            document.attributeNames.principal, document.attributeNames.name, document.attributeNames.email, document.attributeNames.roles
+        );
+        final Set<X509Credential> credentials = document.certificates.getServiceProviderX509SigningCertificates()
+            .stream()
+            .map(BasicX509Credential::new)
+            .collect(Collectors.toUnmodifiableSet());
+
+        final URL acs = parseUrl(document);
+        String nameIdFormat = document.nameIdFormat;
+        if (nameIdFormat == null) {
+            nameIdFormat = defaults.nameIdFormat;
+        }
+
+        final ReadableDuration authnExpiry = Optional.ofNullable(document.getAuthenticationExpiry())
+            .orElse(defaults.authenticationExpiry);
+
+        final boolean signAuthnRequests = document.signMessages.contains(SamlServiceProviderDocument.SIGN_AUTHN);
+        final boolean signLogoutRequests = document.signMessages.contains(SamlServiceProviderDocument.SIGN_LOGOUT);
+
+        return new CloudServiceProvider(document.entityId, document.name, document.enabled, acs, nameIdFormat, authnExpiry,
+            privileges, attributes, credentials, signAuthnRequests, signLogoutRequests);
+    }
+
+    private ServiceProviderPrivileges buildPrivileges(SamlServiceProviderDocument.Privileges configuredPrivileges) {
+        final String resource = configuredPrivileges.resource;
+        final Map<String, String> roles = Optional.ofNullable(configuredPrivileges.roleActions).orElse(Map.of());
+        return new ServiceProviderPrivileges(defaults.applicationName, resource, roles);
+    }
+
+    private URL parseUrl(SamlServiceProviderDocument document) {
+        final URL acs;
+        try {
+            acs = new URL(document.acs);
+        } catch (MalformedURLException e) {
+            final ServiceProviderException exception = new ServiceProviderException(
+                "Service provider [{}] (doc {}) has an invalid ACS [{}]", e, document.entityId, document.docId, document.acs);
+            exception.setEntityId(document.entityId);
+            throw exception;
+        }
+        return acs;
+    }
+
+    private class CachedServiceProvider {
+        private final String entityId;
+        private final DocumentVersion documentVersion;
+        private final SamlServiceProvider serviceProvider;
+
+        private CachedServiceProvider(String entityId, DocumentVersion documentVersion, SamlServiceProvider serviceProvider) {
+            this.entityId = entityId;
+            this.documentVersion = documentVersion;
+            this.serviceProvider = serviceProvider;
+        }
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/sp/ServiceProviderDefaults.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.saml.sp;
+
+import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.unit.TimeValue;
+import org.joda.time.Duration;
+import org.joda.time.ReadableDuration;
+import org.opensaml.saml.saml2.core.NameID;
+
+import java.util.List;
+
+/**
+ * Defines default values for a service provider if they are not configured in {@link SamlServiceProviderDocument}
+ */
+public final class ServiceProviderDefaults {
+
+    public static final Setting<String> APPLICATION_NAME_SETTING
+        = Setting.simpleString("xpack.idp.privileges.application", Setting.Property.NodeScope);
+    public static final Setting<String> NAMEID_FORMAT_SETTING
+        = Setting.simpleString("xpack.idp.defaults.nameid_format", NameID.TRANSIENT, Setting.Property.NodeScope);
+    public static final Setting<TimeValue> AUTHN_EXPIRY_SETTING
+        = Setting.timeSetting("xpack.idp.defaults.authn_expiry", TimeValue.timeValueMinutes(5), Setting.Property.NodeScope);
+
+    public final String applicationName;
+    public final String nameIdFormat;
+    public final ReadableDuration authenticationExpiry;
+
+    public ServiceProviderDefaults(String applicationName,
+                                   String nameIdFormat,
+                                   ReadableDuration authenticationExpiry) {
+        this.applicationName = applicationName;
+        this.nameIdFormat = nameIdFormat;
+        this.authenticationExpiry = authenticationExpiry;
+    }
+
+    public static ServiceProviderDefaults forSettings(Settings settings) {
+        final String appplication = require(settings, APPLICATION_NAME_SETTING);
+        final String nameId = NAMEID_FORMAT_SETTING.get(settings);
+        final TimeValue expiry = AUTHN_EXPIRY_SETTING.get(settings);
+        return new ServiceProviderDefaults(appplication, nameId, Duration.millis(expiry.millis()));
+    }
+
+    private static <T> T require(Settings settings, Setting<T> setting) {
+        if (setting.exists(settings)) {
+            return setting.get(settings);
+        }
+        throw new IllegalStateException("Setting [" + setting.getKey() + "] must be configured");
+    }
+
+    public static List<Setting<?>> getSettings() {
+        return List.of(APPLICATION_NAME_SETTING, NAMEID_FORMAT_SETTING, AUTHN_EXPIRY_SETTING);
+    }
+}

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/sp/ServiceProviderException.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.idp.saml.sp;
+
+import org.elasticsearch.ElasticsearchException;
+
+/**
+ * Indicates a configuration or execution problem specific to a SAML ServiceProvider
+ */
+public class ServiceProviderException extends ElasticsearchException {
+    public static final String ENTITY_ID = "es.idp.sp.entity_id";
+
+    public ServiceProviderException(String msg, Throwable cause, Object... args) {
+        super(msg, cause, args);
+    }
+
+    public void setEntityId(String entityId) {
+        super.addMetadata(ENTITY_ID, entityId);
+    }
+}