Acasă Explorează Ajutor
Înregistrare Autentificare
lqb
/
elasticsearch
oglindă de https://gitee.com/mirrors/elasticsearch.git
1
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Arbore: 442fc1f3b6
Ramuri Etichete
elasticsearch
/
docs
/
reference
/
rest-api
/
security
/
saml-prepare-authentication-api.asciidoc

saml-prepare-authentication-api.asciidoc 4.7 KB
Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113 
  1. [role="xpack"]
    2. 

  2. [[security-api-saml-prepare-authentication]]
    3. 

  3. === SAML prepare authentication API
    4. 

  4. ++++
    5. 

  5. <titleabbrev>SAML prepare authentication</titleabbrev>
    6. 

  6. ++++
    7. 

  7. 

  8. .New API reference
    9. 

  9. [sidebar]
    10. 

  10. --
    11. 

  11. For the most up-to-date API details, refer to {api-es}/group/endpoint-security[Security APIs].
    12. 

  12. --
    13. 

  13. 

  14. Creates a SAML authentication request (`<AuthnRequest>`) as a URL string, based on the configuration of the respective SAML realm in {es}.
    15. 

  15. 

  16. NOTE: This API is intended for use by custom web applications other than {kib}.
    17. 

  17. If you are using {kib}, see the <<saml-guide-stack>>.
    18. 

  18. 

  19. [[security-api-saml-prepare-authentication-request]]
    20. 

  20. ==== {api-request-title}
    21. 

  21. 

  22. `POST /_security/saml/prepare`
    23. 

  23. 

  24. [[security-api-saml-prepare-authentication-desc]]
    25. 

  25. ==== {api-description-title}
    26. 

  26. 

  27. This API returns a URL pointing to the SAML Identity
    28. 

  28. Provider. You can use the URL to redirect the browser of the user in order to
    29. 

  29. continue the authentication process. The URL includes a single parameter named `SAMLRequest`,
    30. 

  30. which contains a SAML Authentication request that is deflated and
    31. 

  31. Base64 encoded. If the configuration dictates that SAML authentication requests
    32. 

  32. should be signed, the URL has two extra parameters named `SigAlg` and
    33. 

  33. `Signature`. These parameters contain the algorithm used for the signature and
    34. 

  34. the signature value itself.
    35. 

  35. It also returns a random string that uniquely identifies this SAML Authentication request. The
    36. 

  36. caller of this API needs to store this identifier as it needs to used in a following step of
    37. 

  37. the authentication process (see <<security-api-saml-authenticate,SAML authenticate API>>).
    38. 

  38. 

  39. {es} exposes all the necessary SAML related functionality via the SAML APIs.
    40. 

  40. These APIs are used internally by {kib} in order to provide SAML based
    41. 

  41. authentication, but can also be used by other custom web applications or other
    42. 

  42. clients. See also <<security-api-saml-authenticate,SAML authenticate API>>,
    43. 

  43. <<security-api-saml-invalidate,SAML invalidate API>>,
    44. 

  44. <<security-api-saml-logout,SAML logout API>>, and
    45. 

  45. <<security-api-saml-complete-logout, SAML complete logout API>>.
    46. 

  46. 

  47. [[security-api-saml-prepare-authentication-request-body]]
    48. 

  48. ==== {api-request-body-title}
    49. 

  49. 

  50. `acs`::
    51. 

  51.   (Optional, string) The Assertion Consumer Service URL that matches the one of the SAML
    52. 

  52.   realms in {es}. The realm is used to generate the authentication request.
    53. 

  53.   You must specify either this parameter or the `realm` parameter.
    54. 

  54. 

  55. `realm`::
    56. 

  56.   (Optional, string) The name of the SAML realm in {es} for which the configuration is
    57. 

  57.   used to generate the authentication request. You must specify either this parameter or the `acs`
    58. 

  58.   parameter.
    59. 

  59. 

  60. `relay_state`::
    61. 

  61.   (Optional, string) A string that will be included in the redirect URL that this API returns
    62. 

  62.   as the `RelayState` query parameter. If the Authentication Request is signed, this value is
    63. 

  63.   used as part of the signature computation.
    64. 

  64. 

  65. [[security-api-saml-prepare-authentication-response-body]]
    66. 

  66. ==== {api-response-body-title}
    67. 

  67. 

  68. `id`::
    69. 

  69.   (string) A unique identifier for the SAML Request to be stored by the caller
    70. 

  70.   of the API.
    71. 

  71. 

  72. `realm`::
    73. 

  73.   (string) The name of the {es} realm that was used to construct the
    74. 

  74.   authentication request.
    75. 

  75. 

  76. `redirect`::
    77. 

  77.   (string) The URL to redirect the user to.
    78. 

  78. 

  79. [[security-api-saml-prepare-authentication-example]]
    80. 

  80. ==== {api-examples-title}
    81. 

  81. 

  82. The following example generates a SAML authentication request for the SAML realm with name `saml1`
    83. 

  83. 

  84. [source,console]
    85. 

  85. --------------------------------------------------
    86. 

  86. POST /_security/saml/prepare
    87. 

  87. {
    88. 

  88.   "realm" : "saml1"
    89. 

  89. }
    90. 

  90. --------------------------------------------------
    91. 

  91. 

  92. The following example generates a SAML authentication request for the SAML realm with an Assertion
    93. 

  93. Consuming Service URL matching `https://kibana.org/api/security/saml/callback
    94. 

  94. 

  95. [source,console]
    96. 

  96. --------------------------------------------------
    97. 

  97. POST /_security/saml/prepare
    98. 

  98. {
    99. 

  99.   "acs" : "https://kibana.org/api/security/saml/callback"
    100. 

  100. }
    101. 

  101. --------------------------------------------------
    102. 

  102. 

  103. This API returns the following response:
    104. 

  104. 

  105. [source,js]
    106. 

  106. -------------------------------------------------
    107. 

  107. {
    108. 

  108.   "redirect": "https://my-idp.org/login?SAMLRequest=fVJdc6IwFP0rmbwDgUKLGbFDtc462%2B06FX3Yl50rBJsKCZsbrPbXL6J22hdfk%2FNx7zl3eL%2BvK7ITBqVWCfVdRolQuS6k2iR0mU2dmN6Phgh1FTQ8be2rehH%2FWoGWdESF%2FPST0NYorgElcgW1QG5zvkh%2FPfHAZbwx2upcV5SkiMLYzmqsFba1MAthdjIXy5enhL5a23DPOyo6W7kGBa7cwhZ2gO7G8OiW%2BR400kORt0bag7fzezAlk24eqcD2OxxlsNN5O3MdsW9c6CZnbq7rntF4d3s0D7BaHTZhIWN52P%2BcjiuGRbDU6cdj%2BEjJbJLQv4N4ADdhxBiEZbQuWclY4Q8iABbCXczCdSiKMAC%2FgyO2YqbQgrIJDZg%2FcFjsMD%2Fzb3gUcBa5sR%2F9oWR%2BzuJBqlPG14Jbn0DIf2TZ3Jn%2FXmSUrC5ddQB6bob37uZrJdeF4dIDHV3iuhb70Ptq83kOz53ubDLXlcwPJK0q%2FT42AqxIaAkVCkqm2tRgr49yfJGFU%2FZQ3hy3QyuUpd7obPv97kb%2FAQ%3D%3D"}",
    109. 

  109.   "realm": "saml1",
    110. 

  110.   "id": "_989a34500a4f5bf0f00d195aa04a7804b4ed42a1"
    111. 

  111. }
    112. 

  112. -------------------------------------------------
    113. 

  113. // NOTCONSOLE
    114.