Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 8aca85bef9
Branches Tags
elasticsearch
/
x-pack
/
docs
/
en
/
rest-api
/
security
/
saml-prepare-authentication-api.asciidoc

saml-prepare-authentication-api.asciidoc 4.2 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 
  1. [role="xpack"]
    2. 

  2. [[security-api-saml-prepare-authentication]]
    3. 

  3. === SAML prepare authentication API
    4. 

  4. 

  5. Creates a SAML authentication request (`<AuthnRequest>`) as a URL string, based on the configuration of the respective SAML realm in {es}.
    6. 

  6. 

  7. NOTE: This API is intended for use by custom web applications other than {kib}.
    8. 

  8. If you are using {kib}, see the <<saml-guide>>.
    9. 

  9. 

  10. [[security-api-saml-prepare-authentication-request]]
    11. 

  11. ==== {api-request-title}
    12. 

  12. 

  13. `POST /_security/saml/prepare`
    14. 

  14. 

  15. [[security-api-saml-prepare-authentication-desc]]
    16. 

  16. ==== {api-description-title}
    17. 

  17. 

  18. This API returns a URL pointing to the SAML Identity
    19. 

  19. Provider. You can use the URL to redirect the browser of the user in order to
    20. 

  20. continue the authentication process. The URL includes a single parameter named `SAMLRequest`,
    21. 

  21. which contains a SAML Authentication request that is deflated and
    22. 

  22. Base64 encoded. If the configuration dictates that SAML authentication requests
    23. 

  23. should be signed, the URL has two extra parameters named `SigAlg` and
    24. 

  24. `Signature`. These parameters contain the algorithm used for the signature and
    25. 

  25. the signature value itself.
    26. 

  26. It also returns a random string that uniquely identifies this SAML Authentication request. The
    27. 

  27. caller of this API needs to store this identifier as it needs to used in a following step of
    28. 

  28. the authentication process (see <<security-api-saml-authenticate,SAML authenticate API>>).
    29. 

  29. 

  30. {es} exposes all the necessary SAML related functionality via the SAML APIs.
    31. 

  31. These APIs are used internally by {kib} in order to provide SAML based
    32. 

  32. authentication, but can also be used by other custom web applications or other
    33. 

  33. clients. See also <<security-api-saml-authenticate,SAML authenticate API>>,
    34. 

  34. <<security-api-saml-invalidate,SAML invalidate API>>, and
    35. 

  35. <<security-api-saml-logout,SAML logout API>>.
    36. 

  36. 

  37. [[security-api-saml-prepare-authentication-request-body]]
    38. 

  38. ==== {api-request-body-title}
    39. 

  39. 

  40. `acs`::
    41. 

  41.   (Optional, string) The Assertion Consumer Service URL that matches the one of the SAML
    42. 

  42.   realms in {es}. The realm is used to generate the authentication request.
    43. 

  43.   You must specify either this parameter or the `realm` parameter.
    44. 

  44. 

  45. `realm`::
    46. 

  46.   (Optional, string) The name of the SAML realm in {es} for which the configuration is
    47. 

  47.   used to generate the authentication request. You must specify either this parameter or the `acs`
    48. 

  48.   parameter.
    49. 

  49. 

  50. [[security-api-saml-prepare-authentication-response-body]]
    51. 

  51. ==== {api-response-body-title}  
    52. 

  52. 

  53. `id`::
    54. 

  54.   (string) A unique identifier for the SAML Request to be stored by the caller
    55. 

  55.   of the API.
    56. 

  56. 

  57. `realm`::
    58. 

  58.   (string) The name of the {es} realm that was used to construct the
    59. 

  59.   authentication request.
    60. 

  60. 

  61. `redirect`::
    62. 

  62.   (string) The URL to redirect the user to.
    63. 

  63. 

  64. [[security-api-saml-prepare-authentication-example]]
    65. 

  65. ==== {api-examples-title}
    66. 

  66. 

  67. The following example generates a SAML authentication request for the SAML realm with name `saml1`
    68. 

  68. 

  69. [source,console]
    70. 

  70. --------------------------------------------------
    71. 

  71. POST /_security/saml/prepare
    72. 

  72. {
    73. 

  73.   "realm" : "saml1"
    74. 

  74. }
    75. 

  75. --------------------------------------------------
    76. 

  76. 

  77. The following example generates a SAML authentication request for the SAML realm with an Assertion
    78. 

  78. Consuming Service URL matching `https://kibana.org/api/security/saml/callback
    79. 

  79. 

  80. [source,console]
    81. 

  81. --------------------------------------------------
    82. 

  82. POST /_security/saml/prepare
    83. 

  83. {
    84. 

  84.   "acs" : "https://kibana.org/api/security/saml/callback"
    85. 

  85. }
    86. 

  86. --------------------------------------------------
    87. 

  87. 

  88. This API returns the following response:
    89. 

  89. 

  90. [source,js]
    91. 

  91. -------------------------------------------------
    92. 

  92. {
    93. 

  93.   "redirect": "https://my-idp.org/login?SAMLRequest=fVJdc6IwFP0rmbwDgUKLGbFDtc462%2B06FX3Yl50rBJsKCZsbrPbXL6J22hdfk%2FNx7zl3eL%2BvK7ITBqVWCfVdRolQuS6k2iR0mU2dmN6Phgh1FTQ8be2rehH%2FWoGWdESF%2FPST0NYorgElcgW1QG5zvkh%2FPfHAZbwx2upcV5SkiMLYzmqsFba1MAthdjIXy5enhL5a23DPOyo6W7kGBa7cwhZ2gO7G8OiW%2BR400kORt0bag7fzezAlk24eqcD2OxxlsNN5O3MdsW9c6CZnbq7rntF4d3s0D7BaHTZhIWN52P%2BcjiuGRbDU6cdj%2BEjJbJLQv4N4ADdhxBiEZbQuWclY4Q8iABbCXczCdSiKMAC%2FgyO2YqbQgrIJDZg%2FcFjsMD%2Fzb3gUcBa5sR%2F9oWR%2BzuJBqlPG14Jbn0DIf2TZ3Jn%2FXmSUrC5ddQB6bob37uZrJdeF4dIDHV3iuhb70Ptq83kOz53ubDLXlcwPJK0q%2FT42AqxIaAkVCkqm2tRgr49yfJGFU%2FZQ3hy3QyuUpd7obPv97kb%2FAQ%3D%3D"}",
    94. 

  94.   "realm": "saml1",
    95. 

  95.   "id": "_989a34500a4f5bf0f00d195aa04a7804b4ed42a1"
    96. 

  96. }
    97. 

  97. -------------------------------------------------
    98. 

  98. // NOTCONSOLE
    99.