Invalidate SAML Added in 7.5.0

POST /_security/saml/invalidate

Submits a SAML LogoutRequest message to Elasticsearch for consumption.

application/json

Body Required

  • acs string

    The Assertion Consumer Service URL that matches that of the SAML realm in Elasticsearch that should be used. You must specify either this parameter or the realm parameter.

  • query_string string Required

    The query part of the URL that the user was redirected to by the SAML IdP to initiate the Single Logout. This query should include a single parameter named SAMLRequest that contains a SAML logout request that is deflated and Base64 encoded. If the SAML IdP has signed the logout request, the URL should include two extra parameters named SigAlg and Signature that contain the algorithm used for the signature and the signature value itself. In order for Elasticsearch to be able to verify the IdP’s signature, the value of the query_string field must be an exact match to the string provided by the browser. The client application must not attempt to parse or process the string in any way.

  • realm string

    The name of the SAML realm in the Elasticsearch configuration. You must specify either this parameter or the acs parameter.
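
The following added example (not part of the Elasticsearch documentation) shows why query_string must be forwarded untouched: decoding and re-encoding the parameters yields the same values but a different string, which no longer matches what the browser provided. It assumes a WSGI application, where environ["QUERY_STRING"] holds the undecoded query; the realm name saml1 and the sample values are constructed placeholders.

```python
import json
from urllib.parse import parse_qsl, urlencode

# Constructed sample: query string as a browser might deliver it after the IdP
# redirect. Values are placeholders, not a real LogoutRequest or signature.
SAMPLE_QS = (
    "SAMLRequest=fZJ%2bT8Mw%3d"
    "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"
    "&Signature=Zm9v%2fYmFy"
)


def reencoded(query_string: str) -> str:
    """The mistake to avoid: decode the parameters, then encode them again."""
    return urlencode(parse_qsl(query_string, keep_blank_values=True))


def build_invalidate_body(environ: dict, realm: str = None, acs: str = None) -> str:
    """Build the JSON body for POST /_security/saml/invalidate."""
    if realm is None and acs is None:
        raise ValueError("specify realm or acs")
    raw = environ["QUERY_STRING"]  # WSGI exposes the undecoded query string
    # Parse a copy for sanity checks only; the parsed form is never forwarded.
    names = [k for k, _ in parse_qsl(raw, keep_blank_values=True)]
    if names.count("SAMLRequest") != 1:
        raise ValueError("expected exactly one SAMLRequest parameter")
    if ("SigAlg" in names) != ("Signature" in names):
        raise ValueError("SigAlg and Signature must appear together")
    body = {"query_string": raw}
    if realm is not None:
        body["realm"] = realm
    if acs is not None:
        body["acs"] = acs
    return json.dumps(body)


if __name__ == "__main__":
    print("forwarded :", SAMPLE_QS)
    print("re-encoded:", reencoded(SAMPLE_QS))  # hex case of escapes differs
    print(build_invalidate_body({"QUERY_STRING": SAMPLE_QS}, realm="saml1"))
```

In the sample, the only difference after re-encoding is the case of the percent-escape hex digits (%2b becomes %2B), which is enough to break the exact match.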

Responses

POST /_security/saml/invalidate
curl \
 -X POST http://api.example.com/_security/saml/invalidate \
 -H "Content-Type: application/json" \
 -d '{"acs":"string","query_string":"string","realm":"string"}'
Request examples
{
  "acs": "string",
  "query_string": "string",
  "realm": "string"
}
Response examples (200)
{
  "invalidated": 42.0,
  "realm": "string",
  "redirect": "string"
}