SAML logout API

Submits a request to invalidate an access token and refresh token.

This API is intended for use by custom web applications other than Kibana. If you are using Kibana, see Configuring SAML single sign-on on the Elastic Stack.

Request

POST /_security/saml/logout

Description

This API invalidates the tokens that were generated for a user by the SAML authenticate API.

If the SAML realm in Elasticsearch is configured accordingly and the SAML IdP supports this, the Elasticsearch response contains a URL that carries a SAML logout request and redirects the user to the IdP (starting an SP-initiated SAML Single Logout).

Elasticsearch exposes all the necessary SAML-related functionality via the SAML APIs. These APIs are used internally by Kibana to provide SAML-based authentication, but can also be used by other custom web applications or other clients. See also SAML authenticate API, SAML prepare authentication API, SAML invalidate API, and SAML complete logout API.

Request body

token
(Required, string) The access token that was returned as a response to calling the SAML authenticate API. Alternatively, the most recent token that was received after refreshing the original one by using a refresh_token.
refresh_token
(Optional, string) The refresh token that was returned as a response to calling the SAML authenticate API. Alternatively, the most recent refresh token that was received after refreshing the original access token.

Response body

redirect
(string) A URL that contains a SAML logout request as a parameter. The user can use this URL to be redirected back to the SAML IdP and to initiate Single Logout.

Examples

The following example invalidates the pair of tokens that were generated by calling the SAML authenticate API with a successful SAML response:

Python:

resp = client.security.saml_logout(
    token="46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3",
    refresh_token="mJdXLtmvTUSpoLwMvdBt_w",
)
print(resp)

JavaScript:

const response = await client.security.samlLogout({
  token: "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3",
  refresh_token: "mJdXLtmvTUSpoLwMvdBt_w",
});
console.log(response);

Console:

POST /_security/saml/logout
{
  "token" : "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3",
  "refresh_token" : "mJdXLtmvTUSpoLwMvdBt_w"
}

The API returns the following response:

{
  "redirect" : "https://my-idp.org/logout/SAMLRequest=...."
}
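
An added example (not from the Elasticsearch documentation): a logout helper for a custom web application that calls this API through the Python client call shown above, returns None when the response has no redirect, and refuses to forward the browser to a URL that is not HTTPS on an expected IdP host. The allow list, the helper and exception names, and the stub client are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumption: hosts of the IdP logout endpoint that this application trusts.
ALLOWED_IDP_HOSTS = {"my-idp.org"}


class UntrustedRedirect(Exception):
    """The logout response pointed somewhere other than the expected IdP."""


def saml_logout_redirect(client, token, refresh_token=None,
                         allowed_hosts=ALLOWED_IDP_HOSTS):
    """Invalidate the token pair and return the IdP URL for the browser.

    Returns None when the response carries no redirect (realm not configured
    for Single Logout, or the IdP does not support it).
    """
    params = {"token": token}
    if refresh_token is not None:           # refresh_token is optional
        params["refresh_token"] = refresh_token
    resp = client.security.saml_logout(**params)
    body = getattr(resp, "body", resp)      # client response object or plain dict
    redirect = body.get("redirect")
    if not redirect:
        return None
    # Check the target before handing it to the user's browser.
    parts = urlsplit(redirect)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        raise UntrustedRedirect(redirect)
    return redirect


class StubSecurity:
    """Constructed stand-in for client.security so the example runs offline."""
    def __init__(self, response):
        self.response, self.calls = response, []

    def saml_logout(self, **kwargs):
        self.calls.append(kwargs)
        return self.response


class StubClient:
    """Constructed stand-in for the Elasticsearch client."""
    def __init__(self, response):
        self.security = StubSecurity(response)
```

The tokens are invalidated as soon as the call returns, so the application should clear its own session even when the helper returns None or raises.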