SAML complete logout API

edit

Verifies the logout response sent from the SAML IdP.

This API is intended for use by custom web applications other than Kibana. If you are using Kibana, see the Configuring SAML single-sign-on on the Elastic Stack.

Request

edit

POST /_security/saml/complete_logout

Description

edit

The SAML IdP may send a logout response back to the SP after handling the SP-initiated SAML Single Logout. This API verifies the response by ensuring the content is relevant and validating its signature. An empty response is returned if the verification process is successful. The response can be sent by the IdP with either the HTTP-Redirect or the HTTP-Post binding. The caller of this API must prepare the request accordingly so that this API can handle either of them.

Elasticsearch exposes all the necessary SAML related functionality via the SAML APIs. These APIs are used internally by Kibana in order to provide SAML based authentication, but can also be used by other custom web applications or other clients. See also SAML authenticate API, SAML prepare authentication API, SAML invalidate API, and SAML logout API.

Request body

edit
realm
(Required, string) The name of the SAML realm in Elasticsearch for which the configuration is used to verify the logout response.
ids
(Required, array) A json array with all the valid SAML Request Ids that the caller of the API has for the current user.
query_string
(Optional, string) If the SAML IdP sends the logout response with the HTTP-Redirect binding, this field must be set to the query string of the redirect URI.
queryString
[7.14.0] Deprecated in 7.14.0. Use query_string instead See query_string
content
(Optional, string) If the SAML IdP sends the logout response with the HTTP-Post binding, this field must be set to the value of the SAMLResponse form parameter from the logout response.

Examples

edit

The following example verifies the logout response sent by the SAML IdP using the HTTP-Redirect binding:

POST /_security/saml/complete_logout
{
  "realm": "saml1",
  "ids": [ "_1c368075e0b3..." ],
  "query_string": "SAMLResponse=fZHLasMwEEVbfb1bf...&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=CuCmFn%2BLqnaZGZJqK..."
}

If the logout response is sent with the HTTP-Post binding, it can be verified as the follows:

POST /_security/saml/complete_logout
{
  "realm": "saml1",
  "ids": [ "_1c368075e0b3..." ],
  "content": "PHNhbWxwOkxvZ291dFJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46..."
}

The API returns an empty response on success.