Document SAML APIs #45105
Merged
Document SAML APIs #45105
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change adds documentation for the SAML APIs in Elasticsearch and adds simple instructions on how these APIs can be used to authenticate a user with SAML by a custom web application other than Kibana. Resolves: elastic#40352
jkakavas
added
>docs
|
Pinging @elastic/es-security |
|
Pinging @elastic/es-docs |
|
@elasticmachine update branch |
|
@elasticmachine test this please |
@elasticmachine run elasticsearch-ci/2 |
lcawl
reviewed
Aug 2, 2019
x-pack/docs/en/rest-api/security/saml-authenticate-api.asciidoc
Outdated
Show resolved
Hide resolved
lcawl
reviewed
Aug 2, 2019
x-pack/docs/en/rest-api/security/saml-authenticate-api.asciidoc
Outdated
Show resolved
Hide resolved
lcawl
reviewed
Aug 2, 2019
x-pack/docs/en/rest-api/security/saml-authenticate-api.asciidoc
Outdated
Show resolved
Hide resolved
lcawl
reviewed
Aug 2, 2019
lcawl
reviewed
Aug 2, 2019
lcawl
reviewed
Aug 2, 2019
lcawl
reviewed
Aug 2, 2019
lcawl
reviewed
Aug 2, 2019
lcawl
reviewed
Aug 2, 2019
lcawl
reviewed
Aug 2, 2019
lcawl
reviewed
Aug 2, 2019
|
@elasticmachine test this please |
tvernum
approved these changes
Oct 7, 2019
|
@lcawl is this ok to merge from your perspective too ? |
lcawl
reviewed
Oct 10, 2019
| @@ -853,3 +853,171 @@ A conscious effort has been made to mask this complexity with sane defaults and | |||
| documentation above but in case you encounter issues while configuring a SAML realm, you can | |||
| look through our {stack-ov}/trb-security-saml.html[SAML troubleshooting documentation] that has | |||
| suggestions and resolutions for common issues. | |||
|
|
|||
| === SAML without {kib} | |||
There was a problem hiding this comment.
If we don't specify an anchor here, our build makes one up, which is not reliable. I suggest:
Suggested change
| === SAML without {kib} | |
| [[saml-no-kibana]] | |
| === SAML without {kib} |
lcawl
reviewed
Oct 10, 2019
| for subsequent calls to {es}. The refresh token enables the user to get new {es} | ||
| access tokens after the current one expires. | ||
|
|
||
| ==== SAML realm |
There was a problem hiding this comment.
Likewise, we should have an anchor here too. Otherwise, it is currently defaulting to "_saml_realm". For example:
Suggested change
| ==== SAML realm | |
| [[saml-no-kibana-realm]] | |
| ==== SAML realm |
lcawl
reviewed
Oct 10, 2019
| You must create a SAML realm and configure it accordingly | ||
| in {es}. See <<saml-guide-authentication>> | ||
|
|
||
| ==== Service Account user for accessing the APIs |
There was a problem hiding this comment.
Likewise, this is defaulting to "_service_account_user_for_accessing_the_apis" for an anchor. I suggest explicitly setting it to something like this:
Suggested change
| ==== Service Account user for accessing the APIs | |
| [[saml-no-kibana-user]] | |
| ==== Service Account user for accessing the APIs |
lcawl
reviewed
Oct 10, 2019
| Response for that user, you can call the Authenticate API `/_security/_authenticate/` using the access token as a `Bearer` token | ||
| and the SAML attribute values will be contained in the response as part of the <<saml-user-metadata>>. | ||
|
|
||
|
|
There was a problem hiding this comment.
This section's URL defaults to "_handling_the_idp_initiated_authentication_flow", so I suggest setting it to something like this:
Suggested change
| [[saml-idp-init]] |
lcawl
reviewed
Oct 10, 2019
| // CONSOLE | ||
| // TEST[skip:handled in IT] | ||
|
|
||
| ==== Handling the logout flow |
There was a problem hiding this comment.
This section URL defaults to "_handling_the_logout_flow", I suggest something like this:
Suggested change
| ==== Handling the logout flow | |
| [[saml-logout]] | |
| ==== Handling the logout flow |
lcawl
reviewed
Oct 10, 2019
| Submits a SAML `Response` message to {es} for consumption. | ||
|
|
||
| NOTE: This API is intended for use by custom web applications other than {kib}. | ||
| If you are using {kib}, see the {stack-ov}/saml-guide.html[SAML guide]. |
There was a problem hiding this comment.
When this PR is rebased against master, you'll see that this content is all now in the elasticsearch repo for use in the Elasticsearch Reference, so the URLs should change as follows:
Suggested change
| If you are using {kib}, see the {stack-ov}/saml-guide.html[SAML guide]. | |
| If you are using {kib}, see the <<saml-guide>>. |
lcawl
reviewed
Oct 10, 2019
| as a `Bearer` token for subsequent requests and a refresh token that can be later used to refresh the given | ||
| access token as described in {ref}/security-api-get-token.html[get token API]. | ||
| as a `Bearer` token for subsequent requests and a refresh token that can be later used to refresh the given | ||
| access token as described in {ref}/security-api-get-token.html[get token API]. |
There was a problem hiding this comment.
Suggested change
| access token as described in {ref}/security-api-get-token.html[get token API]. | |
| access token as described in <<security-api-get-token,get token API>>. |
lcawl
reviewed
Oct 10, 2019
| . Make an HTTP POST request to `_security/saml/prepare`, authenticating as | ||
| the `saml-service-user` user. Use either the name of the SAML realm in the {es} configuration or the value for | ||
| the Assertion Consumer Service URL in the request body. | ||
| See the {ref}/security-api-saml-prepare-authentication.html[SAML prepare authentication API] for more details. |
There was a problem hiding this comment.
Suggested change
| See the {ref}/security-api-saml-prepare-authentication.html[SAML prepare authentication API] for more details. | |
| See the <<security-api-saml-prepare-authentication,SAML prepare authentication API>> for more details. |
lcawl
reviewed
Oct 10, 2019
| `_security/saml/authenticate` API. It must authenticate as the `saml-service-user` user and pass | ||
| the Base64 encoded SAML Response that was sent as the body of the request. It must also pass the value for `id` that it had saved in the user's session previously. | ||
| + | ||
| See {ref}/security-api-saml-authenticate.html[SAML authenticate API] for more details. |
There was a problem hiding this comment.
Suggested change
| See {ref}/security-api-saml-authenticate.html[SAML authenticate API] for more details. | |
| See <<security-api-saml-authenticate,SAML authenticate API>> for more details. |
lcawl
reviewed
Oct 10, 2019
| + | ||
| Elasticsearch will validate this and if all is correct will respond with an access token that can be used | ||
| as a `Bearer` token for subsequent requests. It also supplies a refresh token that can be later used to refresh the given | ||
| access token as described in {ref}/security-api-get-token.html[get token API]. |
There was a problem hiding this comment.
Suggested change
| access token as described in {ref}/security-api-get-token.html[get token API]. | |
| access token as described in <<security-api-get-token,get token API>>. |
lcawl
reviewed
Oct 10, 2019
|
|
||
| ==== Handling the logout flow | ||
| . At some point, if necessary, the custom web application can log the user out by using the | ||
| {ref}/security-api-saml-logout.html[SAML logout API] and passing the access token and refresh token as parameters. For example: |
There was a problem hiding this comment.
Suggested change
| {ref}/security-api-saml-logout.html[SAML logout API] and passing the access token and refresh token as parameters. For example: | |
| <<security-api-saml-logout,SAML logout API>> and passing the access token and refresh token as parameters. For example: |
lcawl
reviewed
Oct 10, 2019
| . Alternatively, the IdP might initiate the Single Logout flow at some point. In order to handle this, | ||
| the Logout URL (`sp.logout`) needs to be handled by the custom web app. The query part of the URL that the | ||
| user will be redirected to will contain a SAML Logout request and this query part needs to be relayed to {es} | ||
| using the {ref}/security-api-saml-invalidate.html[SAML invalidate API] |
There was a problem hiding this comment.
Suggested change
| using the {ref}/security-api-saml-invalidate.html[SAML invalidate API] | |
| using the <<security-api-saml-invalidate,SAML invalidate API>> |
jkakavas
added a commit
to jkakavas/elasticsearch
that referenced
this pull request
Oct 11, 2019
* Document SAML APIs This change adds documentation for the SAML APIs in Elasticsearch and adds simple instructions on how these APIs can be used to authenticate a user with SAML by a custom web application other than Kibana. Resolves: elastic#40352 * typo * fix links * fix more links * [DOCS] Fixes broken link * Add metadata file with shorter names for docs, fix typos and mute tests * [DOCS] Reformats the SAML APIs to match API template * Apply suggestions from code review Co-Authored-By: Lisa Cawley <[email protected]> * Address feedback and add small section on IdP-initiated SSO handling * address feedback * moar feedback * Clarifications and addressing feedback * properly resolve conflicts * address feedback * fix doc links * minor fixes * Fix reference
jkakavas
added a commit
that referenced
this pull request
Oct 11, 2019
howardhuanghua
pushed a commit
to TencentCloudES/elasticsearch
that referenced
this pull request
Oct 14, 2019
* Document SAML APIs This change adds documentation for the SAML APIs in Elasticsearch and adds simple instructions on how these APIs can be used to authenticate a user with SAML by a custom web application other than Kibana. Resolves: elastic#40352 * typo * fix links * fix more links * [DOCS] Fixes broken link * Add metadata file with shorter names for docs, fix typos and mute tests * [DOCS] Reformats the SAML APIs to match API template * Apply suggestions from code review Co-Authored-By: Lisa Cawley <[email protected]> * Address feedback and add small section on IdP-initiated SSO handling * address feedback * moar feedback * Clarifications and addressing feedback * properly resolve conflicts * address feedback * fix doc links * minor fixes * Fix reference
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change adds documentation for the SAML APIs in Elasticsearch
and adds simple instructions on how these APIs can be used to
authenticate a user with SAML by a custom web application other
than Kibana.
Resolves: #40352