[role="xpack"]
[[security-api-saml-logout]]
=== SAML logout API

Submits a request to invalidate an access token and refresh token.

NOTE: This API is intended for use by custom web applications other than {kib}.
If you are using {kib}, see the <<saml-guide>>.

[[security-api-saml-logout-request]]
==== {api-request-title}

`POST /_security/saml/logout`

[[security-api-saml-logout-desc]]
==== {api-description-title}

This API invalidates the tokens that were generated for a user by the
<<security-api-saml-authenticate,SAML authenticate API>>.

If the SAML realm in {es} is configured for Single Logout and the SAML IdP
supports it, the {es} response contains a URL that redirects the user to the
IdP. The URL carries a SAML logout request, which starts an SP-initiated SAML
Single Logout.

{es} exposes all the necessary SAML-related functionality via the SAML APIs.
These APIs are used internally by {kib} to provide SAML-based
authentication, but can also be used by other custom web applications or other
clients. See also <<security-api-saml-authenticate,SAML authenticate API>>,
<<security-api-saml-prepare-authentication,SAML prepare authentication API>>,
and <<security-api-saml-invalidate,SAML invalidate API>>.

[[security-api-saml-logout-request-body]]
==== {api-request-body-title}

`token`::
(Required, string) The access token that was returned as a response to calling the
<<security-api-saml-authenticate,SAML authenticate API>>. Alternatively, the most
recent token that was received after refreshing the original one by using a
`refresh_token`.

`refresh_token`::
(Optional, string) The refresh token that was returned as a response to calling the
<<security-api-saml-authenticate,SAML authenticate API>>. Alternatively, the
most recent refresh token that was received after refreshing the original access token.

[[security-api-saml-logout-response-body]]
==== {api-response-body-title}

`redirect`::
(string) A URL that contains a SAML logout request as a parameter. The user
can use this URL to be redirected back to the SAML IdP and to initiate Single
Logout.

[[security-api-saml-logout-example]]
==== {api-examples-title}

The following example invalidates the pair of tokens that were generated by
calling the <<security-api-saml-authenticate,SAML authenticate API>>
with a successful SAML response:

[source,console]
--------------------------------------------------
POST /_security/saml/logout
{
  "token" : "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3",
  "refresh_token" : "mJdXLtmvTUSpoLwMvdBt_w"
}
--------------------------------------------------
// TEST[skip:can't test this without a valid SAML Response]

The API returns the following response:

[source,js]
--------------------------------------------------
{
  "redirect" : "https://my-idp.org/logout/SAMLRequest=...."
}
--------------------------------------------------
// NOTCONSOLE
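
The following Python is an added example, not part of the {es} documentation or code base. It shows how a custom web application can build the request body, treat a missing or null `redirect` as a local-only logout, and refuse to follow a `redirect` whose scheme or host is not the expected IdP. The names `post_json`, `fake_es`, `EXPECTED_IDP_HOST` and the helper functions are assumptions; `fake_es` is a constructed stand-in that returns the sample response shown above.

```python
from urllib.parse import urlsplit

# Assumption: the IdP host this application's SAML realm is bound to.
EXPECTED_IDP_HOST = "my-idp.org"


def build_logout_body(access_token, refresh_token=None):
    """`token` is required; `refresh_token` is optional."""
    if not access_token:
        raise ValueError("token is required")
    body = {"token": access_token}
    if refresh_token:
        body["refresh_token"] = refresh_token
    return body


def safe_redirect(response, expected_host=EXPECTED_IDP_HOST):
    """Return the IdP logout URL, or None when the response has no redirect
    (assumed missing or null when Single Logout is not available)."""
    url = response.get("redirect")
    if not url:
        return None  # nothing to follow: end the local session only
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != expected_host:
        raise ValueError("logout redirect does not point at the expected IdP")
    return url


def saml_logout(post_json, access_token, refresh_token=None):
    """Invalidate the token pair and return where to send the browser.
    `post_json(path, body) -> dict` is a hypothetical transport owned by the
    application; it handles TLS and authentication to Elasticsearch."""
    body = build_logout_body(access_token, refresh_token)
    return safe_redirect(post_json("/_security/saml/logout", body))


def fake_es(path, body):
    """Constructed stand-in for Elasticsearch so the example runs offline."""
    assert path == "/_security/saml/logout" and "token" in body
    return {"redirect": "https://my-idp.org/logout/SAMLRequest=...."}


if __name__ == "__main__":
    print(saml_logout(fake_es, "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3",
                      "mJdXLtmvTUSpoLwMvdBt_w"))
```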