From 09773efb413c892d90c0c6df59d8bb5a0aa36513 Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas <ioannis@elastic.co>
Date: Tue, 18 Feb 2020 17:16:24 +0200
Subject: [PATCH] [7.x] Return realm name in SAML Authenticate API (#52188)
 (#52465)

This is useful in cases where the caller of the API needs to know
the name of the realm that consumed the SAML Response and
authenticated the user and this is not self evident (i.e. because
there are many saml realms defined in ES).
Currently, the way to learn the realm name would be to make a
subsequent request to the `_authenticate` API.
---
 .../security/saml-authenticate-api.asciidoc       | 11 +++++++++--
 .../action/saml/SamlAuthenticateResponse.java     | 15 ++++++++++++++-
 .../saml/TransportSamlAuthenticateAction.java     |  3 ++-
 .../action/saml/RestSamlAuthenticateAction.java   |  1 +
 4 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/x-pack/docs/en/rest-api/security/saml-authenticate-api.asciidoc b/x-pack/docs/en/rest-api/security/saml-authenticate-api.asciidoc
index 7f9a917d54645..aab0d14d3a14a 100644
--- a/x-pack/docs/en/rest-api/security/saml-authenticate-api.asciidoc
+++ b/x-pack/docs/en/rest-api/security/saml-authenticate-api.asciidoc
@@ -50,8 +50,12 @@ clients. See also
   (Required, array) A json array with all the valid SAML Request Ids that the caller of
   the API has for the current user.
 
+`realm`::
+  (Optional, string) The name of the realm that should authenticate the SAML response.
+  Useful in cases where many SAML realms are defined.
+
 [[security-api-saml-authenticate-response-body]]
-==== {api-response-body-title}  
+==== {api-response-body-title}
 
 `access_token`::
   (string) The access token that was generated by {es}.
@@ -61,6 +65,8 @@ clients. See also
   (integer) The amount of time (in seconds) left until the token expires.
 `refresh_token`::
   (string) The refresh token that was generated by {es}.
+`realm`::
+  (string) The name of the realm that the user was authenticated by.
 
 [[security-api-saml-authenticate-example]]
 ==== {api-examples-title}
@@ -87,7 +93,8 @@ The API returns the following response:
   "access_token" : "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3",
   "username" : "Bearer",
   "expires_in" : 1200,
-  "refresh_token": "mJdXLtmvTUSpoLwMvdBt_w"
+  "refresh_token": "mJdXLtmvTUSpoLwMvdBt_w",
+  "realm": "saml1"
 }
 --------------------------------------------------
 // NOTCONSOLE
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateResponse.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateResponse.java
index aa11093236a0b..ff1edfca2dc87 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateResponse.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateResponse.java
@@ -5,6 +5,7 @@
  */
 package org.elasticsearch.xpack.core.security.action.saml;
 
+import org.elasticsearch.Version;
 import org.elasticsearch.action.ActionResponse;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
@@ -21,18 +22,23 @@ public final class SamlAuthenticateResponse extends ActionResponse {
     private String principal;
     private String tokenString;
     private String refreshToken;
+    private String realm;
     private TimeValue expiresIn;
 
     public SamlAuthenticateResponse(StreamInput in) throws IOException {
         super(in);
         principal = in.readString();
+        if (in.getVersion().onOrAfter(Version.V_7_7_0)) {
+            realm = in.readString();
+        }
         tokenString = in.readString();
         refreshToken = in.readString();
         expiresIn = in.readTimeValue();
     }
 
-    public SamlAuthenticateResponse(String principal, String tokenString, String refreshToken, TimeValue expiresIn) {
+    public SamlAuthenticateResponse(String principal, String realm, String tokenString, String refreshToken, TimeValue expiresIn) {
         this.principal = principal;
+        this.realm = realm;
         this.tokenString = tokenString;
         this.refreshToken = refreshToken;
         this.expiresIn = expiresIn;
@@ -42,6 +48,10 @@ public String getPrincipal() {
         return principal;
     }
 
+    public String getRealm() {
+        return realm;
+    }
+
     public String getTokenString() {
         return tokenString;
     }
@@ -57,6 +67,9 @@ public TimeValue getExpiresIn() {
     @Override
     public void writeTo(StreamOutput out) throws IOException {
         out.writeString(principal);
+        if (out.getVersion().onOrAfter(Version.V_7_7_0)) {
+            out.writeString(realm);
+        }
         out.writeString(tokenString);
         out.writeString(refreshToken);
         out.writeTimeValue(expiresIn);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java
index 36b78b480c1b1..647af62e25373 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java
@@ -68,7 +68,8 @@ protected void doExecute(Task task, SamlAuthenticateRequest request, ActionListe
                         tokenMeta, true, ActionListener.wrap(tuple -> {
                             final TimeValue expiresIn = tokenService.getExpirationDelay();
                             listener.onResponse(
-                                    new SamlAuthenticateResponse(authentication.getUser().principal(), tuple.v1(), tuple.v2(), expiresIn));
+                                new SamlAuthenticateResponse(authentication.getUser().principal(),
+                                    authentication.getAuthenticatedBy().getName(), tuple.v1(), tuple.v2(), expiresIn));
                         }, listener::onFailure));
             }, e -> {
                 logger.debug(() -> new ParameterizedMessage("SamlToken [{}] could not be authenticated", saml), e);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/RestSamlAuthenticateAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/RestSamlAuthenticateAction.java
index 3dbdb950d18b7..1ae7605e70759 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/RestSamlAuthenticateAction.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/RestSamlAuthenticateAction.java
@@ -98,6 +98,7 @@ public RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClient c
                     public RestResponse buildResponse(SamlAuthenticateResponse response, XContentBuilder builder) throws Exception {
                         builder.startObject()
                                 .field("username", response.getPrincipal())
+                                .field("realm", response.getRealm())
                                 .field("access_token", response.getTokenString())
                                 .field("refresh_token", response.getRefreshToken())
                                 .field("expires_in", response.getExpiresIn().seconds())