diff --git a/x-pack/docs/en/rest-api/security/saml-authenticate-api.asciidoc b/x-pack/docs/en/rest-api/security/saml-authenticate-api.asciidoc index 7f9a917d54645..aab0d14d3a14a 100644 --- a/x-pack/docs/en/rest-api/security/saml-authenticate-api.asciidoc +++ b/x-pack/docs/en/rest-api/security/saml-authenticate-api.asciidoc @@ -50,8 +50,12 @@ clients. See also (Required, array) A json array with all the valid SAML Request Ids that the caller of the API has for the current user. +`realm`:: + (Optional, string) The name of the realm that should authenticate the SAML response. + Useful in cases where many SAML realms are defined. + [[security-api-saml-authenticate-response-body]] -==== {api-response-body-title} +==== {api-response-body-title} `access_token`:: (string) The access token that was generated by {es}. @@ -61,6 +65,8 @@ clients. See also (integer) The amount of time (in seconds) left until the token expires. `refresh_token`:: (string) The refresh token that was generated by {es}. +`realm`:: + (string) The name of the realm that the user was authenticated by. [[security-api-saml-authenticate-example]] ==== {api-examples-title} @@ -87,7 +93,8 @@ The API returns the following response: "access_token" : "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3", "username" : "Bearer", "expires_in" : 1200, - "refresh_token": "mJdXLtmvTUSpoLwMvdBt_w" + "refresh_token": "mJdXLtmvTUSpoLwMvdBt_w", + "realm": "saml1" } -------------------------------------------------- // NOTCONSOLE diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateResponse.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateResponse.java index aa11093236a0b..61b58d33544c3 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateResponse.java 
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateResponse.java
@@ -5,6 +5,7 @@ */
 package org.elasticsearch.xpack.core.security.action.saml;
+import org.elasticsearch.Version;
 import org.elasticsearch.action.ActionResponse;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
@@ -21,18 +22,23 @@ public final class SamlAuthenticateResponse extends ActionResponse {
 private String principal;
 private String tokenString;
 private String refreshToken;
+ private String realm;
 private TimeValue expiresIn;
 public SamlAuthenticateResponse(StreamInput in) throws IOException {
 super(in);
 principal = in.readString();
+ if (in.getVersion().onOrAfter(Version.V_8_0_0)) {
+ realm = in.readString();
+ }
 tokenString = in.readString();
 refreshToken = in.readString();
 expiresIn = in.readTimeValue();
 }
- public SamlAuthenticateResponse(String principal, String tokenString, String refreshToken, TimeValue expiresIn) {
+ public SamlAuthenticateResponse(String principal, String realm, String tokenString, String refreshToken, TimeValue expiresIn) {
 this.principal = principal;
+ this.realm = realm;
 this.tokenString = tokenString;
 this.refreshToken = refreshToken;
 this.expiresIn = expiresIn;
@@ -42,6 +48,10 @@ public String getPrincipal() {
 return principal;
 }
+ public String getRealm() {
+ return realm;
+ }
+
 public String getTokenString() {
 return tokenString;
 }
@@ -57,6 +67,9 @@ public TimeValue getExpiresIn() {
 @Override
 public void writeTo(StreamOutput out) throws IOException {
 out.writeString(principal);
+ if (out.getVersion().onOrAfter(Version.V_8_0_0)) {
+ out.writeString(realm);
+ }
 out.writeString(tokenString);
 out.writeString(refreshToken);
 out.writeTimeValue(expiresIn);
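Review bot: `realm` stays null when the response is read from a node before `Version.V_8_0_0` (the `StreamInput` constructor only reads it inside the version gate) and the explicit constructor stores whatever it is handed, yet `writeTo` in the last hunk of this file calls `out.writeString(realm)`, which unlike `writeOptionalString` does not accept null; a response deserialized from an older node and re-serialized towards a newer one would fail there. Either make the field optional on the wire, `realm = in.readOptionalString();` and `out.writeOptionalString(realm);` inside the existing version checks, or enforce non-null at construction with `this.realm = java.util.Objects.requireNonNull(realm, "realm");` and accept that old-node responses carry no realm. In both cases the field deserves a comment stating the compatibility rule, e.g. `// realm was added in 8.0; left null when the peer is older`. The class body continues outside the hunk.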
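Review bot: `getRealm()` is new public API on a class that crosses the wire but carries no Javadoc saying what the value is or when it can be absent, and the `StreamInput` constructor earlier in this file leaves the field unset for responses from nodes before `Version.V_8_0_0`. A one-line Javadoc makes that contract visible to callers: `/** Name of the realm that authenticated the SAML response; {@code null} when the response was read from a node older than 8.0. */`.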
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java
index 36b78b480c1b1..647af62e25373 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java
@@ -68,7 +68,8 @@ protected void doExecute(Task task, SamlAuthenticateRequest request, ActionListe
 tokenMeta, true, ActionListener.wrap(tuple -> {
 final TimeValue expiresIn = tokenService.getExpirationDelay();
 listener.onResponse(
- new SamlAuthenticateResponse(authentication.getUser().principal(), tuple.v1(), tuple.v2(), expiresIn));
+ new SamlAuthenticateResponse(authentication.getUser().principal(),
+ authentication.getAuthenticatedBy().getName(), tuple.v1(), tuple.v2(), expiresIn));
 }, listener::onFailure));
 }, e -> {
 logger.debug(() -> new ParameterizedMessage("SamlToken [{}] could not be authenticated", saml), e);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/RestSamlAuthenticateAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/RestSamlAuthenticateAction.java
index 94ead1b21532b..b3b3e660cb1fe 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/RestSamlAuthenticateAction.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/RestSamlAuthenticateAction.java
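Review bot: The realm name is computed inline as `authentication.getAuthenticatedBy().getName()` in the middle of a wrapped constructor call, which makes the argument list hard to scan and hides the one fact worth stating here: the reported realm is taken from the server-side `Authentication`, i.e. the realm that actually validated the SAML response, not from the caller-supplied realm hint the docs change introduces. Hoisting it beside `expiresIn` reads better and gives that fact a home: `// realm that actually authenticated the token, taken from the Authentication rather than the request` / `final String realmName = authentication.getAuthenticatedBy().getName();`, then pass `realmName` to the constructor. Whether `getAuthenticatedBy()` can be null at this point cannot be told from the hunk; if it can, the chain needs a guard. The enclosing `doExecute` begins and ends outside the hunk.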
@@ -97,6 +97,7 @@ public RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClient c
 public RestResponse buildResponse(SamlAuthenticateResponse response, XContentBuilder builder) throws Exception {
 builder.startObject()
 .field("username", response.getPrincipal())
+ .field("realm", response.getRealm())
 .field("access_token", response.getTokenString())
 .field("refresh_token", response.getRefreshToken())
 .field("expires_in", response.getExpiresIn().seconds())
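Review bot: `.field("realm", response.getRealm())` writes the value unconditionally, and `SamlAuthenticateResponse` in this commit leaves `realm` unset when it is read from a node before 8.0, so if such a response can reach this handler the output will most likely contain `"realm": null` while the docs describe the field as a string. If the field is meant to be absent rather than null in that case, emit it conditionally, e.g. `if (response.getRealm() != null) { builder.field("realm", response.getRealm()); }` placed between the `username` and `access_token` fields instead of inside the chain; if a null realm is never expected here, a short comment saying so on this line would save the next reader the same question. `buildResponse` continues past the end of the hunk.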