Return realm name in SAML Authenticate API

x-pack/docs/en/rest-api/security/saml-authenticate-api.asciidoc

@@ -50,8 +50,12 @@ clients. See also
   (Required, array) A json array with all the valid SAML Request Ids that the caller of
   the API has for the current user.
 
+`realm`::
+  (Optional, string) The name of the realm that should authenticate the SAML response.
+  Useful in cases where many SAML realms are defined.
+
 [[security-api-saml-authenticate-response-body]]
-==== {api-response-body-title}  
+==== {api-response-body-title}
 
 `access_token`::
   (string) The access token that was generated by {es}.
@@ -61,6 +65,8 @@ clients. See also
   (integer) The amount of time (in seconds) left until the token expires.
 `refresh_token`::
   (string) The refresh token that was generated by {es}.
+`realm`::
+  (string) The name of the realm that the user was authenticated by.
 
 [[security-api-saml-authenticate-example]]
 ==== {api-examples-title}
@@ -87,7 +93,8 @@ The API returns the following response:
   "access_token" : "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3",
   "username" : "Bearer",
   "expires_in" : 1200,
-  "refresh_token": "mJdXLtmvTUSpoLwMvdBt_w"
+  "refresh_token": "mJdXLtmvTUSpoLwMvdBt_w",
+  "realm": "saml1"
 }
 --------------------------------------------------
 // NOTCONSOLE

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateResponse.java

@@ -5,6 +5,7 @@
  */
 package org.elasticsearch.xpack.core.security.action.saml;
 
+import org.elasticsearch.Version;
 import org.elasticsearch.action.ActionResponse;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
@@ -21,18 +22,23 @@ public final class SamlAuthenticateResponse extends ActionResponse {
     private String principal;
     private String tokenString;
     private String refreshToken;
+    private String realm;
     private TimeValue expiresIn;
 
     public SamlAuthenticateResponse(StreamInput in) throws IOException {
         super(in);
         principal = in.readString();
+        if (in.getVersion().onOrAfter(Version.V_8_0_0)) {
+            realm = in.readString();
+        }
         tokenString = in.readString();
         refreshToken = in.readString();
         expiresIn = in.readTimeValue();
     }
 
-    public SamlAuthenticateResponse(String principal, String tokenString, String refreshToken, TimeValue expiresIn) {
+    public SamlAuthenticateResponse(String principal, String realm, String tokenString, String refreshToken, TimeValue expiresIn) {
         this.principal = principal;
+        this.realm = realm;
         this.tokenString = tokenString;
         this.refreshToken = refreshToken;
         this.expiresIn = expiresIn;
@@ -42,6 +48,10 @@ public String getPrincipal() {
         return principal;
     }
 
+    public String getRealm() {
+        return realm;
+    }
+
     public String getTokenString() {
         return tokenString;
     }
@@ -57,6 +67,9 @@ public TimeValue getExpiresIn() {
     @Override
     public void writeTo(StreamOutput out) throws IOException {
         out.writeString(principal);
+        if (out.getVersion().onOrAfter(Version.V_8_0_0)) {
+            out.writeString(realm);
+        }
         out.writeString(tokenString);
         out.writeString(refreshToken);
         out.writeTimeValue(expiresIn);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java

@@ -68,7 +68,8 @@ protected void doExecute(Task task, SamlAuthenticateRequest request, ActionListe
                         tokenMeta, true, ActionListener.wrap(tuple -> {
                             final TimeValue expiresIn = tokenService.getExpirationDelay();
                             listener.onResponse(
-                                    new SamlAuthenticateResponse(authentication.getUser().principal(), tuple.v1(), tuple.v2(), expiresIn));
+                                new SamlAuthenticateResponse(authentication.getUser().principal(),
+                                    authentication.getAuthenticatedBy().getName(), tuple.v1(), tuple.v2(), expiresIn));
                         }, listener::onFailure));
             }, e -> {
                 logger.debug(() -> new ParameterizedMessage("SamlToken [{}] could not be authenticated", saml), e);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/RestSamlAuthenticateAction.java

@@ -99,6 +99,7 @@ public RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClient c
                     public RestResponse buildResponse(SamlAuthenticateResponse response, XContentBuilder builder) throws Exception {
                         builder.startObject()
                                 .field("username", response.getPrincipal())
+                                .field("realm", response.getRealm())
                                 .field("access_token", response.getTokenString())
                                 .field("refresh_token", response.getRefreshToken())
                                 .field("expires_in", response.getExpiresIn().seconds())