Logout of SAML | Elasticsearch API documentation (v8)

Logout of SAML Generally available; Added in 7.5.0

POST /_security/saml/logout

Submits a request to invalidate an access token and refresh token.

NOTE: This API is intended for use by custom web applications other than Kibana. If you are using Kibana, refer to the documentation for configuring SAML single-sign-on on the Elastic Stack.

This API invalidates the tokens that were generated for a user by the SAML authenticate API. If the SAML realm in Elasticsearch is configured accordingly and the SAML IdP supports this, the Elasticsearch response contains a URL to redirect the user to the IdP that contains a SAML logout request (starting an SP-initiated SAML Single Logout).

External documentation

application/json

Body Required

token string Required

The access token that was returned as a response to calling the SAML authenticate API. Alternatively, the most recent token that was received after refreshing the original one by using a refresh_token.
refresh_token string

The refresh token that was returned as a response to calling the SAML authenticate API. Alternatively, the most recent refresh token that was received after refreshing the original access token.

Responses

200 application/json
Hide response attribute Show response attribute object
- redirect string Required
  
  A URL that contains a SAML logout request as a parameter. You can use this URL to be redirected back to the SAML IdP and to initiate Single Logout.

POST /_security/saml/logout

POST /_security/saml/logout { "token" : "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3", "refresh_token" : "mJdXLtmvTUSpoLwMvdBt_w" }

resp = client.security.saml_logout( token="46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3", refresh_token="mJdXLtmvTUSpoLwMvdBt_w", )

const response = await client.security.samlLogout({ token: "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3", refresh_token: "mJdXLtmvTUSpoLwMvdBt_w", });

response = client.security.saml_logout( body: { "token": "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3", "refresh_token": "mJdXLtmvTUSpoLwMvdBt_w" } )

$resp = $client->security()->samlLogout([ "body" => [ "token" => "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3", "refresh_token" => "mJdXLtmvTUSpoLwMvdBt_w", ], ]);

curl -X POST -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"token":"46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3","refresh_token":"mJdXLtmvTUSpoLwMvdBt_w"}' "$ELASTICSEARCH_URL/_security/saml/logout"

client.security().samlLogout(s -> s .refreshToken("mJdXLtmvTUSpoLwMvdBt_w") .token("46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3") );

Request example

Run `POST /_security/saml/logout` to invalidate the pair of tokens that were generated by calling the SAML authenticate API with a successful SAML response.

{ "token" : "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3", "refresh_token" : "mJdXLtmvTUSpoLwMvdBt_w" }

Response examples (200)

A successful response from `POST /_security/saml/logout`.

{ "redirect" : "https://my-idp.org/logout/SAMLRequest=...." }