Add examples for security SAML APIs

Author: lcawl

output/openapi/elasticsearch-openapi.json

@@ -669,9 +669,10 @@ security-api-suggest,https://www.elastic.co/guide/en/elasticsearch/reference/{br
 security-api-cross-cluster-key-update,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-update-cross-cluster-api-key.html
 security-api-update-key,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-update-api-key.html
 security-api-update-user-data,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-update-user-profile-data.html
-security-privileges,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-privileges.html
 security-api-update-settings,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-update-settings.html
 security-encrypt-internode,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-basic-setup.html#encrypt-internode-communication
+security-privileges,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-privileges.html
+security-saml-guide,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/saml-guide-stack.html
 service-accounts,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/service-accounts.html
 set-processor,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/set-processor.html
 shape,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/shape.html

output/schema/schema.json

@@ -23,17 +23,31 @@ import { Ids } from '@_types/common'
 /**
  * Authenticate SAML.
  *
- * Submits a SAML response message to Elasticsearch for consumption.
+ * Submit a SAML response message to Elasticsearch for consumption.
+ *
+ * NOTE: This API is intended for use by custom web applications other than Kibana.
+ * If you are using Kibana, refer to the documentation for configuring SAML single-sign-on on the Elastic Stack.
+ *
+ * The SAML message that is submitted can be:
+ *
+ * * A response to a SAML authentication request that was previously created using the SAML prepare authentication API.
+ * * An unsolicited SAML message in the case of an IdP-initiated single sign-on (SSO) flow.
+ *
+ * In either case, the SAML message needs to be a base64 encoded XML document with a root element of `<Response>`.
+ *
+ * After successful validation, Elasticsearch responds with an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.
+ * This API endpoint essentially exchanges SAML responses that indicate successful authentication in the IdP for Elasticsearch access and refresh tokens, which can be used for authentication against Elasticsearch.
  * @rest_spec_name security.saml_authenticate
  * @availability stack since=7.5.0 stability=stable
  * @availability serverless stability=stable visibility=private
  * @doc_id security-api-saml-authenticate
+ * @ext_doc_id security-saml-guide
  */
 export interface Request extends RequestBase {
   body: {
-    /** The SAML response as it was sent by the user’s browser, usually a Base64 encoded XML document. */
+    /** The SAML response as it was sent by the user's browser, usually a Base64 encoded XML document. */
     content: string
-    /** A json array with all the valid SAML Request Ids that the caller of the API has for the current user. */
+    /** A JSON array with all the valid SAML Request Ids that the caller of the API has for the current user. */
     ids: Ids
     /** The name of the realm that should authenticate the SAML response. Useful in cases where many SAML realms are defined. */
     realm?: string

specification/_doc_ids/table.csv

@@ -21,10 +21,25 @@ import { integer } from '@_types/Numeric'
 
 export class Response {
   body: {
+    /**
+     * The access token that was generated by Elasticsearch.
+     */
     access_token: string
+    /**
+     * The authenticated user's name.
+     */
     username: string
+    /**
+     * The amount of time (in seconds) left until the token expires.
+     */
     expires_in: integer
+    /**
+     * The refresh token that was generated by Elasticsearch.
+     */
     refresh_token: string
+    /**
+     * The name of the realm where the user was authenticated.
+     */
     realm: string
   }
 }

specification/security/saml_authenticate/Request.ts

@@ -0,0 +1,10 @@
+# summary:
+# method_request: POST /_security/saml/authenticate
+description: >
+  Run `POST /_security/saml/authenticate` to exchange a SAML Response indicating a successful authentication at the SAML IdP for an Elasticsearch access token and refresh token to be used in subsequent requests.
+# type: request
+value: |-
+  {
+    "content" : "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMD.....",
+    "ids" : ["4fee3b046395c4e751011e97f8900b5273d56685"]
+  }

specification/security/saml_authenticate/Response.ts

@@ -0,0 +1,12 @@
+# summary:
+description: A successful response from `POST /_security/saml/authenticate`.
+# type: response
+# response_code:
+value: |-
+  {
+    "access_token" : "46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3",
+    "username" : "Bearer",
+    "expires_in" : 1200,
+    "refresh_token": "mJdXLtmvTUSpoLwMvdBt_w",
+    "realm": "saml1"
+  }

specification/security/saml_authenticate/examples/request/RequestExample1.yaml

@@ -24,18 +24,30 @@ import { Ids } from '@_types/common'
  * Logout of SAML completely.
  *
  * Verifies the logout response sent from the SAML IdP.
+ *
+ * NOTE: This API is intended for use by custom web applications other than Kibana.
+ * If you are using Kibana, refer to the documentation for configuring SAML single-sign-on on the Elastic Stack.
+ *
+ * The SAML IdP may send a logout response back to the SP after handling the SP-initiated SAML Single Logout.
+ * This API verifies the response by ensuring the content is relevant and validating its signature.
+ * An empty response is returned if the verification process is successful.
+ * The response can be sent by the IdP with either the HTTP-Redirect or the HTTP-Post binding.
+ * The caller of this API must prepare the request accordingly so that this API can handle either of them.
  * @rest_spec_name security.saml_complete_logout
  * @availability stack since=7.14.0 stability=stable
  * @availability serverless stability=stable visibility=private
  * @doc_id security-api-saml-complete-logout
+ * @ext_doc_id security-saml-guide
  */
 export interface Request extends RequestBase {
   body: {
     /** The name of the SAML realm in Elasticsearch for which the configuration is used to verify the logout response. */
     realm: string
-    /**  A json array with all the valid SAML Request Ids that the caller of the API has for the current user. */
+    /**  A JSON array with all the valid SAML Request Ids that the caller of the API has for the current user. */
     ids: Ids
-    /** If the SAML IdP sends the logout response with the HTTP-Redirect binding, this field must be set to the query string of the redirect URI. */
+    /**
+     * If the SAML IdP sends the logout response with the HTTP-Redirect binding, this field must be set to the query string of the redirect URI.
+     */
     query_string?: string
     /** If the SAML IdP sends the logout response with the HTTP-Post binding, this field must be set to the value of the SAMLResponse form parameter from the logout response. */
     content?: string

specification/security/saml_authenticate/examples/response/ResponseExample1.yaml

@@ -20,5 +20,8 @@
 import { Void } from '@spec_utils/VoidValue'
 
 export class Response {
+  /**
+   * The API returns an empty response on success.
+   */
   body: Void
 }

specification/security/saml_complete_logout/Request.ts

@@ -0,0 +1,11 @@
+summary: HTTP-Redirect binding
+# method_request: POST /_security/saml/complete_logout
+description: >
+  Run `POST /_security/saml/complete_logout` to verify the logout response sent by the SAML IdP using the HTTP-Redirect binding.
+# type: request
+value: |-
+  {
+    "realm": "saml1",
+    "ids": [ "_1c368075e0b3..." ],
+    "query_string": "SAMLResponse=fZHLasMwEEVbfb1bf...&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=CuCmFn%2BLqnaZGZJqK..."
+  }