From 8d6725c35a60a9ff40726048f3703a1c320852fc Mon Sep 17 00:00:00 2001
From: piotrsulkowski-elastic <piotr.sulkowski@elastic.co>
Date: Mon, 8 Dec 2025 19:50:56 +0000
Subject: [PATCH] Add in_response_to field to SAML response

Adds a new field in the response of SAML
authentication request, reflecting recent
change in elasticsearch

Closes elastic/elasticsearch#128179
---
 output/openapi/elasticsearch-openapi.json        |  6 +++++-
 output/schema/schema.json                        | 16 ++++++++++++++--
 output/typescript/types.ts                       |  1 +
 .../security/saml_authenticate/Response.ts       |  4 ++++
 .../SamlAuthenticateResponseExample1.yaml        |  3 ++-
 5 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/output/openapi/elasticsearch-openapi.json b/output/openapi/elasticsearch-openapi.json
index 66409f5c2e..1f8bc0be1d 100644
--- a/output/openapi/elasticsearch-openapi.json
+++ b/output/openapi/elasticsearch-openapi.json
@@ -44851,6 +44851,10 @@
                     "realm": {
                       "description": "The name of the realm where the user was authenticated.",
                       "type": "string"
+                    },
+                    "in_response_to": {
+                      "description": "The id of the request that initiated the authentication process.",
+                      "type": "string"
                     }
                   },
                   "required": [
@@ -44864,7 +44868,7 @@
                 "examples": {
                   "SamlAuthenticateResponseExample1": {
                     "description": "A successful response from `POST /_security/saml/authenticate`.",
-                    "value": "{\n  \"access_token\" : \"46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3\",\n  \"username\" : \"Bearer\",\n  \"expires_in\" : 1200,\n  \"refresh_token\": \"mJdXLtmvTUSpoLwMvdBt_w\",\n  \"realm\": \"saml1\"\n}"
+                    "value": "{\n  \"access_token\" : \"46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3\",\n  \"username\" : \"Bearer\",\n  \"expires_in\" : 1200,\n  \"refresh_token\": \"mJdXLtmvTUSpoLwMvdBt_w\",\n  \"realm\": \"saml1\",\n  \"in_response_to\": \"4fee3b046395c4e751011e97f8900b5273d56685\"\n}"
                   }
                 }
               }
diff --git a/output/schema/schema.json b/output/schema/schema.json
index 56b05ddd45..eac7f65b65 100644
--- a/output/schema/schema.json
+++ b/output/schema/schema.json
@@ -256356,20 +256356,32 @@
                 "namespace": "_builtins"
               }
             }
+          },
+          {
+            "description": "The id of the request that initiated the authentication process.",
+            "name": "in_response_to",
+            "required": false,
+            "type": {
+              "kind": "instance_of",
+              "type": {
+                "name": "string",
+                "namespace": "_builtins"
+              }
+            }
           }
         ]
       },
       "examples": {
         "SamlAuthenticateResponseExample1": {
           "description": "A successful response from `POST /_security/saml/authenticate`.",
-          "value": "{\n  \"access_token\" : \"46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3\",\n  \"username\" : \"Bearer\",\n  \"expires_in\" : 1200,\n  \"refresh_token\": \"mJdXLtmvTUSpoLwMvdBt_w\",\n  \"realm\": \"saml1\"\n}"
+          "value": "{\n  \"access_token\" : \"46ToAxZVaXVVZTVKOVF5YU04ZFJVUDVSZlV3\",\n  \"username\" : \"Bearer\",\n  \"expires_in\" : 1200,\n  \"refresh_token\": \"mJdXLtmvTUSpoLwMvdBt_w\",\n  \"realm\": \"saml1\",\n  \"in_response_to\": \"4fee3b046395c4e751011e97f8900b5273d56685\"\n}"
         }
       },
       "name": {
         "name": "Response",
         "namespace": "security.saml_authenticate"
       },
-      "specLocation": "security/saml_authenticate/Response.ts#L22-L45"
+      "specLocation": "security/saml_authenticate/Response.ts#L22-L49"
     },
     {
       "kind": "request",
diff --git a/output/typescript/types.ts b/output/typescript/types.ts
index acc732a7b5..abcc0c6aca 100644
--- a/output/typescript/types.ts
+++ b/output/typescript/types.ts
@@ -21669,6 +21669,7 @@ export interface SecuritySamlAuthenticateResponse {
   expires_in: integer
   refresh_token: string
   realm: string
+  in_response_to?: string
 }
 
 export interface SecuritySamlCompleteLogoutRequest extends RequestBase {
diff --git a/specification/security/saml_authenticate/Response.ts b/specification/security/saml_authenticate/Response.ts
index 3acbf6117e..8701ced542 100644
--- a/specification/security/saml_authenticate/Response.ts
+++ b/specification/security/saml_authenticate/Response.ts
@@ -41,5 +41,9 @@ export class Response {
      * The name of the realm where the user was authenticated.
      */
     realm: string
+    /**
+     * The id of the request that initiated the authentication process.
+     */
+    in_response_to?: string
   }
 }
diff --git a/specification/security/saml_authenticate/examples/response/SamlAuthenticateResponseExample1.yaml b/specification/security/saml_authenticate/examples/response/SamlAuthenticateResponseExample1.yaml
index 3ae3fd4e7b..a041e379df 100644
--- a/specification/security/saml_authenticate/examples/response/SamlAuthenticateResponseExample1.yaml
+++ b/specification/security/saml_authenticate/examples/response/SamlAuthenticateResponseExample1.yaml
@@ -8,5 +8,6 @@ value: |-
     "username" : "Bearer",
     "expires_in" : 1200,
     "refresh_token": "mJdXLtmvTUSpoLwMvdBt_w",
-    "realm": "saml1"
+    "realm": "saml1",
+    "in_response_to": "4fee3b046395c4e751011e97f8900b5273d56685"
   }