LinuxCommandLibrary

elasticsearch-saml-metadata

Generate Elasticsearch SAML service provider metadata

TLDR

Generate SAML metadata for a specific realm and print it to stdout
$ elasticsearch-saml-metadata --realm [realm_name]

Generate SAML metadata and write it to a specific file
$ elasticsearch-saml-metadata --realm [realm_name] --out [path/to/file.xml]

Display help
$ elasticsearch-saml-metadata [[-h|--help]]

SYNOPSIS

elasticsearch-saml-metadata --url es_cluster_url --saml-realm realm_name [--output file] [options]

PARAMETERS

--url es_cluster_url
    Specifies the URL of the Elasticsearch cluster (e.g., https://localhost:9200). This URL is used to derive the Entity ID and Assertion Consumer Service (ACS) URL within the generated SAML metadata. It must be an accessible endpoint of your Elasticsearch instance.

--saml-realm realm_name
    Mandatory. Defines the name of the SAML authentication realm configured in your elasticsearch.yml file for which the metadata should be generated. The specified realm must already exist and be active.

--output file
    Specifies the path to the output file where the SAML metadata XML will be written. If this option is omitted, the metadata will be printed to standard output (stdout).

--force
    Forces the command to overwrite the output file if it already exists, without prompting for confirmation.

--insecure
    Allows the command to connect to an Elasticsearch cluster even if its SSL/TLS certificate is untrusted (e.g., self-signed or expired). Use with caution in production environments.

--ca-cert file
    Specifies the path to a CA certificate bundle (.pem file) used to verify the SSL/TLS certificate of the Elasticsearch cluster. Use this rather than --insecure so the connection is verified against a CA you trust.

--config file
    Specifies a path to a configuration file that provides command-line options. Options specified directly on the command line will override those in the file.

--username username
    Provides the username for authenticating with the Elasticsearch cluster, if basic authentication is required for accessing the security endpoint.

--password password
    Provides the password for the specified username when authenticating with the Elasticsearch cluster.

--help
    Displays a help message detailing the command's usage and available options.

DESCRIPTION

The elasticsearch-saml-metadata command is a crucial utility provided by Elasticsearch for setting up SAML (Security Assertion Markup Language) authentication. It generates the Service Provider (SP) metadata XML file for a specific SAML realm configured in your Elasticsearch cluster. This metadata file contains essential information about the Elasticsearch SP, such as its entity ID, Assertion Consumer Service (ACS) URL, and signing certificate, which is then provided to your Identity Provider (IdP). The IdP uses this information to configure its side of the SAML integration, allowing it to correctly send authenticated assertions back to Elasticsearch. This command simplifies the complex process of creating the necessary XML metadata, ensuring interoperability between Elasticsearch and a wide range of SAML 2.0 compliant Identity Providers.
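As an added example (not code from this page or from Elasticsearch), a small Python check that parses the metadata file written with --out and confirms the fields an IdP will trust: the entity ID, the Assertion Consumer Service URL and the signing certificate. The sample XML, hostname and certificate value are constructed placeholders.

```python
"""Sanity-check SP metadata from elasticsearch-saml-metadata before an IdP
trusts it. Added example; SAMPLE_METADATA is a constructed stand-in for --out."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample; host, entity ID and certificate are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://kibana.example.com/">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://kibana.example.com/api/security/saml/callback"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_sp_metadata(xml_text, expected_acs_host):
    """Extract the fields the IdP will rely on and flag anything that should
    be fixed in the realm config before the metadata is exchanged."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs_urls = [a.get("Location", "")
                for a in sp.findall("md:AssertionConsumerService", NS)]
    # A KeyDescriptor without 'use' covers both signing and encryption.
    certs = [c.text.strip() for kd in sp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS) if c.text]
    problems = []
    if not root.get("entityID"):
        problems.append("missing entityID")
    if sp.get("WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned is not true")
    for url in acs_urls:
        p = urlparse(url)
        if p.scheme != "https" or p.hostname != expected_acs_host:
            problems.append("ACS URL not https on expected host: " + url)
    if not certs:
        problems.append("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "acs_urls": acs_urls,
            "signing_certs": len(certs), "problems": problems}
```

Run it against the real file by replacing SAMPLE_METADATA with the contents written via --out and passing the host your IdP will post assertions to.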

CAVEATS

This command requires network connectivity to the Elasticsearch cluster.
The specified --url must be the exact URL that your Identity Provider (IdP) will use to reach Elasticsearch's Assertion Consumer Service.
The --saml-realm must be pre-configured in your elasticsearch.yml file before running this command.
Running this command may require appropriate privileges if the security endpoint is protected by basic authentication (e.g., a user with manage_security or monitor cluster privileges).

HISTORY

The elasticsearch-saml-metadata command was introduced as part of the X-Pack security features in Elasticsearch, enabling robust enterprise-grade authentication through SAML 2.0. Its development paralleled the increasing demand for seamless integration with corporate Identity Providers, simplifying the often complex process of SAML configuration by automating the generation of the Service Provider metadata XML, which is critical for establishing trust between Elasticsearch and an IdP.

SEE ALSO

elasticsearch-certutil(1), elasticsearch-users(1), elasticsearch-setup-passwords(1), bin/elasticsearch(1)
