elasticsearch-saml-metadata
Generate Elasticsearch SAML service provider metadata
TLDR
Generate SAML metadata for a specific realm and print it to stdout
Generate SAML metadata and write it to a specific file
Display help
SYNOPSIS
elasticsearch-saml-metadata --url <url> --cert <path> --key <path> [options]
PARAMETERS
--url
URL of the Elasticsearch SAML metadata endpoint (required, e.g., https://localhost:9200/_security/saml/metadata/myrealm)
--cert
Path to PEM-encoded certificate for signing metadata (required)
--key
Path to PEM-encoded private key for signing metadata (required)
--key-password
Password for decrypting the private key (if encrypted)
--output
File path to write signed metadata XML (default: stdout)
--help
Show help message and exit
--version
Show tool version and exit
DESCRIPTION
The elasticsearch-saml-metadata command is a utility included in Elasticsearch distributions to generate a signed XML metadata document for SAML service provider (SP) configuration. It connects to a running Elasticsearch cluster's SAML metadata endpoint (typically https://host:9200/_security/saml/metadata/<realm_name>), retrieves the unsigned metadata, signs it using a provided PEM-encoded certificate and private key, and outputs the result.
This metadata is essential for configuring SAML integration between Elasticsearch (as SP) and an external identity provider (IdP) such as Okta, Azure AD, or PingFederate. The signature lets the IdP verify the document's origin and integrity; the metadata itself carries the entity ID, the assertion consumer service URLs, and the public certificate the IdP uses for signature validation.
Use cases include initial SAML setup and certificate rotation. The tool requires Elasticsearch security features (formerly X-Pack) to be enabled and a SAML realm to be configured. Output is XML, written to stdout by default or to a file, ready for upload to the IdP.
CAVEATS
Requires a running Elasticsearch instance with security enabled and a SAML realm configured. The metadata endpoint must be reachable from where the tool runs (usually over HTTPS). The certificate and key must match the Elasticsearch realm configuration, or the IdP will not trust messages from the SP. The tool does not generate IdP metadata.
EXAMPLE USAGE
bin/elasticsearch-saml-metadata --url https://es.example.com:9200/_security/saml/metadata/default --cert /etc/elasticsearch/certs/sp.crt --key /etc/elasticsearch/certs/sp.key --output sp-metadata.xml
This fetches the metadata of the 'default' realm, signs it with sp.crt and sp.key, and writes the result to sp-metadata.xml.
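A post-generation check on the XML the tool writes, added here as an example and not part of Elasticsearch or this tool: it parses the SP metadata, confirms a signature is present, and reports the entity ID, ACS endpoints and SHA-256 fingerprints of the published certificate so they can be compared with the realm's signing certificate before the file goes to the IdP. The embedded sample document, its certificate bytes and signature value are constructed, and the entityID and ACS Location in it are assumed values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins (a real --output file carries a DER certificate and a real signature);
# the entityID and ACS Location in the sample are assumed values, not produced by the tool.
FAKE_CERT_DER = b"constructed-cert-der-bytes"
SIGNATURE_XML = "<ds:Signature><ds:SignatureValue>ZmFrZQ==</ds:SignatureValue></ds:Signature>"
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://es.example.com:9200/">
  {SIGNATURE_XML}
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://es.example.com:9200/_security/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_sp_metadata(xml_text: str) -> dict:
    """Pull out what the IdP admin needs: entityID, ACS endpoints, published certificate(s)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or sp is None:
        raise ValueError("not SAML service-provider metadata")
    certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "signed": root.find("ds:Signature", NS) is not None,
        "acs": [(e.get("Binding"), e.get("Location")) for e in sp.findall("md:AssertionConsumerService", NS)],
        # SHA-256 over the DER bytes, comparable with `openssl x509 -noout -fingerprint -sha256`
        "cert_sha256": [hashlib.sha256(base64.b64decode(c.text.strip())).hexdigest() for c in certs if c.text],
    }


def check_sp_metadata(xml_text: str, expected_entity_id: str) -> list:
    # Returns the problems found; an empty list means the file is ready to hand to the IdP.
    info = inspect_sp_metadata(xml_text)
    problems = []
    if info["entity_id"] != expected_entity_id:
        problems.append(f"entityID is {info['entity_id']!r}, expected {expected_entity_id!r}")
    if not info["signed"]:
        problems.append("metadata is unsigned; the IdP cannot verify its origin")
    if not info["cert_sha256"]:
        problems.append("no signing certificate published for the SP")
    for binding, location in info["acs"] or [(None, "")]:
        if not location.startswith("https://"):
            problems.append(f"ACS {location!r} ({binding}) is missing or not HTTPS")
    return problems
```

Run it against the file from --output with the realm's expected entity ID, and compare the reported fingerprint with the certificate passed to --cert.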
DIRECT ENDPOINT ALTERNATIVE
Unsigned metadata can be fetched directly with curl from https://host:9200/_security/saml/metadata/realm, but producing the signed document that production IdP configurations expect requires this tool.
HISTORY
Introduced in Elasticsearch 6.3 with X-Pack SAML support; path changed to /_security/ in 8.x. Enhanced for better key handling in later versions.