Use azure active directory with NEST/Elasticsearch.net

Hi Tim,

Thanks for responding!

I do have a follow-up question on point 2 but first, let me explain how point 1 works in our case -

  • When a user accesses your application they would authenticate against AzureAD as normal
    We are using C# and Angular on the front end and we would be using MSAL libraries to authenticate our users. For authentication, we are opening the Microsoft Authentication page for users so that they can use their Azure AD credentials to authenticate themselves.

  • Then, you would use the Elasticsearch APIs to perform an additional authentication against an Elasticsearch SAML realm with Elasticsearch as the service provider and AzureAD as the Identity Provider.
    When you say we would need to use the Elasticsearch APIs to perform an additional authentication, do you mean we will have to redirect the user to the Microsoft Authentication page again?

When I use a service account to prepare my realm for user authentication and execute the request below, it returns a redirect URL, and the documentation says we need to redirect our application to this URL for authentication to happen.

POST /_security/oidc/prepare
{
  "realm" : "oidc1"
}

{
  "redirect" : "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?scope=openid+email&response_type=code&redirect_uri=https://xyz.azure.elastic.bain.com%3A9243%2Fapi%2Fsecurity%2Foidc%2Fcallback&state=zoTG-Iaj20hS9ag3TbRlae6woNtPv5mE1Elku6q5UVg&nonce=Y-BkrE2IE2LZ5MgKzKJZIZENrWdDAMty1DlHPk7bV5w&client_id={client_id}",
  "state" : "zoTG-Iaj20hS9ag3TbRlae6woNtPv5mE1Elku6q5UVg",
  "nonce" : "Y-BkrE2IE2LZ5MgKzKJZIZENrWdDAMty1DlHPk7bV5w",
  "realm" : "oidc1"
}

You see, we have already redirected our users (on point 1) to authenticate themselves and if we follow this documentation we would have to redirect the users again. It would not be a very good user experience if we ask them to authenticate themselves twice for the same application.

Is there a way to authenticate users against the elastic realm without redirecting them again to the Microsoft authentication page as we have already authenticated the user (in point 1)?

Thanks in advance!
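The prepare/authenticate exchange the post is asking about, as an added example that is not part of this thread and not Elastic's or the poster's code. It is written in Python rather than the C#/NEST the poster uses, and it assumes the documented body of POST /_security/oidc/authenticate (redirect_uri, state, nonce, realm); the tenant id, client id, callback host, state, nonce and authorization code are constructed placeholders. It shows the two checks a relying application should do around the prepare response: store state and nonce server-side after confirming they match the redirect URL, and refuse to forward a callback whose state is not the stored one.

```python
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Constructed sample in the shape of the /_security/oidc/prepare response
# quoted in the post; tenant, client id, state and nonce are placeholders.
PREPARE_RESPONSE = json.loads("""
{
  "redirect": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?scope=openid+email&response_type=code&redirect_uri=https://es.example.invalid%3A9243%2Fapi%2Fsecurity%2Foidc%2Fcallback&state=STATE_A&nonce=NONCE_A&client_id=CLIENT_ID",
  "state": "STATE_A",
  "nonce": "NONCE_A",
  "realm": "oidc1"
}
""")


def _single(params, name):
    """Return the single value of a query parameter; reject absent or duplicated ones."""
    values = params.get(name, [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one '{name}' parameter, got {len(values)}")
    return values[0]


def record_prepare_response(resp):
    """Validate a prepare response and return what must be stored server-side.

    The state and nonce inside the redirect URL must equal the top-level
    fields, because those are the values Elasticsearch later compares with
    the IdP callback. Keeping them in the user's server-side session (never
    accepting them from the browser) binds the callback to this login attempt.
    """
    url = urlparse(resp["redirect"])
    params = parse_qs(url.query, keep_blank_values=True)
    if _single(params, "state") != resp["state"]:
        raise ValueError("state in redirect URL does not match response field")
    if _single(params, "nonce") != resp["nonce"]:
        raise ValueError("nonce in redirect URL does not match response field")
    return {
        "realm": resp["realm"],
        "state": resp["state"],
        "nonce": resp["nonce"],
        "redirect_uri": _single(params, "redirect_uri"),  # percent-decoded by parse_qs
    }


def build_authenticate_body(stored, callback_url):
    """Build the body for POST /_security/oidc/authenticate from the IdP callback.

    `callback_url` is the full URL the IdP sent the browser back to, query
    string included; Elasticsearch extracts the authorization code from it.
    The callback must land on the registered redirect URI and carry the stored
    state (constant-time compare) before anything is forwarded, which blocks a
    forged or replayed completion of someone else's login.
    """
    url = urlparse(callback_url)
    params = parse_qs(url.query, keep_blank_values=True)
    base = url._replace(query="", fragment="").geturl()
    if base != stored["redirect_uri"]:
        raise ValueError("callback arrived at an unexpected URI")
    if not hmac.compare_digest(_single(params, "state"), stored["state"]):
        raise ValueError("state mismatch: callback is not bound to this login")
    if "error" in params:
        raise ValueError(f"IdP returned an error: {_single(params, 'error')}")
    _single(params, "code")  # the code must be present; Elasticsearch redeems it
    return {
        "redirect_uri": callback_url,
        "state": stored["state"],
        "nonce": stored["nonce"],
        "realm": stored["realm"],
    }
```

In use, `record_prepare_response` runs when the application calls the prepare API and the result is stored in the user's session; `build_authenticate_body` runs in the callback handler, and only a body it returns is sent to Elasticsearch, whose response then carries the access token for the user.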