
Support additional SAML flow failure information #128179

@jeramysoucy

Description


Prerequisite of elastic/kibana#218925

Overview

We want to differentiate the case where an SP-initiated SAML login produces a response that is missing the intermediate cookie. This scenario occurs due to lax-allowing-unsafe mode (docs) when the user is stuck at, or stays at, the IdP for more than 2 minutes. This exceeds the time limit, so the browser will not include the cookie in the final POST request to the SAML callback endpoint. This scenario manifests in the ES logs as:
Provided SAML response is not valid for realm saml/xxx (Caused by org.elasticsearch.ElasticsearchSecurityException: SAML content is in-response-to [_xxxxxxx] but expected one of [])

Request

The ask is to expose specific failure information to Kibana in this circumstance via a new field in the SAML callback JSON response.

Additional notes

Paraphrased from Oleg...
Does ES ignore any request IDs we pass for SAML responses that are results of an IdP-initiated login and don't have any request IDs associated with them?
If so, we'd need just one error code since this code can only be returned for SAML responses that were generated during an SP-initiated flow. In that scenario, either Kibana didn't provide any request IDs or it provided some, but none of them matched what was in the SAML response. We could then distinguish these two cases internally since we know whether we sent any request IDs or not.

Initially, we thought we might need two separate codes - one for a missing ID when it's required, and another for an ID mismatch when an ID is required and the client provided some, but none of them matched. However, if it's only relevant to the SP-initiated flows, then we can also distinguish these cases on our end.
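The distinction discussed above (the client knows whether it sent any request IDs, so one error code from ES is enough) can be made on the service-provider side. The following is an added example, not Elasticsearch or Kibana code: it parses the in-response-to detail out of the ES error text quoted in this issue and classifies the failure as "intermediate cookie missing" (no request IDs were sent) versus "request ID mismatch" (IDs were sent but none matched). The function names, the result shape and the sample messages are constructed for this example; only the message format comes from the log line above.

```typescript
// Added example (not Elasticsearch or Kibana code). Models how the SP side can
// tell "intermediate cookie missing" apart from "request ID mismatch" once it
// knows which request IDs it sent. Message format follows the ES log line
// quoted in the issue; everything else here is assumed.

export type SamlCallbackFailure =
  | { kind: 'ok' }
  | { kind: 'missing-request-ids'; inResponseTo: string }
  | { kind: 'request-id-mismatch'; inResponseTo: string; sent: string[] }
  | { kind: 'unexpected'; reason: string };

export interface InResponseToDetail {
  inResponseTo: string;
  expected: string[];
}

// Matches the "Caused by" detail from the ES log line, e.g.
//   SAML content is in-response-to [_xxxxxxx] but expected one of []
const IN_RESPONSE_TO_RE =
  /SAML content is in-response-to \[([^\]]*)\] but expected one of \[([^\]]*)\]/;

/** Extract the in-response-to value and the expected-ID list from the ES error text. */
export function parseInResponseToDetail(message: string): InResponseToDetail | null {
  const m = IN_RESPONSE_TO_RE.exec(message);
  if (m === null) return null;
  const inResponseTo = m[1] ?? '';
  const list = (m[2] ?? '').trim();
  // Java renders an empty list as [] and a non-empty one as [a, b].
  const expected = list === '' ? [] : list.split(',').map((s) => s.trim());
  return { inResponseTo, expected };
}

/**
 * Classify the callback outcome.
 * `sentRequestIds`: the IDs the SP recovered from its intermediate cookie
 *   (empty when the cookie did not arrive with the POST).
 * `esMessage`: the ES error text, or null when ES accepted the response.
 */
export function classifySamlCallback(
  sentRequestIds: string[],
  esMessage: string | null,
): SamlCallbackFailure {
  if (esMessage === null) return { kind: 'ok' };
  const detail = parseInResponseToDetail(esMessage);
  if (detail === null) return { kind: 'unexpected', reason: esMessage };
  // Sanity check: the IDs ES says it expected must be exactly the ones we sent;
  // anything else means the two sides disagree about the request and should
  // be surfaced rather than silently mapped to one of the two known cases.
  const sameSet =
    detail.expected.length === sentRequestIds.length &&
    detail.expected.every((id) => sentRequestIds.includes(id));
  if (!sameSet) {
    return { kind: 'unexpected', reason: 'expected list does not match the IDs the SP sent' };
  }
  if (sentRequestIds.length === 0) {
    // No IDs reached ES: the intermediate cookie was not included in the POST.
    return { kind: 'missing-request-ids', inResponseTo: detail.inResponseTo };
  }
  // IDs were sent, but the response answers a request we did not issue.
  return { kind: 'request-id-mismatch', inResponseTo: detail.inResponseTo, sent: sentRequestIds };
}

// Constructed sample messages for a stand-alone run.
export const SAMPLE_COOKIE_MISSING =
  'Provided SAML response is not valid for realm saml/xxx (Caused by ' +
  'org.elasticsearch.ElasticsearchSecurityException: SAML content is ' +
  'in-response-to [_xxxxxxx] but expected one of [])';
export const SAMPLE_ID_MISMATCH =
  'Provided SAML response is not valid for realm saml/xxx (Caused by ' +
  'org.elasticsearch.ElasticsearchSecurityException: SAML content is ' +
  'in-response-to [_r3] but expected one of [_r1, _r2])';

console.log(classifySamlCallback([], SAMPLE_COOKIE_MISSING).kind);            // missing-request-ids
console.log(classifySamlCallback(['_r1', '_r2'], SAMPLE_ID_MISMATCH).kind);  // request-id-mismatch
```

The sanity check on the expected list is the part worth keeping even if ES adds a dedicated error field: it lets the SP detect a disagreement between what it believes it sent and what ES actually received, instead of collapsing every in-response-to failure into one of the two expected buckets.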
