Log Users Out of SAML Identity Providers

Single Logout (SLO) is a feature that allows a user to terminate multiple authentication sessions by performing a single logout action.

Auth0 supports SLO when you connect your application to a SAML Identity Provider (IdP) and supports limited SLO when you configure Auth0 as a SAML IdP.

Configure SLO when application is connected to a SAML IdP

If you’d like Auth0 to log a user out of their identity provider, include the federated parameter when you call the Auth0 Authentication API Logout endpoint.

You may need to configure additional settings for the SAML connection to ensure that Auth0 sends the logout request to the SAML IdP's logout endpoint:

  1. Go to Auth0 Dashboard > Authentication > Enterprise > SAML and select your connection.

  2. Toggle on Enable Sign Out.

  3. Enter the SAML Logout URL provided by the SAML IdP in the Sign Out URL field. If you leave this field blank, Auth0 will default to the URL in the Sign In URL field.

  4. Confirm that the value in the Protocol Binding field matches the protocol binding expected by the SAML IdP.

Configure SLO when Auth0 is the SAML IdP

When Auth0 is the SAML IdP, there are two logout scenarios to consider:

  • Application-initiated

  • IdP-initiated

For both scenarios, you must configure the SAML2 Web App addon to know where to send logout responses:

  1. Go to Auth0 Dashboard > Applications > Applications and select your application.

  2. Navigate to the Addons tab and select SAML2 Web App.

  3. Go to the Settings tab.

  4. Locate the Settings box and add (or update) the logout object with the following properties:

    • callback: Enter the SLO URL of the application.

    • slo_enabled: Enter true if you would like to enable IdP-initiated SLO in which Auth0 sends a SAML logout request to the application when the user logs out of the Auth0 SAML IdP. Otherwise, enter false.

      {
        "logout": {
          "callback": "https://myapp.exampleco.com/saml/logout",
          "slo_enabled": true
        }
      }

      Was this helpful?

      /

By default, Auth0 sends SAML logout responses with the HTTP-POST protocol binding. If your application expects the HTTP-Redirect protocol binding, add (or update) the binding property like so:

{
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
}

Was this helpful?

/

Application-initiated logout

When the user initiates logout from an application, it must send a request to the Authentication API SAML Logout endpoint to trigger SLO.

If your application does not support SLO but does support a redirect URL to send the user to after logout, set the redirect URL to the Authentication API OIDC Logout endpoint (or the Authentication API Auth0 Logout endpoint if you're using legacy logout). Auth0 won't notify other session participants that a logout was initiated, but we will remove the user’s Auth0 session.

IdP-initiated logout

When a user initiates logout from an Auth0 SAML IdP, Auth0 sends a SAML logout response to the URL in the logout.callback property within the SAML2 Web App addon’s Settings. You can only specify a single URL for this property.

Due to this constraint, Auth0 does not natively support the scenario where a user needs to be signed out of multiple applications connected to your Auth0 SAML IdP.

You can achieve functionality similar to SLO by configuring your applications to regularly check the status of the user’s Auth0 session and terminate the application session accordingly. To learn more, read about Session Lifetime Limits.

Learn more