Log Users Out of Applications

Enterprise users typically have Single Sign-on (SSO) enabled for multiple applications (e.g., SharePoint, a few .NET applications, a few Java applications, Zendesk). In this case, when users sign out, they often must be signed out of all of their applications.

The Auth0 RP-initiated logout endpoint works in one of two ways:

  • Invalidates the Single Sign-on (SSO) cookie in Auth0. (The cookie still remains in the browser.)

  • Signs the user out from the identity provider (IdP) (such as ADFS or Google).

Redirecting users to the logout endpoint does not cover the scenario where users need to be signed out of all of the applications they used. If you need to provide this functionality, you will have to handle it in one of two ways:

  • Have short timeouts on your local session and redirect to Auth0 at short intervals to re-authenticate. This can be done by calling checkSession from the client, which performs this redirect in a hidden iframe. If you take the hidden iframe approach, you need to be aware of rate limits and third-party cookie issues.

  • Handle this entirely at the application level by providing your applications a way to notify all other applications when a logout occurs.
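The first option, sketched as an added example (not Auth0's own code): a short-lived local session that is re-validated against the SSO session once its timeout passes, with re-checks throttled because of rate limits. `createLocalSession`, `silentCheck`, `ttlMs` and `minGapMs` are hypothetical names; `silentCheck` is assumed to wrap `checkSession`, and the demo uses a constructed fake in its place.

```javascript
// Added example, not Auth0 code. `silentCheck(cb)` is an assumed wrapper: in a
// browser it would call auth0.js `webAuth.checkSession({}, cb)` (hidden iframe).
function createLocalSession({ silentCheck, ttlMs, minGapMs, now = Date.now }) {
  let expiresAt = 0;            // no local session until a check succeeds
  let lastCheckAt = -Infinity;  // time of the last call to silentCheck
  let checkCount = 0;

  // Calls cb({ active, reason }) once the session state is known.
  function ensureActive(cb) {
    const t = now();
    if (t < expiresAt) return cb({ active: true, reason: "local_session_valid" });
    // Throttle re-checks so a signed-out tab does not hammer the tenant (rate limits).
    if (t - lastCheckAt < minGapMs) return cb({ active: false, reason: "throttled" });
    lastCheckAt = t;
    checkCount += 1;
    silentCheck((err, result) => {
      if (err) {
        // Fail closed: `login_required` means the SSO session is gone (logout
        // elsewhere); any other error also ends the local session.
        expiresAt = 0;
        return cb({ active: false, reason: err.error || "check_failed" });
      }
      expiresAt = now() + ttlMs;
      cb({ active: true, reason: "revalidated", tokens: result });
    });
  }

  return { ensureActive, checks: () => checkCount };
}

// Constructed demo: a fake SSO session that another application terminates.
function demo() {
  let clock = 0;
  let ssoAlive = true;
  const fakeCheck = (cb) =>
    ssoAlive ? cb(null, { idToken: "constructed" }) : cb({ error: "login_required" });
  const s = createLocalSession({ silentCheck: fakeCheck, ttlMs: 60000, minGapMs: 10000, now: () => clock });
  const seen = [];
  const step = (ms) => { clock += ms; s.ensureActive((r) => seen.push(r.reason)); };
  step(0);          // first request: silent check succeeds
  step(30000);      // within the timeout: no call to Auth0
  ssoAlive = false; // user signs out from another application
  step(10000);      // still within the timeout: logout not yet noticed
  step(30000);      // timeout passed: check fails, local session ends
  step(1000);       // immediate retry is throttled
  return { seen, checks: s.checks() };
}
```

The local timeout is the upper bound on how long a logout in another application goes unnoticed, so it has to be weighed against how often each client calls Auth0.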

If you are using the alternative logout endpoint, review the API documentation.
