> Describes how to log users out of an external SAML identity provider.

# Log Users Out of SAML Identity Providers

Single Logout (SLO) is a feature that allows a user to terminate multiple authentication sessions by performing a single logout action.

Auth0 supports SLO when you [connect your application to a SAML Identity Provider (IdP)](/docs/authenticate/identity-providers/enterprise-identity-providers/saml) and supports limited SLO when you [configure Auth0 as a SAML IdP](/docs/authenticate/single-sign-on/outbound-single-sign-on/configure-auth0-saml-identity-provider).

## Configure SLO when application is connected to a SAML IdP

If you’d like Auth0 to [log a user out of their identity provider](/docs/authenticate/login/logout/log-users-out-of-idps), include the `federated` parameter when you call the [Auth0 Authentication API Logout endpoint](https://auth0.com/docs/api/authentication#logout).

You may need to configure additional settings for the SAML connection to ensure that Auth0 sends the logout request to the SAML IdP's logout endpoint:

1. Go to [Auth0 Dashboard > Authentication > Enterprise > SAML](https://manage.auth0.com/#/connections/enterprise/samlp) and select your connection.
2. Toggle on **Enable Sign Out**.
3. Enter the SAML Logout URL provided by the SAML IdP in the **Sign Out URL** field. If you leave this field blank, Auth0 will default to the URL in the **Sign In URL** field.
4. Confirm that the value in the **Protocol Binding** field matches the protocol binding expected by the SAML IdP.

## Configure SLO when Auth0 is the SAML IdP

When Auth0 is the SAML IdP, there are two logout scenarios to consider:

* Application-initiated
* IdP-initiated

For both scenarios, you must [configure the SAML2 Web App addon](/docs/authenticate/protocols/saml/saml-sso-integrations/enable-saml2-web-app-addon) so that Auth0 knows where to send logout responses:

1. Go to [Auth0 Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and select your application.
2. Navigate to the **Addons** tab and select **SAML2 Web App**.
3. Go to the **Settings** tab.
4. Locate the **Settings** box and add (or update) the `logout` object with the following properties:

   * `callback`: Enter the SLO URL of the application.
   * `slo_enabled`: Enter `true` if you would like to enable IdP-initiated SLO in which Auth0 sends a SAML logout request to the application when the user logs out of the Auth0 SAML IdP. Otherwise, enter `false`.

     ```json
     {
       "logout": {
         "callback": "https://myapp.exampleco.com/saml/logout",
         "slo_enabled": true
       }
     }
     ```

By default, Auth0 sends SAML logout responses with the `HTTP-POST` protocol binding. If your application expects the `HTTP-Redirect` protocol binding, add (or update) the `binding` property like so:

```json
{
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
}
```

### Application-initiated logout

When the user initiates logout from an application, the application must send a request to the Authentication API [SAML Logout endpoint](https://auth0.com/docs/api/authentication#saml-logout) to trigger SLO.

If your application does not support SLO but does support a redirect URL to send the user to after logout, set the redirect URL to the Authentication API [OIDC Logout endpoint](https://auth0.com/docs/api/authentication#oidc-logout) (or the Authentication API [Auth0 Logout endpoint](https://auth0.com/docs/api/authentication#auth0-logout) if you're using legacy logout). Auth0 won't notify other session participants that a logout was initiated, but we will remove the user’s [Auth0 session](/docs/manage-users/sessions/session-layers).

### IdP-initiated logout

When a user initiates logout from an Auth0 SAML IdP, Auth0 sends a SAML logout response to the URL in the `logout.callback` property within the SAML2 Web App addon’s Settings. You can only specify a single URL for this property.

Due to this constraint, Auth0 does not natively support the scenario where a user needs to be signed out of multiple applications connected to your Auth0 SAML IdP.

You can achieve functionality similar to SLO by configuring your applications to regularly check the status of the user’s Auth0 session and terminate the application session accordingly. To learn more, read about [Session Lifetime Limits](/docs/manage-users/sessions/session-lifetime-limits).
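The following is an added example, not Auth0's code, of how an application could decode and sanity-check the logout message that arrives at its `logout.callback` URL under either protocol binding named in the addon settings above. The function names, the size cap and the sample issuer and ID are assumptions; XML signature verification is not shown and is still required before the message is trusted.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML = 64 * 1024  # assumed size cap for a decoded logout message


def decode_message(value, binding):
    """Decode an already URL-decoded SAMLRequest/SAMLResponse value to XML bytes."""
    raw = base64.b64decode(value, validate=True)
    if binding == REDIRECT:
        # HTTP-Redirect is raw DEFLATE under the base64; cap the inflated size.
        raw = zlib.decompressobj(-15).decompress(raw, MAX_XML + 1)
    elif binding != POST:
        raise ValueError("unsupported binding")
    if len(raw) > MAX_XML or b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("oversized message or DTD present")
    return raw


def check_logout_message(xml_bytes, callback, issuer):
    """Check envelope fields only; signature verification is not done here."""
    root = ET.fromstring(xml_bytes)
    kind = root.tag.removeprefix("{%s}" % NS["samlp"])
    if kind not in ("LogoutRequest", "LogoutResponse"):
        raise ValueError("not a SAML logout message")
    if root.get("Destination") != callback:
        raise ValueError("Destination does not match logout.callback")
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("unexpected Issuer")
    if kind == "LogoutResponse":
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or not code.get("Value", "").endswith(":Success"):
            raise ValueError("logout did not succeed")
    return kind, root.get("ID")


# Constructed sample: not captured from Auth0; issuer and ID are made up.
SAMPLE = (
    b'<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    b' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1"'
    b' Version="2.0" Destination="https://myapp.exampleco.com/saml/logout">'
    b'<saml:Issuer>urn:idp.example.test</saml:Issuer><samlp:Status>'
    b'<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    b'</samlp:Status></samlp:LogoutResponse>')
```

Pass the binding your addon is configured for, not one taken from the request, so a sender cannot choose how the message is decoded.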

## Learn more

* [Log Users Out of Applications](/docs/authenticate/login/logout/log-users-out-of-applications)
* [Log Users Out of Auth0 with OIDC Endpoint](/docs/authenticate/login/logout/log-users-out-of-auth0)
* [Log Users Out of Identity Providers](/docs/authenticate/login/logout/log-users-out-of-idps)
* [Redirect Users with Alternative Logout](/docs/authenticate/login/logout/redirect-users-after-logout)
