Universal Logout

Auth0 supports Universal Logout integrations with Okta Workforce Identity Cloud, which logs users out of applications when an administrative or security event occurs.

Universal Logout implements the Global Token Revocation specification, which goes beyond the established OpenID Connect back-channel logout standards by revoking refresh tokens in addition to user sessions. This comprehensive logout solution spans traditional web applications, single-page applications (SPAs), and native applications that use a mix of refresh tokens, application sessions, and identity provider sessions to get new tokens and keep the user logged in.

If you use the Okta, SAML, or OpenID Connect connection types to federate with Workforce Identity Cloud, you no longer need to build a global token revocation endpoint to work with Okta Universal Logout. You can instead provide Auth0’s connection-specific endpoint URL to the Okta Workforce administrator, and leverage Auth0’s OpenID Connect Back-Channel Logout to terminate application sessions if necessary.

The Auth0 global token revocation endpoint follows the profile documented at Build Logout for your app. It uses the iss_sub format to identify users in the logout request, and uses the following URL format:

https://{yourDomain}/oauth/global-token-revocation/connection/{yourConnectionName}

When Auth0 receives a request to log out a user, it validates the request using the same key set used to validate ID tokens or SAML assertions issued from Okta Workforce Identity Cloud. It then terminates all Auth0 sessions for the user, revokes Auth0-issued refresh tokens, and, if configured, triggers OpenID Connect Back-Channel Logout to revoke application sessions.

The time it takes for an application user to lose access depends on the application's type and how it is integrated with Auth0. Auth0 supports a wide range of application architectures via support for the OIDC and OAuth 2.0 identity standards and Auth0's Quickstarts and SDKs. This includes:

• Traditional Web applications that create their own application sessions may use refresh tokens and access tokens to access APIs through a secure backend.

• Browser-based JavaScript applications that leverage the Auth0 session layer or use techniques like refresh token rotation to get access tokens needed to access APIs within a Web browser.

• Native or Mobile applications that don’t run in a Web browser and use refresh tokens and access tokens as the primary method of keeping users signed in.

Applications using refresh tokens or leveraging Auth0 sessions get the following security benefits when the Universal Logout integration is enabled:

• For browser-based apps leveraging the Auth0 session, the user loses access the next time the application polls the Auth0 session, and Auth0 prompts the user to sign in again when redirected

• For apps that use refresh tokens, the user loses access as soon as their current access token expires, which ranges from a few seconds up to the maximum access token lifetime configured in Auth0.

For sessions created by web applications, you should use Auth0’s existing OpenID Connect Back-Channel Logout feature to terminate those sessions when Universal Logout terminates the Auth0 user session. To learn more, read the Auth0 SDK implementation examples.

Configure Universal Logout by the Auth0 connection type.

1. Connect your Auth0 tenant to Okta Workforce Identity Cloud.

2. In Auth0 Dashboard, navigate to Authentication > Enterprise > Okta Workforce. Select your connection and choose Settings.

3. Copy the Revocation Endpoint URL you will provide to the Okta Workforce administrator.

1. In Auth0 Dashboard, navigate to Authentication > Enterprise > OpenID Connect. Select your connection and choose Settings.

2. Copy the Revocation Endpoint URL you will provide to the Okta Workforce administrator.

1. Configure Okta as a SAML identity provider.

2. In Auth0 Dashboard, navigate to Authentication > Enterprise > SAML. Select your connection and choose Settings.

3. For Subject, enter the Application ID of the SAML application registered in Okta Workforce Identity Cloud. Example: 0oagcc12354688xxxx. To learn more, read How to Obtain an Application ID.

4. For Issuer, navigate to the registered SAML application in the Okta Workforce Identity Cloud organization and copy the issuer URI.

   To retrieve this value, WIC admins can navigate to the Applications > Applications > [Application] > Authentication > Sign-on settings > Sign-on methods > SAML 2.0 > More details section of the Okta portal.

5. Copy the Revocation Endpoint URL, which you will provide to the Okta Workforce administrator.

Configure Universal Logout in Okta Workforce Identity Cloud to send logout signals to the application using the Auth0 connection. This must be performed by an Okta administrator.

You need:

• An Okta Workforce Identity Cloud organization with Identity Threat Protection enabled, or a free trial.

• Early access to Universal Logout for Generic SAML and OIDC apps must be enabled for your Okta Workforce Identity Cloud organization. To learn more, read Configure Universal Logout for supported apps.

Enable Universal Logout in an Okta Workforce organization for the Auth0 connection.

1. In the Okta portal, select Applications > Applications.

2. Select the application you registered for the Auth0 integration.

3. Under the General tab, select Logout > Edit.

   

4. Choose Okta system or admin initiates logout.

5. Enter the URL copied from Auth0 in Logout Endpoint URL.

6. Select Issuer and Subject Identifier as the Subject Format.

7. Select Save.

Test Universal Logout in Okta Workforce Identity Cloud by revoking the sessions for a selected user.

1. In the Okta portal, select Directory > People.

2. Select a user that is signed into an Auth0 application.

3. Select More Actions > Clear User Sessions.

   

4. In the dialog, select Also include logout enabled apps and Okta API tokens.

5. Select Clear and Revoke.

Auth0 tenant administrators can view the status and details of each Universal Logout request Auth0 receives in Auth0 Dashboard > Monitoring > Logs. The emitted log event types for Universal Logout are documented in Log Event Type Codes.

You can also integrate with Custom Log Streams to notify external systems when Universal Logout events occur.

You can also use the Management API to configure Universal Logout programatically. This is useful for automating configurations or building your own configuration outside of the Auth0 Dashboard.

For Okta Workforce and OpenID Connections, no input into the Management API is required, as only the Auth0 global token revocation endpoint needs to be presented to the Okta Workforce administrator.

For SAML connections, in addition to sharing the endpoint URL, Universal Logout must be configured by setting these attributes on the connection object:

• options.global_token_revocation_jwt_iss - The issuer ID of the SAML application registered in Okta Workforce Identity Cloud. Example value: http://www.okta.com/exkhwkmkwhZUnuA6xxxx.

• options.global_token_revocation_jwt_sub - The application ID of the SAML application registered in Okta Workforce Identity Cloud. Example value: 0oagcc12354688xxxx.

You can use these attributes in Management API calls to update or create SAML connections. Review the following JSON example to create a request:

{
	"strategy": "samlp",
  	"name": "CONNECTION_NAME",
  	"options": {
    	"global_token_revocation_jwt_iss": "ISS_VALUE", 
     	"global_token_revocation_jwt_sub":  "SUB_VALUE",
    	"signInEndpoint": "SIGN_IN_ENDPOINT_URL",
    	"signOutEndpoint": "SIGN_OUT_ENDPOINT_URL",
    	"signatureAlgorithm": "rsa-sha256",
    	"digestAlgorithm": "sha256",
    	"fieldsMap": {
     		...
    	},
    	"signingCert": "BASE64_SIGNING_CERT"
  	}
}

To learn more, read Create an Enterprise connection using the Management API.