Log Users Out of Identity Providers

Although this is not common practice, you can force the user to log out of their identity provider. For many providers, Auth0 supports this when you add the federated query string parameter to the redirect to the Logout endpoint. The user is then redirected to their identity provider and logged out there as well.

To do this, add a federated query string parameter to the logout URL:



  • No validation is performed on any URL provided as a value to the returnTo parameter, nor any query string or hash information provided as part of the URL.

  • The behavior of federated logouts with social providers is inconsistent. Each provider will handle the returnTo parameter differently and for some, it will not work. Please check your social provider's settings to determine how it will behave.

  • If you are working with social identity providers such as Google or Facebook, you must set your Client ID and Secret for these providers in the Dashboard for the logout to function properly.

  • If you are an Auth0 Enterprise user, you will typically have SSO enabled for multiple applications, for example, SharePoint, a few .NET applications, a few Java applications, Zendesk, etc. In this case, it's very common that when users sign out, this needs to happen for all of their applications.
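Because the returnTo value and its query string or hash are not validated for you, the application should pin returnTo to exact values before it builds the redirect. The following is an added example, not code from the original page or from Auth0: the tenant domain, client ID, allow-list entries and the session object are placeholders, and /v2/logout with client_id is the path and parameter of Auth0's Logout endpoint.

```javascript
// Added example: all names and values below are placeholders or hypothetical.
const AUTH0_DOMAIN = "example-tenant.auth0.com"; // placeholder tenant domain
const CLIENT_ID = "EXAMPLE_CLIENT_ID";           // placeholder client ID

// Exact post-logout landing pages this application accepts (constructed values).
const ALLOWED_RETURN_TO = new Set([
  "https://app.example.com/signed-out",
  "https://app.example.com/",
]);

// Accept a returnTo only when it is an exact allow-list entry with no
// query string or fragment, since those parts are not validated upstream.
function safeReturnTo(candidate, fallback = "https://app.example.com/") {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return fallback; // relative or unparsable input
  }
  if (url.protocol !== "https:" || url.username || url.password) return fallback;
  if (url.search || url.hash) return fallback;
  const normalized = url.origin + url.pathname;
  return ALLOWED_RETURN_TO.has(normalized) ? normalized : fallback;
}

// Build the redirect to the Logout endpoint; `federated` is sent as a bare flag.
function buildLogoutUrl(requestedReturnTo, { federated = false } = {}) {
  const params = new URLSearchParams({
    client_id: CLIENT_ID,
    returnTo: safeReturnTo(requestedReturnTo),
  });
  const flag = federated ? "federated&" : "";
  return `https://${AUTH0_DOMAIN}/v2/logout?${flag}${params}`;
}

// Clear the application's own session first, then hand back the redirect URL.
// `session` is a hypothetical server-side session object exposing destroy().
function logout(session, requestedReturnTo, opts) {
  session.destroy();
  return buildLogoutUrl(requestedReturnTo, opts);
}
```

Any requested returnTo that is not an exact allow-list match falls back to the application's default landing page instead of being passed through.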

Federated logout support

The following identity providers support federated logout:

  • Evernote

  • Facebook

  • Fitbit

  • GitHub

  • Google

    • Apps

    • OAuth 2.0

  • Microsoft

    • Active Directory Federation Services

    • Office 365

    • Windows Azure Active Directory

    • Windows Live

  • Salesforce/Salesforce Sandbox

  • Twitter

  • Yahoo

  • Yammer

Clear application session

The Auth0 Logout endpoint logs you out from Auth0 and, optionally, from your identity provider. It does not log you out of your application! This is something that you must implement on your side. You need to log out the user from your application by clearing their session.
