Docs

Log Users Out of SAML Identity Providers

To logout users from an external SAML identity provider, you must configure a SAML logout URL in the SAML connection settings. If you don't configure a logout URL, Auth0 will use the SAML login URL.

Auth0 will initiate a logout by sending a SAML logout request to the external identity provider if the federated query string parameter is included when redirecting the user to the logout endpoint.

The external SAML identity provider will need to know where to send SAML logout requests (if initiating the logout) and responses. The SingleLogout service URL that will consume this SAML messages is the following:

When viewing the logout metadata for your Auth0 Connection, you will notice two SingleLogoutService bindings with the above URL.

  • SAML Request Binding (also known as the Protocol Binding): Used for the transaction from Auth0 to the IdP. If the IdP provides a choice, select HTTP-Redirect.

  • SAML Response Binding: Used for transactions from the IdP to Auth0. It indicates to Auth0 what protocol the IdP will use to respond. If the IdP provides a choice, indicate that HTTP-POST should be used for Authentication Assertions.

Unable to Logout Using a SAML Identity Provider

When logging in (with Auth0 as the SAML Service Provider), the SAML identity provider uniquely identifies the user's session with a SessionIndex attribute in the AuthnStatement element of the SAML assertion. The SessionIndex value must be used again when the user logs out.

Occasionally, the SessionIndex value may not be present in the initial login assertion. When the user logs out, the request to the SAML identity provider will fail due to the missing value.

In these cases, Auth0 may not be able to complete a logout request to the SAML identity provider even if the logout URL has been configured correctly.

Keep reading