Log Users Out of SAML Identity Providers

When integrating with a SAML identity provider, there are many ways to implement logout or user session termination. SAML logout is configured differently depending on whether Auth0 acts as the service provider (using a SAML connection) or acts as the identity provider (when you have an application with the SAML2 Web App addon) or both.

When Auth0 is acting as a SAML IdP, you can have the following two scenarios:

  • Single logout

  • Non-single logout

To log users out of an external SAML identity provider, you must configure a SAML logout URL in the SAML connection settings. If you don't configure a logout URL, Auth0 will use the SAML login URL.

Auth0 will initiate a logout by sending a SAML logout request to the external identity provider if the federated query string parameter is included when redirecting the user to the Logout endpoint.

The external SAML identity provider will need to know where to send SAML logout requests (if it initiates the logout) and logout responses. The SingleLogout service URL that consumes these SAML messages is the following:

https://YOUR_DOMAIN/logout

When viewing the logout metadata for your Auth0 Connection, you will notice two SingleLogoutService bindings with the above URL.

  • SAML Request Binding (also known as the Protocol Binding): Used for the transaction from Auth0 to the IdP. If the IdP provides a choice, select HTTP-Redirect.

  • SAML Response Binding: Used for transactions from the IdP to Auth0. It indicates to Auth0 what protocol the IdP will use to respond. If the IdP provides a choice, indicate that HTTP-POST should be used for Authentication Assertions.

Redirecting users to the Auth0 Logout endpoint does not cover all scenarios where users need to be signed out of all of the applications they use. Other than when Auth0 is using SAML, Auth0 does not natively support single logout (SLO). SLO can be achieved by having each application check the active session after their tokens expire, or you can force log out by terminating your application sessions at the application level.

You can configure Single Logout URLs for SAML that log out of all SAML sessions. Note that Auth0 supports front-channel SAML SLO only; Auth0 does not support back-channel SLO.

Auth0 provides quickstart guides that show you how to implement logout functionality in your specific type of application and provides sample code. These quickstarts support native/mobile apps, single-page apps, and web apps.

SAML single logout scenarios

After determining that your service provider supports SAML SLO, configure the service provider to call https://YOUR_DOMAIN/samlp/CLIENT_ID/logout (also listed in the SAML IdP metadata).

When a logout request is triggered by the service provider, a SAML logout request is sent to this endpoint. Auth0 starts the SAML SLO flow by notifying the existing session participants over the front channel.

  1. Log in to the Management Dashboard.

  2. Navigate to your Application's Addons page.

  3. Click to open the SAML2 Web App addon.

  4. In the Settings editor, uncomment the logout portion and update it with your callback URL:

      "logout": {
        "callback": "CALLBACK_URL"
      }

    To prevent a session participant from being notified, you can set logout.slo_enabled to false in the SAML2 Web App application addon's settings.

  5. Click Save.

For SAML-compliant endpoints, Auth0 uses this URL to send SAML logout requests or logout responses (the exact choice depends on whether the service provider initiated the session or not). If you don't want to notify the service provider about a session termination, you can set the slo_enabled key inside logout to false:

"logout": {
  "callback": "CALLBACK_URL",
  "slo_enabled": false
}

By default, SAML logout responses are sent using the HTTP-POST protocol binding. If you want to use HTTP-Redirect instead, set the binding key to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect:

"logout": {
  "callback": "CALLBACK_URL"
},
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

Non-Single Logout Scenario

If your service provider does not support SAML SLO, but provides a redirect URL where the user will be redirected to after logging out of the service provider, configure the redirect URL to https://YOUR_DOMAIN/v2/logout. This won't notify other session participants that a logout was initiated, but it will remove the session from Auth0.

Unable to log out using SAML IdP

When logging in (with Auth0 as the SAML Service Provider), the SAML identity provider uniquely identifies the user's session with a SessionIndex attribute in the AuthnStatement element of the SAML assertion. The SessionIndex value must be used again when the user logs out.

Occasionally, the SessionIndex value may not be present in the initial login assertion. When the user logs out, the request to the SAML identity provider will fail due to the missing value.

In these cases, Auth0 may not be able to complete a logout request to the SAML identity provider even if the logout URL has been configured correctly.
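The following is an added example, not Auth0's own code, that ties together the SessionIndex requirement above and the HTTP-Redirect binding described in the bindings section: it reads the SessionIndex out of a login assertion, refuses to build a LogoutRequest when the IdP omitted it (the failure mode just described), and shows how a LogoutRequest is encoded for the HTTP-Redirect binding and decoded again by the receiving SingleLogoutService. The assertion, the SP issuer and the IdP URL are constructed sample values, and request signing is omitted.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep saml:/samlp: prefixes when serialising

# Constructed sample assertion (not from a real IdP), trimmed to the parts logout needs.
ASSERTION_WITH_INDEX = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    "alice@example.test</saml:NameID></saml:Subject>"
    '<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z" SessionIndex="_sess-1234"/>'
    "</saml:Assertion>")
# The failure mode described above: the IdP omitted SessionIndex from the AuthnStatement.
ASSERTION_WITHOUT_INDEX = ASSERTION_WITH_INDEX.replace(' SessionIndex="_sess-1234"', "")

def session_index(assertion_xml):
    """Return (NameID, NameID Format, SessionIndex); SessionIndex is None when absent."""
    root = ET.fromstring(assertion_xml)
    nid = root.find("saml:Subject/saml:NameID", NS)
    stmt = root.find("saml:AuthnStatement", NS)
    return nid.text, nid.get("Format"), (stmt.get("SessionIndex") if stmt is not None else None)

def build_logout_request(assertion_xml, sp_issuer, idp_slo_url):
    """Build an (unsigned) LogoutRequest that echoes the SessionIndex from login."""
    name_id, fmt, idx = session_index(assertion_xml)
    if idx is None:  # fail here rather than with a rejected request at the IdP
        raise ValueError("assertion carries no SessionIndex; IdP logout would fail")
    req = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "Destination": idp_slo_url,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_issuer
    ET.SubElement(req, f"{{{NS['saml']}}}NameID", {"Format": fmt} if fmt else {}).text = name_id
    ET.SubElement(req, f"{{{NS['samlp']}}}SessionIndex").text = idx
    return ET.tostring(req, encoding="unicode")

def redirect_binding_url(idp_slo_url, request_xml):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encoded query (signature omitted)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(request_xml.encode()) + comp.flush()
    return f"{idp_slo_url}?{urlencode({'SAMLRequest': base64.b64encode(deflated).decode()})}"

def decode_redirect_url(url):
    """What the receiving SingleLogoutService does to recover the LogoutRequest XML."""
    saml_request = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()
```

Running session_index over the assertions your IdP actually returns is a quick way to confirm, before users hit the logout problem, whether the IdP includes a SessionIndex at all.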
