Log Users Out of Auth0 as the SAML Identity Provider
When integrating with a SAML identity provider, there are many ways to implement logout or user session termination.
SAML logout is configured differently depending on whether Auth0 acts as the service provider (when you create a SAML connection) the identity provider (when you have an application with the SAML2 Web App addon) or both.
Configure Auth0 APIs
When Auth0 is acting as a SAML Identity Provider, you can have the following two scenarios:
- Single logout
- Non-single logout
Create an API
SAML Single Logout (SLO) Scenario
After determining that your service provider supports SAML SLO, configure the service provider to call
https://YOUR_DOMAIN/samlp/CLIENT_ID/logout (also listed in the SAML IdP metadata).
When a logout request is triggered by the service provider, a logout request is sent to this endpoint. Auth0 starts the SAML SLO flow by notifying the existing session participants using a frontend channel.
Log into the Management Dashboard
Navigate to your Application's Addons page.
Click to open the SAML2 Web App addon.
In the Settings editor, uncomment the
logoutportion and update it with your callback URL:
To prevent a session participant from being notified, you can set
false in the
SAML2 Web App application addon's settings.
- Click Save.
For SAML-compliant endpoints, Auth0 uses this URL to send logout requests or logout responses (the exact choice depends on whether the service provider initiated the session or not). If you don't want to notify the service provider about a session termination, you can set the
slo_enabled key inside logout to
By default, SAML logout responses are sent using the HTTP-POST protocol binding. If you want to use HTTP-Redirect you can configure the
binding key to
Non-Single Logout Scenario
If your service provider does not support SAML SLO, but provides a redirect URL where the user will be redirected to after logging out of the service provider, configure the redirect URL to
https://YOUR_DOMAIN/v2/logout. This won't notify other session participants that a logout was initiated, but it will remove the session from Auth0.