Auth0 SLO where Auth0 acts both IDP and SP

Hi @Vitalii.Djiguir, @edwin.capistrano. Apologies for the late answer, I missed your message and forgot to follow up on this.

As you know, Auth0 supports different “upstream” identity providers in addition to its own database connections. Some connections support logout and some don’t, with the added complexity that some support logout but don’t support redirection to a specific URL.

I can confirm that, as of now, Auth0 will not reach out to the upstream identity provider (a “federated” logout) if the original logout request was a SAML logout request (i.e. it came from a SAML service provider).
Auth0 will issue a logout request to the upstream IdP if the strategy supports it (that’s what the logout URL is for in SAML connections) when you use the /v2/logout endpoint with the ?federated option (see Logout). This endpoint is meant to be used by OAuth2/OIDC clients mostly. You can’t use it from a SAML relying party, though, because it does not do the SAML SLO (does not send a SAML logout request to all other participant service providers).

So, to sum up, regardless of the protocol used in the upstream connection,:

  • SAML logout requests from SPs will not cause a logout request to the upstream connection.
  • WS-Federation logout requests will cause a logout request to the upstream connection (if supported).
  • /v2/logout will cause a logout request to the upstream connection (when supported) if the federated parameter is used.

I do agree that the above behavior is somewhat inconsistent and could be improved. If this is something you need, I would encourage you to leave feedback at https://auth0.com/docs/feedback, as customers requests will help the Product team prioritize features.