Auth0 as IDP - LogoutResponse certificate

Greetings everyone!

I couldn’t find any mention of this, so I must be setting something up badly. I am connecting my localhost SP to Auth0 acting as an IDP. I only have these settings on Auth0 (signingCert being the public signing certificate of my SP):

{
"logout": {
"callback": "https://com.com:3000/iamsvc/start_sp_logout_flow/callback",
"slo_enabled": true
},
"signingCert": "MIIFuzCCA6OgAwIBAgIUDpTjUCoHDW7Hy5dKLlKYcNquo+swDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCUlMxETAPBgNVBAgMCEJlbGdyYWRlMREwDwYDVQQHDAhCZWxncmFkZTEMMAoGA1UECgwDU0FQMRQwEgYDVQQLDAtDb21taXNzaW9uczEUMBIGA1UEAwwLQ29tbWlzc2lvbnMwHhcNMjAwMTIyMDkzNDQ2WhcNMjIwNzEwMDkzNDQ2WjBtMQswCQYDVQQGEwJSUzERMA8GA1UECAwIQmVsZ3JhZGUxETAPBgNVBAcMCEJlbGdyYWRlMQwwCgYDVQQKDANTQVAxFDASBgNVBAsMC0NvbW1pc3Npb25zMRQwEgYDVQQDDAtDb21taXNzaW9uczCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL3be7ykF0L7WoB79tVwfu8OosDzjXWdnXZB7x7DNVxtHP9p3l5NfM5B+p7NzVEe+FSJAmXxunxh/qF83bvbVzIv44Nq+MxSN4wwKoTDamPb92LPpHUaEzjeCc2xqoq+iherbzTHznok4KUzT8seZoNeLll/wXok5MzuLZ0LqGhmQLjUWfc7hNqOqv4Cn+9Nj6JX0T44BN5vlf6b2lgiBV+0wApWcAmCdJIbUAI11yYtPdcsLW/bzHB4A4WcKND/jUpNxNVXrRnrF/0yHcazbF8GWbOJpURSQ7h5jKqY0nSGi6U2wRWV5HUkNtOqqRDAygpMe5/1/Hu6kIkhGB0jgcyEyTR9jzQyHRx2ioCUI+HWpem0EAJJNERmVrDWfjzS7M4TdTg+d4ZWmKvVLoVsDJbD/T4JXb38f0WkxCpsXgelJqqH7l6AI64q2LwB3IandcS7TbeiqVFaqTGpmR0J5lghBLdzxwvOegQsikdJEiHPXmWKCO+Ukw9FcWT5Xubnwk/VObOO8S05bCtp/6hu0X282o+TzaT8xFzvHxQAnQVXpBapnZsdIJb3Y4GuuMfrcDTnwq8UKLpBlvenjqZ0TYMpUMBddZ3QphOtIAls2oBxGlZxBfQqBPkH3IEtsYO3v/Ti5SremdVT/OJN0vc44WU6dVqK/LBrtpV45mcTNaLjAgMBAAGjUzBRMB0GA1UdDgQWBBS4QX0ho+QIWFXRXV96LnSbb0ye5jAfBgNVHSMEGDAWgBS4QX0ho+QIWFXRXV96LnSbb0ye5jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCV0A2oRPCTHi/qZI4tM2hGsKHbPiGgnq9wIHXCENEkyfJZLM5UX9URM/R9r+kXQqh46nMW5+NyxfbrkeSW3HI8EK3gy0tpW4ZEQXLuly4iDl472LV3zc0mx8nzOTnIbQv1qOjbQ1PL5/u9XEhZx4Srsk8N6waQWj/QlkFhtLztKKbapdRiaQBX4KGNUf+e0QfB3Q3Pa7v/zJnR1algibDDGRVx00p03yR4Mv4ycPVdhqHYfqTuAjVhRJZeSd73g6UeqOBJLi4sC6NUkUgysI0bwy4ynGbJH5kGFTgSAV148aouny6eGQvAcKhIe/TzTripsuuotsqVMCaun+AlZpeCQeEym5E/gfZTlJRd40XT8qE1lKCfXVWE1hnzk2E1dtcg7YWyZL9EARptmBTYwLD+Q0SzeXUu8hjntt65TLKB+FAH1zy9cVTtu1vSf8v0GnpeeMzKwBgtcp36Gw+eMPCjpsJX0Ssd6K7c3BGqyoDzAtJv+yyIWsOYmuqY/2TXnNJS28C98j/jGUZPpSxOKzrmaxLTWc7xtucF5WP7G1sEJW9kPA8MjkrhiWw/MnRNKUsF5yLO7SmltrVwBKI1mzpCa5bm1ArJwenxLixAZiBqzhLhZXmOPFBXZQFh7I8G61GEv2ASoLBfUQ8WPMPMNbQ1Z2c8eu5HzOWOH+j0iaCqXA=="
}

Login works flawlessly, but SP-initiated logout does not, because of a certificate mismatch. As a login response, Auth0 is using the certificate specified in Application settings → Advanced → Certificates (as well as Auth0 IDP metadata), but for a logout response it’s using a completely different certificate. I tried logging out multiple times and it always used that one, but it’s different from the login response.

I don’t want to blindly use the certificate provided in the response for validation, as that seems like a security issue.

Solving this issue would require either one of these things:

  • Use the same signing certificate from the metadata for both login and logout responses; or
  • Also list the other certificate in the IDP metadata, so my SP can know the origin.

Am I missing some crucial setting here?

Cheers,
Vlado
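One way an SP can implement the check the post asks for, as an added example that is not from the post or from Auth0: pin the LogoutResponse signer to the certificates published in the IdP metadata and reject any response whose embedded certificate is not in that set, instead of trusting the certificate the response carries. It assumes a Python SP using only the standard library; the XML signature itself must still be verified afterwards (with a SAML library) using the pinned metadata certificate, and the certificate bodies and XML below are constructed stand-ins, not real Auth0 data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes; PEM line breaks are ignored."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()

def trusted_fingerprints(metadata_xml: str) -> set:
    """Every signing certificate the IdP metadata publishes (may be several)."""
    fps = set()
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attr means both
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            fps.add(cert_fingerprint(c.text))
    return fps

def embedded_cert_fingerprint(logout_response_xml: str):
    root = ET.fromstring(logout_response_xml)  # cert in ds:KeyInfo, or None
    c = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return cert_fingerprint(c.text) if c is not None and c.text else None

def signer_is_trusted(logout_response_xml: str, metadata_xml: str) -> bool:
    """True only if the embedded cert is one from metadata; verify the XML
    signature afterwards with that pinned cert, never with the embedded one."""
    fp = embedded_cert_fingerprint(logout_response_xml)
    return fp is not None and fp in trusted_fingerprints(metadata_xml)

# Constructed stand-ins (not real X.509 DER); their fingerprints still differ.
CERT_A = base64.b64encode(b"cert-published-in-idp-metadata").decode()
CERT_B = base64.b64encode(b"different-cert-seen-on-logout").decode()

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
 entityID="urn:example:idp"><md:IDPSSODescriptor><md:KeyDescriptor use="signing">
 <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_A}</ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""

def logout_response(cert_b64: str) -> str:  # constructed minimal response
    return f"""<samlp:LogoutResponse xmlns:samlp="{NS['samlp']}" xmlns:ds="{NS['ds']}"
 ID="_r1" Version="2.0"><ds:Signature><ds:KeyInfo><ds:X509Data>
 <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature></samlp:LogoutResponse>"""
```

With a second certificate added to the IdP metadata as another KeyDescriptor, `trusted_fingerprints` picks it up and the same check accepts it, which is the second option the post suggests.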