Auth0 SLO where Auth0 acts as both IdP and SP


Our Auth0 implementation acts as follows:

  1. SP for a 3rd party SAML IDP
  2. IDP for all our SPs

We would like to do an SP-initiated SLO from one of our SPs, let's say from Service Provider 1, while Service Provider 2 and Service Provider 3 are also participating in the SAML session.

We would like to accomplish the following:

  1. Log off all SPs (SP1, SP2, … SPN) participating in the SAML session
  2. After #1 is done, Auth0 sends an SLO request to the 3rd party IDP

How can we accomplish this flow in Auth0?

Hi Edwin.
If I’m not mistaken, as of now Auth0 will do #1, but not #2.
I tried the scenario #1, however, and something is not working for me (I get a final PartialLogout error from the IdP Auth0 to the SP that initiated the logout). Have you tried this on your side?

Hi Nicolas,

Edwin’s coworker here…providing an update for community awareness.

We did make #1 work properly. #2 is still evading us. We have also opened a support ticket and linked this post to it. What is unclear right now is the fact that the SAML Enterprise Connection allows for a SAML Single Logout URL, but it doesn't seem to be used, or we have yet to find a way to make Auth0 use it.
If we get any further traction on the support ticket, we will update this post with a solution.

Hi @Vitalii.Djiguir, @edwin.capistrano. Apologies for the late answer, I missed your message and forgot to follow up on this.

As you know, Auth0 supports different “upstream” identity providers in addition to its own database connections. Some connections support logout and some don’t, with the added complexity that some support logout but don’t support redirection to a specific URL.

I can confirm that, as of now, Auth0 will not reach out to the upstream identity provider (a “federated” logout) if the original logout request was a SAML logout request (i.e. it came from a SAML service provider).
Auth0 will issue a logout request to the upstream IdP if the strategy supports it (that’s what the logout URL is for in SAML connections) when you use the /v2/logout endpoint with the ?federated option (see Logout). This endpoint is meant to be used by OAuth2/OIDC clients mostly. You can’t use it from a SAML relying party, though, because it does not do the SAML SLO (does not send a SAML logout request to all other participant service providers).

So, to sum up, regardless of the protocol used in the upstream connection:

  • SAML logout requests from SPs will not cause a logout request to the upstream connection.
  • WS-Federation logout requests will cause a logout request to the upstream connection (if supported).
  • /v2/logout will cause a logout request to the upstream connection (when supported) if the federated parameter is used.

I do agree that the above behavior is somewhat inconsistent and could be improved. If this is something you need, I would encourage you to leave feedback at https://auth0.com/docs/feedback, as customers requests will help the Product team prioritize features.
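The following is an added example, not code from the original thread or from Auth0. It shows the two sides of the distinction drawn in the answer above: building the `/v2/logout` URL with the bare `federated` flag (the only path that makes Auth0 contact the upstream IdP's logout URL), and decoding a SAML LogoutResponse carried in the HTTP-Redirect binding so that the `PartialLogout` status mentioned earlier in the thread is detected rather than being mistaken for a clean logout. The tenant domain, client_id, returnTo value and the sample LogoutResponse XML are constructed values, and the sample response assumes the SAML 2.0 Core layout of a top-level Success with a second-level PartialLogout.

```python
"""Added example (not part of the original thread or of Auth0's own code).

Demonstrates:
  1. the Auth0 /v2/logout URL with the value-less `federated` flag, which is
     the only logout path in the thread that triggers an upstream IdP logout;
  2. decoding a SAML LogoutResponse from the HTTP-Redirect binding and reading
     its nested StatusCode values to spot a PartialLogout result.

All domains, identifiers and the XML below are constructed sample values.
"""
import base64
import xml.etree.ElementTree as ET
import zlib
from typing import List
from urllib.parse import parse_qs, quote, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"


def federated_logout_url(domain: str, client_id: str, return_to: str) -> str:
    """Build the /v2/logout URL that also logs the user out of the upstream IdP.

    `federated` is documented as a bare flag, so it is appended by hand rather
    than via urlencode (which would emit `federated=`). The returnTo value must
    be present in the application's Allowed Logout URLs or Auth0 rejects it.
    """
    query = "federated&" + urlencode({"client_id": client_id, "returnTo": return_to})
    return f"https://{domain}/v2/logout?{query}"


def encode_redirect_binding(xml_doc: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = compressor.compress(xml_doc.encode("utf-8")) + compressor.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_binding(param_value: str) -> str:
    """Inverse of encode_redirect_binding for a value the query parser already URL-decoded."""
    return zlib.decompress(base64.b64decode(param_value), -15).decode("utf-8")


def status_codes(logout_response_xml: str) -> List[str]:
    """Return every StatusCode Value of a LogoutResponse, outermost first."""
    root = ET.fromstring(logout_response_xml)
    codes = []
    node = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    while node is not None:
        codes.append(node.get("Value", ""))
        node = node.find(f"{{{SAMLP_NS}}}StatusCode")  # second-level code, if any
    return codes


def logout_outcome(redirect_url: str) -> str:
    """Classify the SAMLResponse on the redirect back to the initiating SP.

    A top-level Success alone is not enough: PartialLogout nested under it means
    at least one session participant was not logged out.
    """
    qs = parse_qs(urlparse(redirect_url).query)
    codes = status_codes(decode_redirect_binding(qs["SAMLResponse"][0]))
    if STATUS_PARTIAL_LOGOUT in codes:
        return "partial"
    if codes and codes[0] == STATUS_SUCCESS:
        return "success"
    return "failed"


# Constructed LogoutResponse as an IdP would return it to SP1 after an
# SP-initiated SLO in which not every participant could be logged out.
SAMPLE_PARTIAL_LOGOUT_RESPONSE = f"""<samlp:LogoutResponse xmlns:samlp="{SAMLP_NS}"
    ID="_resp1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    InResponseTo="_req1" Destination="https://sp1.example.com/saml/slo">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS_SUCCESS}">
      <samlp:StatusCode Value="{STATUS_PARTIAL_LOGOUT}"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:LogoutResponse>"""


def sample_redirect() -> str:
    """A constructed redirect to SP1's SLO endpoint carrying the sample response."""
    return ("https://sp1.example.com/saml/slo?SAMLResponse="
            + encode_redirect_binding(SAMPLE_PARTIAL_LOGOUT_RESPONSE)
            + "&RelayState=constructed")


if __name__ == "__main__":
    print(federated_logout_url("tenant.example.auth0.com", "abc123", "https://app.example.com/"))
    print(status_codes(SAMPLE_PARTIAL_LOGOUT_RESPONSE))
    print(logout_outcome(sample_redirect()))
```

An SP that only checks the outermost StatusCode would treat the sample response as a success; walking the nested codes is what surfaces the PartialLogout. Signature handling on the Redirect binding (SigAlg and Signature parameters) is deliberately left out here and must be verified before any of the decoded content is trusted.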

Hi @nicolas_sabena,

Thanks for the clarification.

Regards,
Vitalii
