We have Nico, who provided some further information on the logout functionality that may be useful/helpful for specific cases, found here: Auth0 SLO where Auth0 acts both IDP and SP - #7 by nicolas_sabena
I am copying over the post from the above thread:
I can confirm that, as of now, Auth0 will not reach out to the upstream identity provider (a “federated” logout) if the original logout request was a SAML logout request (i.e. it came from a SAML service provider).
Auth0 will issue a logout request to the upstream IdP if the strategy supports it (that’s what the logout URL is for in SAML connections) when you use the /v2/logout endpoint with the ?federated option (see Logout). This endpoint is meant to be used by OAuth2/OIDC clients mostly. You can’t use it from a SAML relying party, though, because it does not do the SAML SLO (does not send a SAML logout request to all other participant service providers).
So, to sum up, regardless of the protocol used in the upstream connection:
- SAML logout requests from SPs will not cause a logout request to the upstream connection.
- WS-Federation logout requests will cause a logout request to the upstream connection (if supported).
- /v2/logout will cause a logout request to the upstream connection (when supported) if the federated parameter is used.
I do agree that the above behavior is somewhat inconsistent and could be improved. If this is something you need, I would encourage you to leave feedback at https://auth0.com/docs/feedback, as customer requests will help the Product team prioritize features.
Please let me know if this helps clarify things. If not, simply let me know and I can have someone jump in to help clarify any processes further on how they are intended to behave!