Federated Logout from OIDC Application, Auth0 as SAML SP

This document is part of a series on common Federated Logout patterns.

Other documents in the series can be found under the heading “Logout Patterns” in the document on Federated Logout and Single Logout (SLO).

The scenario described in this document assumes the following:

  • One OIDC application
  • An external SAML IdP configured as a SAML Enterprise connection in Auth0
  • SLO is initiated from the OIDC application

A sequence diagram demonstrating the SLO flow is shown here:

Note the following:

  • SLO begins at the /logout endpoint on the OIDC application. The application code is responsible for terminating the application’s own session (clearing its session cookie or server-side session) and then redirecting the browser to the Auth0 federated logout endpoint.
  • The OIDC application must initiate a GET request to the Auth0 /v2/logout endpoint, including the federated query parameter so that Auth0 also sends the logout on to the upstream SAML IdP. Attempts to initiate SLO by calling the SAML SLO endpoints described in the SAML documentation will fail, because in this scenario Auth0 is the SAML SP and the application is not a SAML participant.
  • With OIDC applications, this redirect-based flow cannot accomplish everything a traditional SAML SLO flow could: Auth0 does not reach out to other OIDC applications and request that they terminate their local sessions. Auth0 now supports OIDC Back-Channel Logout, which closes this gap for applications that implement it.
  • In the final response from the Auth0 tenant, the default response is 200 OK. It is possible to configure the Auth0 tenant to redirect to a specific URL after SLO completes (the URL must be listed in the tenant’s or application’s Allowed Logout URLs): Redirect Users with Alternative Logout