Federated Logout with Auth0 as SAML IdP and SP

Problem statement

After updating an application to pass the federated parameter in its logout request, Auth0's log history for the user shows no "logged out" event. When the user then goes directly to the application after being logged out, they are let in without being asked to authenticate again, even though they are logged out of the IdP. In this setup Auth0 is both the SAML SP and the SAML IdP.

Cause

SAML flows use different logout endpoints from OIDC flows. Both the SP and the IdP must be configured with the correct SAML logout endpoints for a federated logout to complete successfully over a SAML connection; pointing either side at the OIDC logout endpoint leaves the other side's session alive.

Solution

When Auth0 is both the Identity Provider and the Service Provider (for example, two tenants connected to each other through a SAML connection), a federated logout must trigger the SAML logout flow. To support this, the SAML connection on the tenant acting as the SAML Service Provider must call the SAML logout endpoint on the IdP tenant:

https://IDP_TENANT_DOMAIN/samlp/CLIENT_ID_WITH_SAML_ADDON/logout

Similarly, on the IdP tenant, the application with the SAML Web App Addon enabled must have its SLO settings (the logout callback, with SLO enabled) pointed at the SP tenant's SAML SLO endpoint so the IdP tenant can complete the logout of the SP tenant in this flow:

https://SP_TENANT_DOMAIN/logout
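The following is an added example, not code from the Auth0 article: it builds the two logout-related configuration fragments described above (the SP tenant's SAML connection sign-out endpoint and the IdP tenant's SAML Web App Addon SLO settings), builds the federated logout URL the application should send the browser to, and cross-checks a pair of settings for the mistake the Cause section describes, an OIDC /v2/logout endpoint used where the SAML /samlp/CLIENT_ID/logout endpoint is required. The tenant domains and client IDs are placeholders, and the field names signOutEndpoint, logout.callback and logout.slo_enabled are assumed from the Auth0 Management API and should be verified against the current API documentation before use.

```python
"""Build and cross-check SAML SLO settings for an Auth0-to-Auth0 SAML pair.

Added example; not part of the original article. Field names for the samlp
connection options (signOutEndpoint) and the SAML Web App Addon settings
(logout.callback, logout.slo_enabled) are ASSUMED from the Management API.
Domains and client IDs below are placeholders.
"""
from urllib.parse import urlencode, urlparse


def idp_saml_logout_endpoint(idp_domain: str, idp_client_id: str) -> str:
    """SAML logout endpoint on the IdP tenant that the SP connection must call."""
    return f"https://{idp_domain}/samlp/{idp_client_id}/logout"


def sp_saml_slo_endpoint(sp_domain: str) -> str:
    """SAML SLO endpoint on the SP tenant that the IdP addon must point at."""
    return f"https://{sp_domain}/logout"


def sp_connection_options(idp_domain: str, idp_client_id: str) -> dict:
    """Logout-related fragment of the SP tenant's samlp connection options."""
    return {
        "signInEndpoint": f"https://{idp_domain}/samlp/{idp_client_id}",
        "signOutEndpoint": idp_saml_logout_endpoint(idp_domain, idp_client_id),
    }


def idp_addon_settings(sp_domain: str) -> dict:
    """Logout-related fragment of the IdP tenant's SAML Web App Addon settings."""
    return {"logout": {"callback": sp_saml_slo_endpoint(sp_domain), "slo_enabled": True}}


def federated_logout_url(sp_domain: str, app_client_id: str, return_to: str) -> str:
    """URL the application redirects the browser to; 'federated' is a bare query flag."""
    query = urlencode({"client_id": app_client_id, "returnTo": return_to})
    return f"https://{sp_domain}/v2/logout?federated&{query}"


def check_slo_pairing(sp_domain: str, idp_domain: str, idp_client_id: str,
                      connection_options: dict, addon_settings: dict) -> list:
    """Return a list of misconfigurations; an empty list means the pairing is consistent."""
    problems = []

    sign_out = connection_options.get("signOutEndpoint", "")
    expected_sign_out = idp_saml_logout_endpoint(idp_domain, idp_client_id)
    if urlparse(sign_out).path.startswith("/v2/logout"):
        # The exact mistake from the Cause section: OIDC endpoint used for a SAML connection.
        problems.append("SP connection signOutEndpoint uses the OIDC /v2/logout endpoint; "
                        "a SAML connection needs /samlp/<client_id>/logout on the IdP tenant")
    elif sign_out != expected_sign_out:
        problems.append(f"SP connection signOutEndpoint is {sign_out!r}, expected {expected_sign_out!r}")

    logout = addon_settings.get("logout", {})
    callback = logout.get("callback", "")
    if not logout.get("slo_enabled"):
        problems.append("IdP addon has slo_enabled off; the IdP will never send a LogoutRequest to the SP")
    if callback != sp_saml_slo_endpoint(sp_domain):
        problems.append(f"IdP addon logout.callback is {callback!r}, expected {sp_saml_slo_endpoint(sp_domain)!r}")

    # Logout requests carry session-ending instructions; never let them go over plain HTTP.
    for label, url in (("signOutEndpoint", sign_out), ("logout.callback", callback)):
        if urlparse(url).scheme != "https":
            problems.append(f"{label} must use https, got {url!r}")
    return problems


# Placeholder tenants and IDs (constructed sample input, not real tenants).
SP_DOMAIN = "sp-tenant.example.auth0.com"
IDP_DOMAIN = "idp-tenant.example.auth0.com"
IDP_CLIENT_ID = "IDP_CLIENT_ID_WITH_SAML_ADDON"

GOOD_CONNECTION = sp_connection_options(IDP_DOMAIN, IDP_CLIENT_ID)
GOOD_ADDON = idp_addon_settings(SP_DOMAIN)

# A broken pair: SP side calls the OIDC logout endpoint, IdP side has SLO off and an http callback.
BAD_CONNECTION = {**GOOD_CONNECTION, "signOutEndpoint": f"https://{IDP_DOMAIN}/v2/logout"}
BAD_ADDON = {"logout": {"callback": f"http://{SP_DOMAIN}/logout", "slo_enabled": False}}

if __name__ == "__main__":
    print(federated_logout_url(SP_DOMAIN, "APP_CLIENT_ID", "https://app.example.com/"))
    print("good pairing problems:", check_slo_pairing(SP_DOMAIN, IDP_DOMAIN, IDP_CLIENT_ID,
                                                      GOOD_CONNECTION, GOOD_ADDON))
    for problem in check_slo_pairing(SP_DOMAIN, IDP_DOMAIN, IDP_CLIENT_ID, BAD_CONNECTION, BAD_ADDON):
        print("bad pairing:", problem)
```

Run check_slo_pairing against the values actually stored in both tenants (read back through the Management API rather than copied from a ticket) before testing the logout flow in a browser; the checker only validates that the two sides agree with each other and with the endpoint shapes given above.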

After updating both sides, confirm that a logout from the application produces a logout event in the logs of both tenants and that returning directly to the application prompts for authentication again. For more details, refer to Configure SLO when Auth0 is the SAML IdP.