Federated logout with Auth0 as SAML IdP and SP

Problem statement

After updating our app to pass the federated parameter to the logout call, we no longer see a logout event in Auth0's history for the user. Additionally, if we browse directly to the app after logging out, we are let in without being asked to authenticate, even though our IdP is fully logged out.

Cause

SAML flows use different logout endpoints from OIDC flows. When the connection is SAML, both the SP and the IdP must be configured with the correct SAML logout endpoints for a federated logout to complete successfully.

Solution

When Auth0 acts as both the Identity Provider and the Service Provider, for example two tenants connected to each other via a SAML connection, the connection on the tenant acting as the SAML Service Provider must call the correct SAML logout endpoint on the IdP tenant for a federated logout to trigger the SAML logout flow, i.e.:

Similarly, the client on your IdP tenant with the SAML Web App Addon enabled should have its SLO settings pointed at the SP tenant's SAML SLO logout endpoint, so that the IdP tenant can complete the logout of the SP tenant in this triggered SAML flow:
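As an added illustration of why the endpoint pairing above matters (this is example code, not Auth0's own code or the configuration values the article refers to), the following Python script builds a SAML LogoutRequest for the HTTP-Redirect binding, then checks that the request is addressed to the expected SAML SLO endpoint rather than the OIDC logout endpoint. The hostnames, the `SAML_SLO_ENDPOINT` path and the SP entity ID are constructed placeholders, not real Auth0 tenant endpoints.

```python
"""Construct and sanity-check a SAML LogoutRequest (example code, not Auth0's).

A federated logout that targets the OIDC logout endpoint never reaches the
SAML SLO handler, so the IdP session (and the SP session it backs) survives.
This check flags a LogoutRequest whose Destination is not the SAML SLO endpoint.
"""
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed placeholder URLs (assumptions, not real Auth0 endpoints).
IDP_SAML_SLO = "https://idp-tenant.example.invalid/SAML_SLO_ENDPOINT"
IDP_OIDC_LOGOUT = "https://idp-tenant.example.invalid/v2/logout"
SP_ENTITY_ID = "urn:sp-tenant.example.invalid"


def build_logout_request(destination: str, issuer: str, name_id: str,
                         request_id: str = "_req1") -> str:
    """Return a minimal SAML 2.0 LogoutRequest document as a string."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'Destination="{destination}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f"{name_id}</saml:NameID>"
        f"</samlp:LogoutRequest>"
    )


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64 (the SAMLRequest value)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect(saml_request: str) -> str:
    """Reverse of encode_redirect: base64-decode, then inflate raw DEFLATE."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def check_logout_request(xml: str, expected_destination: str,
                         expected_issuer: str) -> list[str]:
    """Return a list of problems; an empty list means the request looks correct."""
    root = ET.fromstring(xml)
    problems = []
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return [f"not a LogoutRequest: {root.tag}"]
    dest = root.get("Destination")
    if dest != expected_destination:
        # This is the misconfiguration the article describes: the SP is
        # sending the logout somewhere other than the IdP's SAML SLO endpoint.
        problems.append(f"Destination {dest!r} is not the SAML SLO endpoint "
                        f"{expected_destination!r}")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} is not the expected SP {expected_issuer!r}")
    if root.find("saml:NameID", NS) is None:
        problems.append("missing NameID: the IdP cannot tell which session to end")
    return problems


def check_redirect_binding(saml_request: str, expected_destination: str,
                           expected_issuer: str) -> list[str]:
    """Decode a SAMLRequest query parameter value and run the same checks."""
    return check_logout_request(decode_redirect(saml_request),
                                expected_destination, expected_issuer)


if __name__ == "__main__":
    good = build_logout_request(IDP_SAML_SLO, SP_ENTITY_ID, "user@example.invalid")
    bad = build_logout_request(IDP_OIDC_LOGOUT, SP_ENTITY_ID, "user@example.invalid")
    print("correct SLO target:", check_redirect_binding(encode_redirect(good), IDP_SAML_SLO, SP_ENTITY_ID))
    print("OIDC logout target:", check_redirect_binding(encode_redirect(bad), IDP_SAML_SLO, SP_ENTITY_ID))
```

Running the script prints an empty problem list for the request aimed at the SAML SLO endpoint and a single Destination mismatch for the one aimed at the OIDC logout endpoint, which is the symptom to look for when a federated logout leaves the IdP session alive.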