Forcing Auth0 as SP to Send SLO Logout

We have an application that is set up to use a SAMLP enterprise connection where Auth0 is the SP and Ping Federate is the IdP. The customer that we’re standing this application up for has their log-in form take in an additional user parameter in addition to the user’s credentials. On their back-end they check that this value is valid and will deliver an error response if it is not (it’s like a vendor location code). When doing normal logins this is fine. Everything works correctly for authentication and federated logout completes without issue.

We’re facing a problem when the user enters a bad value for that additional property.Ping tells Auth0 there was an error authenticating. Auth0 tells our application about a login error. We tell the user there was an error. The description provided by the IdP is shown to the user. We ask them to correct this and want them to log in. Here’s the rub, the Ping sees that the user entered good credentials and is keeping a pseudo session around and will always return that error. “How is this Auth0’s problem, or, for that matter, our application’s issue?” Well, it isn’t but we’re trying to work with the customer here to provide a good user experience.

What I’ve tried to do is before directing the user to login after this error is to send the user to the Auth0 logout address with the federated flag on the query string. The problem is that this doesn’t appear to be pushed to the IdP. I suspect it is because Auth0 rightfully sees that the current user has no session so therefore, how do you log out a logged out user?

The customer has given me a “session reset” endpoint that I can navigate the user to. This solves the issue. The user is logged out from the session. However, now our multi-tenant application is now reliant on someone else for session for this one instance and use-case. We want to make our application go to Auth0 for any authentication and authorization.

So, is there a way to force a IdP logout if the user has no session in Auth0? It would be nice if I could supply the connection id on the logout query string to indicate that, “yes, I really would like to insure that no session exists at this connection at all.”


EDIT: I should mention that I’ve reviewed this FAQ as well as the pages on logout but see no mention of this functionality or situation: