Getting SAML Response instead of LogoutResponse for the LogoutRequest sent to Auth0 IdP

I am using Auth0 as the Identity Provider and am trying to implement SAML-based, Service Provider initiated Single Logout (SLO). I send the following LogoutRequest from my service to the Auth0 Identity Provider Login URL, which looks like https://XYZ.auth0.com/samlp/CLIENT_ID :

<?xml version="1.0" encoding="ISO-8859-15"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="request-id"
                     Version="2.0"
                     IssueInstant="2022-08-02T16:44:22Z"
                     Destination="https://XYZ.auth0.com/samlp/CLIENT_ID">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.service.com/issuer</saml:Issuer>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
               Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@mail.com</saml:NameID>
</samlp:LogoutRequest>

I expect a SAML LogoutResponse message in return, but instead I get a SAML Response message, which seems to be the Authentication Response. Also, the user is not logged out of the Auth0 IdP.

Can someone please help me understand what it is that I am doing wrong?

Hi @sahilchhabra1 !

For a SAML logout request, it must be sent to https://xyz.auth0.com/samlp/CLIENT_ID/logout, which is the Single Logout Service endpoint, and in order for SLO to work you will also need to configure the SAML Web App Addon's logout options if not done already:

If in doubt, you can check the SAML metadata for a given client via this URL pattern: https://xyz.auth0.com/samlp/metadata/CLIENT_ID

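To make the difference between the two endpoints concrete, here is an added Python example (not code from the question, the answer, or Auth0) that builds a LogoutRequest of the same shape as the one in the question, encodes it for the HTTP-Redirect binding against the /logout Single Logout Service URL from the answer, and then checks whether what came back is actually a LogoutResponse with a Success status rather than an authentication Response. The tenant domain, client ID, issuer, and the two sample response documents are constructed placeholders; only the URL pattern and the SAML namespaces come from the thread. It uses only the standard library.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def slo_endpoint(tenant_domain: str, client_id: str) -> str:
    """Single Logout Service URL pattern from the answer (the login URL without /logout is wrong for SLO)."""
    return f"https://{tenant_domain}/samlp/{client_id}/logout"


def build_logout_request(issuer, name_id, destination, request_id=None, issue_instant=None):
    """Build a minimal SAML 2.0 LogoutRequest like the one in the question and return it as XML text."""
    request_id = request_id or f"_{uuid.uuid4().hex}"
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP_NS}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML_NS}}}NameID", {"Format": EMAIL_FORMAT}).text = name_id
    return ET.tostring(root, encoding="unicode")


def redirect_binding_url(endpoint, request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as the SAMLRequest query parameter."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = compressor.compress(request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{endpoint}?{urlencode(params)}"


def decode_saml_request_from_url(url):
    """Reverse the Redirect binding encoding so the request can be inspected (useful when debugging)."""
    value = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def classify_response(xml_text):
    """Return (root element name, StatusCode value, InResponseTo) for a SAML protocol message."""
    root = ET.fromstring(xml_text)
    kind = root.tag.rsplit("}", 1)[-1]  # 'LogoutResponse' for SLO, 'Response' for authentication
    status_el = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    status = status_el.get("Value") if status_el is not None else None
    return kind, status, root.get("InResponseTo")


def logout_succeeded(xml_text, expected_request_id):
    """True only for a LogoutResponse that reports Success and answers the request we actually sent."""
    kind, status, in_response_to = classify_response(xml_text)
    return kind == "LogoutResponse" and status == STATUS_SUCCESS and in_response_to == expected_request_id


# Constructed sample messages (not real Auth0 output) mirroring the two cases in the thread.
SAMPLE_LOGOUT_RESPONSE = (
    f'<samlp:LogoutResponse xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_resp1" '
    'Version="2.0" IssueInstant="2022-08-02T16:44:23Z" InResponseTo="request-id">'
    '<saml:Issuer>urn:example:idp</saml:Issuer>'
    f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
    '</samlp:LogoutResponse>'
)
SAMPLE_AUTHN_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_resp2" '
    'Version="2.0" IssueInstant="2022-08-02T16:44:23Z">'
    '<saml:Issuer>urn:example:idp</saml:Issuer>'
    f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-08-02T16:44:23Z"/>'
    '</samlp:Response>'
)

if __name__ == "__main__":
    endpoint = slo_endpoint("xyz.auth0.com", "CLIENT_ID")  # placeholder tenant and client
    req = build_logout_request("https://www.service.com/issuer", "user@mail.com", endpoint,
                               request_id="request-id")
    print(redirect_binding_url(endpoint, req))
    print("logout response ok:", logout_succeeded(SAMPLE_LOGOUT_RESPONSE, "request-id"))
    print("authn response ok:", logout_succeeded(SAMPLE_AUTHN_RESPONSE, "request-id"))
```

Checking the root element name and the InResponseTo attribute is what tells you whether the IdP processed a logout at all: a Response with an Assertion, like the one in the question, means the message reached the login endpoint and was treated as an authentication exchange.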