Help with Auth0 SP, IdP and RBAC setup

Hi Everyone, will be happy to get some help with Auth0 setup. We use one domain (Auth0 tenant) as service provider (SP) and another domain (Auth0 tenant) as identity provider (IdP). There is a SAML Enterprise connection setup between SP and IdP. The login works, user defined in IdP can login in app that is set up in SP. We are using Node.js Express test app generated from the SP domain app. We have 2 problems:

  1. Logout does not clear the Auth0 session and IdP session, even though auth0Logout and idpLogout are set in the auth config. Since the IdP still has the same user logged in, we cannot switch to another user.
  2. We need to set up RBAC access for our app and read the user’s roles or permissions on login. This should be driven by the IdP, so the user’s roles and permissions will be set in the IdP. This requires creating an API in the IdP (so far so good). The question is what should be done on the SP side? Specifying the API as audience does not work, since the API and users/roles are on the IdP side and the audience reflects the SP side.

Any help or pointer to the right documentation will be greatly appreciated!

Thanks in advance.

After further digging into Auth0 documentation, the correct approach seems to be the one described in these documents:

To summarize:

  1. From SAML Configuration Options
    After the identity provider creates the user, you can use an out-of-band process to create the accompanying user in the application (or Auth0) and add any user profile attributes required by the application. If, after authentication, any attributes are missing in the profile, the application can obtain them from the appropriate source and store them in the Auth0 user profile. The additional attributes are then sent to the application (in addition to any added by the identity provider) the next time the user logs in.
    You can use an Auth0 rule to call an API to retrieve any missing information and dynamically add it to the Auth0 profile (which is then returned to the application). Rules execute after successful authentication, and your application can retrieve profile attributes each time, or you can save the attributes to the Auth0 profile.

  2. Follow Call an Identity Provider API to call IdP API for more data about the user.
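As an added illustration of the rule-based approach summarized above (example code, not the poster's setup or Auth0's own samples): a rule-style function in the SP tenant that, for logins through the SAML connection to the IdP, fetches the user's roles from the IdP API and places them in the tokens as a namespaced claim. The connection name "idp-saml", the claim namespace, lookup by e-mail and the injected fetchRoles function are assumptions.

```javascript
// Added example, not the poster's code. Assumptions: the SP tenant's SAML
// enterprise connection is named "idp-saml", the IdP API is queried by e-mail,
// and custom claims live under the namespace below (Auth0 requires a namespace).
const CLAIM_NAMESPACE = 'https://example.com/claims/'; // assumed namespace
const IDP_CONNECTION = 'idp-saml';                     // assumed connection name

// Keep only well-formed role names from the IdP response; drop duplicates and
// anything that is not a short identifier, so junk never reaches the token.
function normalizeRoles(roles) {
  if (!Array.isArray(roles)) return [];
  const seen = new Set();
  for (const r of roles) {
    if (typeof r === 'string' && /^[A-Za-z0-9_:-]{1,64}$/.test(r)) seen.add(r);
  }
  return [...seen].sort();
}

// Pure part of the rule: add the roles as a namespaced claim on both the ID and
// access tokens and mirror them into app_metadata so a later login can skip the
// API call. (In the rules sandbox the metadata write is persisted with
// auth0.users.updateAppMetadata(); omitted here so the example runs offline.)
function applyIdpRoles(user, context, roles) {
  const clean = normalizeRoles(roles);
  const claim = CLAIM_NAMESPACE + 'roles';
  context.idToken = Object.assign({}, context.idToken, { [claim]: clean });
  context.accessToken = Object.assign({}, context.accessToken, { [claim]: clean });
  user.app_metadata = Object.assign({}, user.app_metadata, { idp_roles: clean });
  return { user, context };
}

// Rule entry point with the IdP call injected as fetchRoles(email) ->
// Promise<string[]> (a real rule would first obtain a client-credentials token
// for the IdP API). Logins through other connections pass through untouched; a
// failed lookup fails closed (login denied) instead of issuing a role-less token.
function makeRule(fetchRoles) {
  return function idpRolesRule(user, context, callback) {
    if (context.connection !== IDP_CONNECTION) return callback(null, user, context);
    const cached = (user.app_metadata || {}).idp_roles;
    const source = Array.isArray(cached) ? Promise.resolve(cached) : fetchRoles(user.email);
    source
      .then((roles) => {
        const out = applyIdpRoles(user, context, roles);
        callback(null, out.user, out.context);
      })
      .catch((err) => callback(new Error('IdP role lookup failed: ' + err.message)));
  };
}
```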