Problem statement
This article addresses the situation in which the Federated Logout results in:
Not found.
Solution
Posting the SAML logout request to https://YOUR_DOMAIN/samlp/CLIENT_ID/logout should be enough. But here’s a description of how this flow works so that you understand the underlying processes.
NOTE: The following description applies to the Service Provider (SP) initiated Single Logout (SLO) when Auth0 is acting as the Identity Provider.
- The initiating Service Provider (one of your apps) generates a digitally signed Logout Request SAML message and sends it to the IdP's SLO endpoint, which is a dedicated URL designed to receive SLO messages. When Auth0 is acting as the SAML IdP (in other words, you are using the SAML add-on), this endpoint is: https://YOUR_DOMAIN/samlp/CLIENT_ID/logout. The same URL is also carried inside the Logout Request as its Destination attribute. The complete URL is returned to the user's browser through a 302 HTTP redirection response. Here's an example of a SAML logout request:
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://YOUR_DOMAIN/samlp/CLIENT_ID/logout" ID="id....." IssueInstant="2024-04-12T17:49:38.163Z" Version="2.0">
  <Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    https://your-app.com/
  </Issuer>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <dsig:Reference URI="#ID_a8959540-36c7-4620-9149-164f712d94c2">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>
          here goes the digest value
        </dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>
      redacted
    </dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:KeyValue>
        <dsig:RSAKeyValue>
          <dsig:Modulus>
            ...
          </dsig:Modulus>
          <dsig:Exponent>
            AQAB
          </dsig:Exponent>
        </dsig:RSAKeyValue>
      </dsig:KeyValue>
    </dsig:KeyInfo>
  </dsig:Signature>
  <NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
    user@email.com
  </NameID>
  <samlp:SessionIndex>
    the session ID that identifies the user
  </samlp:SessionIndex>
</samlp:LogoutRequest>
- The browser follows the redirect and requests the IdP’s SLO URL.
- The IdP identifies the other apps/SPs that support SLO and were accessed by the end user during the current login session via Single Sign-On. This is done with the help of the SessionIndex present on the SAML logout request. Then, for each participating app/SP, the IdP performs the following steps:
- Generates a new, digitally signed Logout Request.
- Redirects the user’s browser to the SLO endpoint of that SP.
- Waits for a Logout Response from the SP through the user’s browser.
- Each SP terminates the end user’s login session upon receiving and validating the Logout Request from the IdP.
- The IdP terminates its own login session and sends a final Logout Response message to the initiating SP, matching the original Logout Request from step 1.
- The SP displays a logout page for the end user.
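The following Python example is added here to make the first steps of the flow above concrete; it is not Auth0 code and not part of the original article. It builds the SP's LogoutRequest with the Issuer, NameID and SessionIndex elements shown in the example above, wraps it in the HTTP-Redirect binding (DEFLATE, base64, query string) to produce the URL the browser is redirected to, and then shows the receiving side parsing the request and checking that its Destination matches the endpoint that actually received it, which is the check that turns a request sent to the wrong URL into a clear error rather than a silent mismatch. The endpoint and issuer values are the article's placeholders; the session index and request id are constructed sample values; the XML signature block is deliberately omitted (signing and signature verification need an XML-DSig library, which the standard library lacks, and are assumed to happen around these functions).

```python
import base64
import urllib.parse
import uuid
import zlib
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # for untrusted input in production, parse with defusedxml instead

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Placeholders taken from the article; a real tenant substitutes its Auth0
# domain and the client_id of the application that has the SAML add-on.
IDP_SLO_URL = "https://YOUR_DOMAIN/samlp/CLIENT_ID/logout"
SP_ISSUER = "https://your-app.com/"


def build_logout_request(destination, issuer, name_id, session_index,
                         request_id=None, issue_instant=None):
    """Return the (unsigned) LogoutRequest XML an SP sends to the IdP SLO endpoint."""
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    if issue_instant is None:
        now = datetime.now(timezone.utc)
        issue_instant = now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    root = ET.Element(f"{{{NS_SAMLP}}}LogoutRequest", {
        "ID": request_id or "id" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,   # the IdP's SLO URL, repeated inside the message
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{NS_SAML}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"}).text = name_id
    # SessionIndex is what lets the IdP find the SSO session and the other SPs in it.
    ET.SubElement(root, f"{{{NS_SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def redirect_url(slo_url, xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 => raw deflate, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    sep = "&" if "?" in slo_url else "?"
    return slo_url + sep + urllib.parse.urlencode(params)


def decode_redirect_request(url):
    """Reverse of redirect_url: recover the LogoutRequest XML from the query string."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def parse_logout_request(xml_text, expected_destination):
    """What the receiving SLO endpoint does with the message (signature check assumed done elsewhere).

    Rejects a request whose Destination is not this endpoint and pulls out the
    fields the IdP needs to locate the session: Issuer, NameID and SessionIndex.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    destination = root.get("Destination")
    if destination != expected_destination:
        raise ValueError(f"Destination {destination!r} does not match this endpoint {expected_destination!r}")
    issuer = root.findtext(f"{{{NS_SAML}}}Issuer")
    name_id = root.findtext(f"{{{NS_SAML}}}NameID")
    session_index = root.findtext(f"{{{NS_SAMLP}}}SessionIndex")
    if not (issuer and name_id and session_index):
        raise ValueError("Issuer, NameID and SessionIndex are all required for SLO")
    return {
        "id": root.get("ID"),
        "issuer": issuer.strip(),
        "name_id": name_id.strip(),
        "session_index": session_index.strip(),
    }


if __name__ == "__main__":
    # Constructed sample values for the demo run.
    req = build_logout_request(IDP_SLO_URL, SP_ISSUER, "user@email.com", "sess-0123")
    url = redirect_url(IDP_SLO_URL, req, relay_state="/after-logout")
    print("302 Location:", url)
    print(parse_logout_request(decode_redirect_request(url), IDP_SLO_URL))
```

Running the script prints the Location header an SP would emit and the fields the endpoint extracts; calling parse_logout_request with a different expected endpoint raises, which is the behaviour you want when a request lands on a URL other than the one it was addressed to.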
Related References
- Read the following article for a complete understanding of how Auth0 addresses SLO: Federated Logout and Single Logout (SLO)