How SAML SLO Works

Problem statement

This article addresses the situation in which the Federated Logout results in:

Not found.


Posting the SAML logout request to https://YOUR_DOMAIN/samlp/CLIENT_ID/logout should be enough. But here’s a description of how this flow works so that you understand the underlying processes.

NOTE: The following description applies to the Service Provider (SP) initiated Single Logout (SLO) when Auth0 is acting as the Identity Provider.

  1. The initiating Service Provider (One of your Apps) generates a digitally signed Logout Request SAML message and sends it to the IdP’s SLO endpoint, which is a dedicated URL designed to receive SLO messages. When Auth0 is acting as the SAML IdP (In other words, you are using the SAML add on), this endpoint is: https://YOUR_DOMAIN/samlp/CLIENT_ID/logout. This URL is also appended to the Logout Request. This complete URL is returned to the user’s browser through a 302 HTTP redirection response. Here’s an example of a SAML logout request:
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Destination="[https://YOUR_DOMAIN/samlp/CLIENT_ID/logout](https://your_domain/samlp/CLIENT_ID/logout)" ID="id....." IssueInstant="2024-04-12T17:49:38.163Z" Version="2.0">
<Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<dsig:Signature xmlns:dsig="[">](;
<dsig:CanonicalizationMethod Algorithm="["/>](;
<dsig:SignatureMethod Algorithm="["/>](;
<dsig:Reference URI="#ID_a8959540-36c7-4620-9149-164f712d94c2">
<dsig:Transform Algorithm="["/>](;
<dsig:Transform Algorithm="["/>](;
<dsig:DigestMethod Algorithm="["/>](;
here goes the digest value
<dsig:Modulus> ...
<NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
the session ID that identifies the user
  1. The browser follows the redirect and requests the IdP’s SLO URL.
  2. The IdP identifies the other Apps/SPs that support SLO and were accessed by the end-user during the current login session via Single Sign-On. This is performed with the help of the present on the SAML logout request. Then, for each participating App/SP, the IdP performs the following steps:
  3. Generates a new, digitally signed Logout Request.
  4. Redirects the user’s browser to the SLO endpoint of that SP.
  5. Waits for a Logout Response from the SP through the user’s browser.
  6. Each SP terminates the end user’s login session upon receiving and validating the Logout Request from the IdP.
  7. The IdP terminates its own login session and sends a final Logout Response message to the initiating SP, matching the original Logout Request from step 1.
  8. The SP displays a logout page for the end user.

Related References