Problem Statement
How do you set up SAML SLO between Auth0 (SP) and Okta (IdP)?
Solution
Getting things ready:
- Download SAML signing cert from Auth0
Note: This is different from your regular tenant certificate; make sure to download it from this link.
- Have your entity ID ready: urn:auth0::
OKTA CONFIGURATION:
SLO needs to be configured on the Okta side first so that Okta knows where to send the SAML LogoutResponse after logout is initiated by the SP.
In the Okta dashboard, go to Applications > Applications
- Select your Okta Application
- Click on the General tab
- Scroll down and click Edit under SAML Settings
- On the first screen (General Settings), click Next
- Scroll down and click Show Advanced Settings
- Scroll down and find the SLO config settings:
- Upload the certificate you downloaded from Auth0 in a previous step
- Check “Allow application to initiate Single Logout”
- Enter the correct Auth0 logout endpoint:
https://tenant.auth0.com/logout?client_id=<client ID>&returnTo=<redirect here after logout>
If you do not specify a client_id, you will need to set your Allowed Logout URLs at the Auth0 tenant level.
Be sure that the returnTo parameter above maps to a URL in your Auth0 application’s Allowed Logout URLs.
Note: /v2/logout is NOT USED for this; /logout is used because it supports a POST with a SAML response.
- Paste your entity ID into the SP Issuer field
- Scroll down and click Next and then click Finish
Get the Okta SAML Logout Endpoint:
- On the Sign-on tab, scroll down to SAML Signing Certificates
- Click View SAML setup instructions
- Copy the Identity Provider Single Logout URL
Note: This URL should match the Okta Single Sign-on URL but will end with /slo/saml instead of /sso/saml.
AUTH0 CONFIGURATION:
- In the SAML connection in Auth0, click Enable Sign Out
- Paste the IDP Single Logout URL you copied above from Okta
Your SLO configuration should now be complete.
Fire up your app and test SLO.
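When testing, it helps to inspect the LogoutResponse that Okta POSTs to the /logout endpoint (the SAMLResponse form field) and confirm it lines up with what was configured above: the Destination is the exact logout endpoint entered in Okta, the Issuer is your Okta IdP, the status is Success, and the returnTo in that endpoint is one of the application's Allowed Logout URLs. The script below is an added illustration for that check, not Auth0's or Okta's own code; the endpoint, issuer, allowed URLs and the embedded LogoutResponse are constructed placeholders, and it assumes Okta sets Destination to the configured SLO URL verbatim (signature verification is out of scope here).

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholders standing in for your configuration: the SLO endpoint entered in Okta
# and the Allowed Logout URLs of the Auth0 application (not real tenant data).
SLO_ENDPOINT = "https://tenant.auth0.com/logout?client_id=CLIENT_ID&returnTo=https://app.example.com/loggedout"
OKTA_ISSUER = "http://www.okta.com/exkPLACEHOLDER"
ALLOWED_LOGOUT_URLS = {"https://app.example.com/loggedout"}

# Constructed LogoutResponse, base64-encoded as it would arrive in the SAMLResponse field.
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:LogoutResponse
  xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="{SLO_ENDPOINT.replace('&', '&amp;')}" InResponseTo="_req1">
  <saml:Issuer>{OKTA_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
</samlp:LogoutResponse>""".encode()).decode()


def check_logout_response(saml_response_b64, expected_request_id="_req1"):
    """Return a list of problems; an empty list means the response matches our SLO config."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    if root.tag != f"{{{NS['samlp']}}}LogoutResponse":
        return ["not a LogoutResponse"]
    # Destination must be exactly the endpoint configured in Okta.
    dest = root.get("Destination", "")
    if dest != SLO_ENDPOINT:
        problems.append(f"unexpected Destination {dest!r}")
    # Issuer must be the Okta IdP this connection is federated with.
    if root.findtext("saml:Issuer", namespaces=NS) != OKTA_ISSUER:
        problems.append("unexpected Issuer")
    # InResponseTo ties the response to the LogoutRequest the SP actually sent.
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match our LogoutRequest")
    # Anything other than Success means the IdP session may still be alive.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("logout status is not Success")
    # The returnTo carried in the endpoint must be an Allowed Logout URL.
    return_to = parse_qs(urlparse(dest).query).get("returnTo", [""])[0]
    if return_to not in ALLOWED_LOGOUT_URLS:
        problems.append(f"returnTo {return_to!r} not in Allowed Logout URLs")
    return problems
```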