How to set up SAML SLO between Auth0 (SP) and Okta (IDP)

Problem Statement

How do you set up SAML SLO between Auth0 (SP) and Okta (IDP)?

Solution

Getting things ready:

  • Download SAML signing cert from Auth0
    Note: This is different from your regular tenant certificate. Make sure to download from this link.
  • Have your entity ID ready: urn:auth0::

OKTA CONFIGURATION:

SLO needs to be configured on the Okta side first so that Okta knows where to send the SAML Response after logout is initiated by the SP.

In the Okta dashboard, go to Applications > Applications

  • Select your Okta Application
  • Click on the General tab
  • Scroll down and click Edit under SAML Settings
  • On the first screen (General Settings), click Next
  • Scroll down and click Show Advanced Settings
  • Scroll down and find the SLO config settings
  • Upload the certificate you downloaded from Auth0 in a previous step
  • Check “Allow application to initiate Single Logout”
  • Enter the correct Auth0 logout endpoint: https://tenant.auth0.com/logout?client_id=<client ID>&returnTo=<redirect here after logout>

If you do not specify a client_id, then you will need to set your Allowed Logout URLs at the Auth0 tenant level.

Be sure that the returnTo parameter above maps to a URL in your Auth0 application’s Allowed Logout URLs.

Note: /v2/logout is NOT USED for this; /logout is used because it supports a POST with a SAML response.

  • Paste your entity ID into the SP Issuer field
  • Scroll down and click Next and then click Finish

Get the Okta SAML Logout Endpoint:

  • On the Sign-on tab, scroll down to SAML Signing Certificates
  • Click View SAML setup instructions
  • Copy the Identity Provider Single Logout URL
    Note: This URL should match the Okta Single Sign-on URL but will end with /slo/saml instead of /sso/saml

AUTH0 CONFIGURATION:

  • In the SAML connection in Auth0, click Enable Sign Out
  • Paste the IDP Single Logout URL you copied above from Okta

Your SLO configuration should now be complete.

Fire up your app and test SLO.
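
Before testing in a browser, the values collected in the steps above can be sanity-checked offline. The script below is an added example, not part of the original article and not Auth0 or Okta code. The function names, client ID, returnTo URL and Okta URLs are constructed placeholders, and Allowed Logout URLs are compared by exact string match as a simplifying assumption.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

def build_logout_url(tenant_domain, client_id, return_to):
    """Build the Auth0 /logout URL that goes into Okta's Single Logout URL field."""
    query = urlencode({"client_id": client_id, "returnTo": return_to})
    return f"https://{tenant_domain}/logout?{query}"

def check_slo_config(logout_url, allowed_logout_urls, okta_sso_url, okta_slo_url):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    parts = urlsplit(logout_url)
    if parts.scheme != "https":
        findings.append("logout URL must use https")
    # /v2/logout is not used here; /logout accepts the POSTed SAML response.
    if parts.path != "/logout":
        findings.append(f"logout path is {parts.path!r}, expected '/logout'")
    params = parse_qs(parts.query)
    if "client_id" not in params:
        findings.append("no client_id: Allowed Logout URLs must be set at tenant level")
    return_to = params.get("returnTo", [None])[0]
    if return_to is None:
        findings.append("returnTo is missing")
    elif return_to not in allowed_logout_urls:
        # Assumption: exact string match against the configured list.
        findings.append(f"returnTo {return_to!r} is not in Allowed Logout URLs")
    # The Okta SLO URL should equal the SSO URL with /sso/saml -> /slo/saml.
    if not okta_sso_url.endswith("/sso/saml"):
        findings.append("Okta SSO URL does not end with /sso/saml")
    elif okta_slo_url != okta_sso_url[: -len("/sso/saml")] + "/slo/saml":
        findings.append("Okta SLO URL does not match the SSO URL with /slo/saml")
    return findings

if __name__ == "__main__":
    # Constructed sample values; replace with your own tenant and application data.
    return_to = "https://app.example.com/signed-out"
    url = build_logout_url("tenant.auth0.com", "CONSTRUCTED_CLIENT_ID", return_to)
    sso = "https://example.okta.com/app/example_app/exk000000/sso/saml"
    slo = "https://example.okta.com/app/example_app/exk000000/slo/saml"
    print(url)
    for finding in check_slo_config(url, [return_to], sso, slo) or ["all checks passed"]:
        print(finding)
```
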
