Notifying clients/service providers of session invalidation/expiration

I’m looking to determine the extent to which Auth0 has the capability to notify service providers of session expiration/invalidation. Also, I’m curious whether it makes sense to mix JWT and SAML based authentication strategies in some cases. I understand Auth0 supports SLO for SAML service providers, which I understand to mean other SAML service providers will be notified of a logout request (if configured on Auth0 and supported by the service provider). That said, I believe what I’m looking for boils down to these questions:

• If other non-SAML clients perform a logout, will the SAML service providers still be notified?
• If a user’s session expires or the user performs a password reset, does Auth0 support notifying the service providers so they can require the user to reauthenticate?

Hi,

Thank you for reaching out. The SAML logout options available when Auth0 is the IdP is documented here.

OIDC clients should be calling the logout endpoint, e.g. https://YOUR_DOMAIN/v2/logout This doesn’t initiate a SAML logout sequence for other Service providers. Similarly unfortunately, the expired sessions or password reset don’t initiate a SAML logout sequence.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.