I’m looking to determine the extent to which Auth0 has the capability to notify service providers of session expiration/invalidation. Also, I’m curious whether it makes sense to mix JWT- and SAML-based authentication strategies in some cases. I understand Auth0 supports SLO for SAML service providers, which I understand to mean other SAML service providers will be notified of a logout request (if configured on Auth0 and supported by the service provider). That said, I believe what I’m looking for boils down to these questions:
- If other non-SAML clients perform a logout, will the SAML service providers still be notified?
- If a user’s session expires or the user performs a password reset, does Auth0 support notifying the service providers so they can require the user to reauthenticate?