Notifying clients/service providers of session invalidation/expiration

I’m looking to determine the extent to which Auth0 has the capability to notify service providers of session expiration/invalidation. Also, I’m curious whether it makes sense to mix JWT and SAML-based authentication strategies in some cases. I understand Auth0 supports SLO for SAML service providers, which I understand to mean other SAML service providers will be notified of a logout request (if configured on Auth0 and supported by the service provider). That said, I believe what I’m looking for boils down to these questions:

  • If other non-SAML clients perform a logout, will the SAML service providers still be notified?
  • If a user’s session expires or the user performs a password reset, does Auth0 support notifying the service providers so they can require the user to reauthenticate?

Hi,

Thank you for reaching out. The SAML logout options available when Auth0 is the IdP are documented here.

OIDC clients should be calling the logout endpoint, e.g. https://YOUR_DOMAIN/v2/logout. This doesn’t initiate a SAML logout sequence for other service providers. Similarly, unfortunately, expired sessions or password resets don’t initiate a SAML logout sequence.
