SAML SLO back-channel

I am trying to integrate our product with Auth0, but we are struggling with the LOGOUT feature.

SLO is configured and works properly. However, when a user is deactivated/removed/… in Auth0 administration, how can we react to it from the service provider side? Is it possible to call our SLO endpoint when such a change occurs?

Real-life example: a company administrator wants to revoke an employee's access to all products. He deactivates the user in Auth0 administration. Every product should be notified somehow that they should remove opened sessions with the user.

I read about back-channel support from the IdP side - is it supported in Auth0? Can Auth0 somehow contact our API when user deactivation happens?

Or should some other approach be adopted?

Thanks for your help.

No, as far as I’m aware the back-channel logout flow is not supported as part of the current SAML offering.

As an alternative, you could consider an approach that reacts based on the events sent to tenant logs; in other words, you could use log streaming to send tenant logs to your system, and in the part of the system to which you send the logs you could set up actions for certain events.

This would allow you to react to a user deletion event and proceed to perform the necessary actions across all of your systems.
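The receiving side of the log-streaming approach described in the answer above, added here as an example; it is not part of the original reply and not Auth0's own code. The payload shape (a JSON array of objects whose `data` field carries `type` and `user_id`), the `sdu` deletion event code, the shared-secret `Authorization` value and the `SessionStore` class are assumptions to check against your tenant's log stream configuration.

```python
import hmac
import json

# Assumption: log event type codes that must end local sessions.
# "sdu" stands for a user-deletion event here; confirm the codes your tenant emits.
REVOKING_EVENT_TYPES = {"sdu"}

class SessionStore:
    """Hypothetical in-memory stand-in for the service provider's session store."""
    def __init__(self):
        self._by_user = {}

    def create(self, user_id, session_id):
        self._by_user.setdefault(user_id, set()).add(session_id)

    def revoke_all(self, user_id):
        return len(self._by_user.pop(user_id, set()))

    def active(self, user_id):
        return set(self._by_user.get(user_id, set()))

def handle_log_batch(auth_header, body, expected_auth_value, store):
    """Process one log-stream delivery; return (http_status, revoked_session_count)."""
    # Authenticate the sender in constant time before parsing anything it sent.
    if not hmac.compare_digest((auth_header or "").encode(), expected_auth_value.encode()):
        return 401, 0
    try:
        events = json.loads(body)
    except json.JSONDecodeError:
        return 400, 0
    if not isinstance(events, list):
        return 400, 0
    revoked = 0
    for event in events:
        data = event.get("data") if isinstance(event, dict) else None
        if not isinstance(data, dict):
            continue  # skip malformed entries instead of failing the whole batch
        user_id = data.get("user_id")
        if data.get("type") in REVOKING_EVENT_TYPES and isinstance(user_id, str):
            # revoke_all is idempotent, so a redelivered batch is harmless.
            revoked += store.revoke_all(user_id)
    return 200, revoked

# Constructed sample delivery (not real tenant data).
SAMPLE_BODY = json.dumps([
    {"log_id": "constructed-1", "data": {"type": "s", "user_id": "auth0|alice"}},
    {"log_id": "constructed-2", "data": {"type": "sdu", "user_id": "auth0|bob"}},
])
```

Each product that holds its own sessions would run a receiver like this, or subscribe to one shared receiver that fans the revocation out.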