
SAML SLO - ReturnTo Query Parameter & HTTP Post

saml
logoutrequest
logoutresponse
slo

#1

When sending a LogoutRequest to Auth0, a query parameter needs to be appended to the URL to define where to redirect to once the logout has been completed (doc). The redirect URL is then used to HTTP-POST the LogoutResponse back to the SP.

From my limited understanding of this profile, an HTTP-Redirect binding should be used to request a logout (providing the IdP with the opportunity to destroy any client-side state), and then the IdP should also use the HTTP-Redirect binding once completed. 3.4.8 Example SAML Message Exchange Using HTTP Redirect documents this interaction.

The SAML Profiles document also states (under the heading Identity Provider issues to Session Participant):

In step 5, the identity provider issues a message to the original requesting session participant. The response may be returned directly to the session participant or indirectly through the user agent (if consistent with the form of the request in step 1)

It doesn’t seem to state where the redirect URL should be retrieved from, but I would have thought it would have been defined either within a federation or within an individual entity descriptor file that would be served by the SP.

The Auth0 implementation confuses my understanding of the protocol, and I would like to clarify whether this design is to avoid the complexities of federations and entity descriptor files, or a lack of understanding of the protocol on my part.

Some clarity around using an HTTP-POST vs an HTTP-Redirect binding when sending a logout response would also be interesting, as it seems not to follow the standard.
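The exchange discussed above, as an added example that is not part of the original post and not Auth0's implementation: the SP sends a LogoutRequest over the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode, per SAML Bindings 3.4.4.1), a simulated IdP answers with a LogoutResponse over the HTTP-POST binding (base64 only), and the SP validates InResponseTo, Destination and Status before tearing down its session. The IdP side looks the SP's logout endpoint up from a pre-registered metadata table keyed by Issuer rather than from any returnTo-style parameter on the request. All endpoint URLs, entity IDs and the SP_REGISTRY table are assumptions made for this example; messages are unsigned, and the signature checks a real deployment needs (XML-DSig on the POST message, query-string signature on the Redirect message) are deliberately left out.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical endpoints and entity IDs (assumptions for this example, not real Auth0 values).
IDP_ENTITY_ID = "https://idp.example.com/"
IDP_SLO_URL = "https://idp.example.com/samlp/slo"
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_SLO_URL = "https://sp.example.com/saml/slo"

# Stand-in for SP metadata (SingleLogoutService Location) registered at the IdP.
# The IdP posts the LogoutResponse only here, never to a URL supplied on the request.
SP_REGISTRY = {SP_ENTITY_ID: SP_SLO_URL}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(name_id, session_index):
    """SP side: build an (unsigned) LogoutRequest; returns (ID, xml)."""
    req_id = "_" + uuid.uuid4().hex
    xml = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{_now()}" Destination="{IDP_SLO_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f"<saml:NameID>{name_id}</saml:NameID>"
        f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )
    return req_id, xml


def to_redirect_url(xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw deflate
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{IDP_SLO_URL}?{urlencode(params)}"


def from_redirect_url(url, param="SAMLRequest"):
    """Inverse of to_redirect_url: URL-decode, base64-decode, inflate."""
    query = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(query[param][0]), -15).decode("utf-8")


def idp_handle_logout_request(url):
    """Simulated IdP: decode the Redirect-bound request, reply with a POST-bound
    LogoutResponse. Returns (target_url, SAMLResponse form value)."""
    root = ET.fromstring(from_redirect_url(url))  # use defusedxml in production
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("expected a LogoutRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    target = SP_REGISTRY[issuer]  # KeyError for an unregistered SP: refuse to answer
    resp_xml = (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_now()}" '
        f'InResponseTo="{root.get("ID")}" Destination="{target}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
        "</samlp:LogoutResponse>"
    )
    # HTTP-POST binding: base64 only, no DEFLATE; carried in a SAMLResponse form field.
    return target, base64.b64encode(resp_xml.encode("utf-8")).decode("ascii")


def sp_validate_logout_response(form_value, expected_request_id):
    """SP side: checks to run before destroying the local session.
    Returns (ok, reason). Signature verification is omitted (see lead-in)."""
    root = ET.fromstring(base64.b64decode(form_value))  # use defusedxml in production
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        return False, "not a LogoutResponse"
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match our outstanding LogoutRequest"
    if root.get("Destination") not in (None, SP_SLO_URL):
        return False, "Destination is not this SP's SLO endpoint"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        return False, "IdP did not report Success"
    return True, "ok"


def slo_round_trip(name_id="alice@example.com", session_index="_sess1"):
    """Full exchange: Redirect-bound request out, POST-bound response back, validated."""
    req_id, req_xml = build_logout_request(name_id, session_index)
    url = to_redirect_url(req_xml, relay_state="post-logout-page")
    target, form_value = idp_handle_logout_request(url)
    ok, reason = sp_validate_logout_response(form_value, req_id)
    return target, ok, reason


if __name__ == "__main__":
    print(slo_round_trip())
```

The two bindings differ in more than compression: a Redirect-bound message is signed over the `SAMLRequest`/`SAMLResponse`, `RelayState` and `SigAlg` query parameters, while a POST-bound message carries an XML-DSig inside the document, so an SP that accepts the LogoutResponse over POST must verify the enveloped signature and should also check the Destination attribute against its own endpoint, as above.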

