SAML SSO Logout Behaviour

I’m not a SAML expert so this may well be a user error issue…

We are using SAML SSO integration from AWS OpenDistro to Auth0. (I’m not sure if the AWS part is significant or not, from what I can tell AWS OpenDistro is making the calls to Auth0 I’d expect.)

We have two OpenDistro instances both using SAML, each setup as its own Auth0 Application, each with its own independent SAML configuration both in AWS and Auth0.

From a logged out position, login to one of the instances via an Auth0 redirect to hosted login page, with email/password.

Next navigate the browser to the second instance (its on a different subdomain), I get logged in silently as expect since I now have a session at Auth0s end.

Next logout from this second instance.

I would expect to be returned to the login page for this second instance where I have just clicked the logout button. But what actually happens is that I am redirected back to the first instance, the one against which I originally logged in. At which point I am also then silently logged back in to the first instance.

The api call to logout is suspicious in that it is sending back the incorrect ‘returnTo’ param in the url. If the original login was to the first instance, a logout from the second instance yields a returnTo for the first and vice-versa. It almost seems like the SAML provider metadata is cached on login and is causing this behaviour. I can see in the SAMLRequest during logout that the samlp:LogoutRequest is targeting the correct Auth0 client_id, but as I say the response contains the wrong returnTo param.

My question is, is this an expected behaviour of SAML or is there perhaps something either configured incorrectly or a potential cache issue?

I’m going to close this request.

I think digging into it further the actual problem is that I think AWS ElasticSearch (OpenDistro implementation) doesn’t actually support the SLO param correctly.

I think the confusing behaviour I was seeing was a misconfiguration I had in Auth0.

Got it! Let us know if you want to reopen it.