Signout operation not signing out completely

The signon operation is working fine, however we have some issues with our logout operation.

The workflow of signin and signout operation is as follows

  1. User navigates to a page appUrl/external-login. It redirects the user to Auth0 universal login and from there to IdP for authenticating user.
  2. Once user is authenticated we authorize API using access token and redirect user to relevant pages based on their roles.
  3. On logout button click event, we fire AuthService.logout() and clear all application level session and cache data.
  4. User is redirected to appUrl/external-login page and user is displayed the auth0 Universal login page
  5. When user enters his/her email, then user is directly logged in without navigating to IdP.

We tried to add federated option in logout method as following and in the saml enterprise connection checked the Enable Sign Out option to enable to logout from IdP as well. However this also doesn’t seem to have any effect.

this.auth.logout({federated: true, client_id: 'xyz'});

I tried to find out how to delete the auth0 session cookie, but didn’t find any reference. On tenant settings I do see setting Session Cookie Mode to Non-persistent session, but it seems to invalidate a session cookie when the browser is closed. How to invalidate when user clicks on logout button?

Hi @krishnas,

Welcome to Auth0 Community!

In addition to including the federated parameter in the logout request, there are a few other steps to configure Single Logout.

You may need to configure additional settings for the SAML connection to ensure that Auth0 sends the logout request to the SAML IdP’s logout endpoint:

  1. Go to Auth0 Dashboard > Authentication > Enterprise > SAML and select your connection.
  2. Toggle on Enable Sign Out.
  3. Enter the SAML Logout URL provided by the SAML IdP in the Sign Out URL field. If you leave this field blank, Auth0 will default to the URL in the Sign In URL field.
  4. Confirm that the value in the Protocol Binding field matches the protocol binding expected by the SAML IdP.

Would you try checking with the IdP that the Sign Out URL is the correct one, and that the Protocol Binding is the same as what the IdP is expecting?

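Added example, not part of the original thread or Auth0's own code: a check over a captured logout redirect chain that tests the points from the reply above (the `federated` parameter, the IdP Sign Out URL, and the protocol binding). It assumes Auth0's `/v2/logout` endpoint and the standard SAML `SAMLRequest` parameter; `checkFederatedLogout`, the config keys, and all hostnames and trace entries are hypothetical.

```javascript
// Added diagnostic sketch. Hostnames, client_id and trace entries are constructed.
// Each trace entry is { method, url, formFields? } copied from the browser network tab.
function checkFederatedLogout(trace, cfg) {
  const findings = [];
  const reqs = trace.map((r) => ({ ...r, u: new URL(r.url) }));

  // 1. The app must hit Auth0's /v2/logout with the `federated` parameter.
  const i = reqs.findIndex(
    (r) => r.u.hostname === cfg.auth0Domain && r.u.pathname === '/v2/logout');
  if (i === -1) return ['no request to Auth0 /v2/logout'];
  if (!reqs[i].u.searchParams.has('federated')) {
    findings.push('/v2/logout called without the federated parameter');
  }

  // 2. Auth0 must then send the browser to the connection's Sign Out URL.
  const slo = new URL(cfg.idpSignOutUrl);
  const idpReq = reqs.slice(i + 1).find(
    (r) => r.u.origin === slo.origin && r.u.pathname === slo.pathname);
  if (!idpReq) return findings.concat('IdP Sign Out URL was never requested');

  // 3. The SAMLRequest must arrive in the binding the IdP expects.
  const fields = idpReq.formFields || {};
  let used = null;
  if (idpReq.method === 'GET' && idpReq.u.searchParams.has('SAMLRequest')) used = 'HTTP-Redirect';
  if (idpReq.method === 'POST' && fields.SAMLRequest) used = 'HTTP-POST';
  if (!used) findings.push('request to IdP carried no SAMLRequest');
  else if (used !== cfg.expectedBinding) {
    findings.push(`sent via ${used} but IdP expects ${cfg.expectedBinding}`);
  }
  return findings;
}

// Constructed configuration and traces (placeholders, not values from the thread).
const CFG = {
  auth0Domain: 'tenant.example.com',
  idpSignOutUrl: 'https://idp.example.org/saml/logout',
  expectedBinding: 'HTTP-Redirect',
};
const TRACE_OK = [
  { method: 'GET', url: 'https://tenant.example.com/v2/logout?federated&client_id=xyz' },
  { method: 'GET', url: 'https://idp.example.org/saml/logout?SAMLRequest=PLACEHOLDER' },
];
const TRACE_LOCAL_ONLY = [
  { method: 'GET', url: 'https://tenant.example.com/v2/logout?client_id=xyz' },
  { method: 'GET', url: 'https://app.example.com/external-login' },
];

console.log(checkFederatedLogout(TRACE_OK, CFG));         // no findings
console.log(checkFederatedLogout(TRACE_LOCAL_ONLY, CFG)); // two findings
```

An empty result means the IdP was asked to end its session; if the user is still logged in silently after that, the remaining question is whether the IdP honoured the request.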
