I have an SPA application using Auth0 as Identity Provider using OAuth2 (with bearer jwt tokens) with Implicit Grant Flow. In the SPA is embedded (iframe) an external SPA (both are different application in Auth0 configuration) which uses Auth0 with SAML2.0. Single Logout is configured in the second SPA and Auth0.
SSO works fine.The first SPA redirects the user Auth0 login page, which return a token for the back-end and sets a Auth0 session cookie. When the external SPA is called, it redirects to Auth0 with the previously the Auth0 session cookie, and Auth0 returns the SAML token. User can then interact with the second SPA.
SLO doesn’t seems to work. When the first SPA (OAuth2) asks Auth0 to logout, the Auth0 cookie is expired but logout callback of the second SPA (SAML2) is not called.
A i missing something in Auth0 configuration or isn’t this case (SLO with mixed protocol OAuth2/SAML) not supported (in which case i programmatically call the SAML logout callback).
Thanks for advices.