SLO with mixed protocol OAuth2/SAML2


I have an SPA application using Auth0 as Identity Provider using OAuth2 (with bearer JWT tokens) with Implicit Grant Flow. In the SPA is embedded (iframe) an external SPA (both are different applications in the Auth0 configuration) which uses Auth0 with SAML 2.0. Single Logout is configured in the second SPA and Auth0.

SSO works fine. The first SPA redirects the user to the Auth0 login page, which returns a token for the back-end and sets an Auth0 session cookie. When the external SPA is called, it redirects to Auth0 with the previously set Auth0 session cookie, and Auth0 returns the SAML token. The user can then interact with the second SPA.

SLO doesn’t seem to work. When the first SPA (OAuth2) asks Auth0 to log out, the Auth0 cookie is expired but the logout callback of the second SPA (SAML2) is not called.

Am I missing something in the Auth0 configuration, or is this case (SLO with mixed protocol OAuth2/SAML) not supported (in which case I programmatically call the SAML logout callback)?

Thanks for the advice.


Hi Pierre. Auth0 currently supports SLO only for SAML, not in OIDC or in mixed protocol scenarios.

It is expected that support for OIDC SLO will arrive after the OpenID Connect Session Management 1.0 specification and the closely-related OpenID Connect Front-Channel Logout 1.0 and OpenID Connect Back-Channel Logout 1.0 specs transition from “draft” state to “Final”.

Hello Nicolas,

Thanks for your answer!

