Tell Auth0 All your thoughts about Rules & Hooks

It seems error messages are becoming a bit of a theme here. :sweat_smile:

With our rules, when a user isn’t authorized, we redirect them to an external error page. We do that because we don’t want each of our applications to have to handle errors themselves. That means, however, that those users will still be logged in to an Auth0 SSO session. For a lot of errors, that’s fine. If you’re not allowed to access Application A, you shouldn’t be entirely kicked out of your SSO session. However, with some errors (like “please verify your email first”), that results in users entering an endless loop: we can’t allow them to log in, but we don’t have a way to log them out either.

It would be great if either (or both :innocent:):

  1. We could force an SSO session to end from within a rule
  2. We could throw error pages from within rules, instead of redirecting users to the application with an `error` and `error_description`.