Configure SAML SLO for Auth0 (SP) and Okta (IDP)

Overview

When a user logs out of an application where Okta is the Security Assertion Markup Language (SAML) Identity Provider (IDP), only the application session ends by default: the Okta IDP session remains active, so the user can re-enter the application without authenticating again. This article provides steps to configure Single Logout (SLO) when Auth0 is the Service Provider (SP) and Okta is the IDP, so that logging out of the application also ends the Okta session.

Applies To
  • Okta

  • Auth0

  • Security Assertion Markup Language (SAML)

  • Single Logout (SLO)

Cause

SAML connections in Okta support SLO, but the settings must be configured on the Okta application for SLO to be enabled.


Solution

Before beginning, ensure the following prerequisites are met:

  • Download the SAML signing certificate from Auth0 (available in the SAML connection settings under the Sign Request option).

    • NOTE: This is a different certificate than the regular tenant certificate. It belongs to the SAML connection, and Okta uses it to verify the signature on logout requests that Auth0 initiates, so uploading the tenant certificate instead will cause Okta to reject those requests.

  • Obtain the entity ID of the Auth0 connection (e.g., urn:auth0:<tenant>:<connection>).

(Screenshot: Sign Request option)

Okta Configuration

  1. In the Okta dashboard, go to Applications > Applications.
  2. Select the target Okta application.
  3. Select the General tab.
  4. Scroll down to SAML Settings and click Edit.
  5. On the General Settings screen, click Next.
  6. Scroll down and click Show Advanced Settings.
  7. In the SLO configuration settings:
     • Select the Allow application to initiate Single Logout checkbox.
     • Enter the Auth0 logout endpoint as the Single Logout URL: https://<tenant>.auth0.com/logout?client_id=<client_ID>&returnTo=<redirect_URL>.
       • The returnTo parameter must map to a URL in the Auth0 application's Allowed Logout URLs. If client_id is not specified, Auth0 checks returnTo against the Allowed Logout URLs set at the tenant level instead, so those must be configured in that case.
       • NOTE: /v2/logout is not used for this function. /logout is used, as it supports a POST with a SAML response.
     • Enter the entity ID into the SP Issuer field.
     • Upload the SAML signing certificate downloaded from Auth0 as the Signature Certificate.
  8. Scroll down, click Next, and then click Finish.

(Screenshots: SSO URL, Show Advanced Settings option, SLO URL)


Get Okta Logout Endpoint

  1. Navigate to the Sign On tab and scroll to SAML Signing Certificates.
  2. Click View SAML setup instructions.
  3. Copy the Identity Provider Single Logout URL.
     NOTE: This URL should match the Okta Identity Provider Single Sign-On URL but end with /slo/saml instead of /sso/saml.

(Screenshots: SAML Signing Certificates, IDP SLO URL)

Auth0 Configuration

  1. In the Auth0 SAML connection settings, select Enable Sign Out.
  2. Paste the Identity Provider Single Logout URL copied from Okta into the Sign Out URL field and save the connection.
  3. Test the SLO configuration: log in to the application through Okta, log out, and confirm that the Okta session has also ended (re-opening the application should prompt for Okta credentials again).

(Screenshot: Sign Out URL)
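The following script is an added illustration and is not Auth0 or Okta code. It checks the values produced by the steps above: it derives the Okta Identity Provider Single Logout URL from the Single Sign-On URL, builds the Auth0 /logout URL while refusing a returnTo that is not one of the Allowed Logout URLs, and parses a LogoutResponse of the kind Okta POSTs to that endpoint to confirm the issuer, Destination, InResponseTo and status. The Okta domain, application IDs, Auth0 tenant domain, client ID and the LogoutResponse message are all constructed sample values; signature verification is left out here (Auth0 performs it with the Okta signing certificate configured on the connection).

```python
"""Sanity checks for an Auth0 (SP) / Okta (IdP) SAML Single Logout setup.

Added example, not Auth0 or Okta code. All hostnames, IDs and the SAML
message below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlencode, urlsplit, urlunsplit
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def okta_slo_url_from_sso(sso_url: str) -> str:
    """Derive the Okta IdP Single Logout URL from its Single Sign-On URL.

    Okta's SLO endpoint is the SSO endpoint with /sso/saml replaced by /slo/saml.
    Anything that is not an https .../sso/saml URL is rejected rather than guessed.
    """
    parts = urlsplit(sso_url)
    if parts.scheme != "https" or not parts.path.endswith("/sso/saml"):
        raise ValueError(f"not an Okta SAML SSO URL: {sso_url}")
    path = parts.path[: -len("/sso/saml")] + "/slo/saml"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def auth0_logout_url(tenant_domain: str, return_to: str,
                     allowed_logout_urls: list, client_id: Optional[str] = None) -> str:
    """Build the Auth0 /logout URL to paste into Okta's Single Logout URL field.

    returnTo must be one of the Allowed Logout URLs (the application's when
    client_id is given, the tenant's otherwise). This uses an exact match, which
    is stricter than Auth0's own matching, so it never accepts a URL Auth0 would
    reject. The /logout endpoint (not /v2/logout) is used on purpose: it accepts
    the POSTed SAML LogoutResponse.
    """
    if return_to not in allowed_logout_urls:
        raise ValueError(f"returnTo {return_to!r} is not an Allowed Logout URL")
    params = {**({"client_id": client_id} if client_id else {}), "returnTo": return_to}
    return f"https://{tenant_domain}/logout?{urlencode(params)}"


def parse_logout_response(xml_text: str) -> dict:
    """Extract the fields the SP checks on the LogoutResponse Okta POSTs to /logout.

    Signature verification is deliberately out of scope here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        raise ValueError(f"unexpected root element {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "status": status.get("Value") if status is not None else None,
    }


def logout_response_ok(xml_text: str, expected_issuer: str,
                       expected_destination: str, request_id: str) -> bool:
    """True only if the response is from the expected IdP, targets our /logout
    endpoint, answers the LogoutRequest we sent, and reports success."""
    r = parse_logout_response(xml_text)
    return (r["issuer"] == expected_issuer
            and r["destination"] == expected_destination
            and r["in_response_to"] == request_id
            and r["status"] == STATUS_SUCCESS)


# --- constructed sample values (not real tenants or applications) -----------
OKTA_SSO_URL = "https://example.okta.com/app/example_auth0_1/exk1abc2def3/sso/saml"
OKTA_ISSUER = "http://www.okta.com/exk1abc2def3"
AUTH0_TENANT = "example-tenant.us.auth0.com"
APP_ALLOWED_LOGOUT_URLS = ["https://app.example.com/logged-out"]

LOGOUT_URL = auth0_logout_url(AUTH0_TENANT, "https://app.example.com/logged-out",
                              APP_ALLOWED_LOGOUT_URLS, client_id="abc123")

# The Destination attribute carries the configured SLO URL, whose '&' must be
# XML-escaped; ElementTree unescapes it again on parse.
SAMPLE_LOGOUT_RESPONSE = f"""<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="id-resp-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{escape(LOGOUT_URL, {'"': '&quot;'})}" InResponseTo="id-req-1">
  <saml:Issuer>{OKTA_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
</samlp:LogoutResponse>"""

if __name__ == "__main__":
    print("Okta SLO URL:", okta_slo_url_from_sso(OKTA_SSO_URL))
    print("Auth0 logout URL:", LOGOUT_URL)
    print("LogoutResponse accepted:",
          logout_response_ok(SAMPLE_LOGOUT_RESPONSE, OKTA_ISSUER, LOGOUT_URL, "id-req-1"))
```

Run it as-is to see the derived URLs, or feed `parse_logout_response` the decoded SAMLResponse from a captured logout POST to check which of the four fields differs when SLO fails.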
