Auth0 SAML SLO Logout Request Fails Due to NameID Case Sensitivity

Overview

Auth0 fails to process a SAML Single Log-Out (SLO) request when the Service Provider (SP) sends the NameID property in a different case than the value Auth0 stores. This occurs because Auth0 does not support case insensitivity for SAML attributes, which prevents Auth0 from identifying the correct user. To resolve the issue, adjust the Identity Provider (IdP) configuration to send the NameID in the correct case, or intercept the SAML login process to force a lowercase NameID.

Applies To
  • Auth0
  • Security Assertion Markup Language (SAML) Single Log-Out (SLO)
  • NameID Attribute
  • Identity Provider (IdP)
  • Service Provider (SP)

Cause

The error occurs because the SAML SP sends the NameID property of the SAML logout request in a different case than the value Auth0 stores. Auth0 cannot identify the user that initiated the request because Auth0 does not support case insensitivity for SAML attributes.

Solution

How is the NameID case sensitivity issue resolved?

Adjust the SP configuration to match the Auth0 NameID casing, or configure Auth0 to force a lowercase NameID during the login process.

  1. Review the IdP SAML configuration.
  2. Adjust the configuration so the SP sends the NameID property (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) in the exact case Auth0 stores.
  3. Alternatively, intercept the SAML logout request and force the NameID to be lowercase before it is sent forward to Auth0.
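
To confirm that a failing logout is a case-only mismatch before changing any configuration, the following added example (not Auth0's code) decodes a captured SAMLRequest parameter and compares its NameID with the stored value. The sample request, the stored NameID and all function names are constructed for illustration; the stored value is assumed to have been read from the user's profile.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_request(value, redirect_binding=True):
    """Decode a captured SAMLRequest parameter (already URL-decoded) to XML text."""
    raw = base64.b64decode(value)
    if redirect_binding:
        raw = zlib.decompress(raw, -15)  # HTTP-Redirect binding: raw DEFLATE, no header
    return raw.decode("utf-8")

def logout_name_id(xml_text):
    """Return the NameID text of a LogoutRequest, or None if it carries none."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not expected in a SAML message")
    root = ET.fromstring(xml_text)
    if not root.tag.endswith("}LogoutRequest"):
        raise ValueError("not a SAML LogoutRequest")
    node = root.find("saml:NameID", SAML_NS)
    return node.text.strip() if node is not None and node.text else None

def classify(sent, stored):
    """Compare the NameID the SP sent with the stored value."""
    if sent is None:
        return "missing"
    if sent == stored:
        return "match"
    if sent.casefold() == stored.casefold():
        return "case-mismatch"  # the failure this article describes
    return "different"

def diagnose(saml_request, stored, redirect_binding=True):
    xml_text = decode_saml_request(saml_request, redirect_binding)
    return classify(logout_name_id(xml_text), stored)

# Constructed sample: a LogoutRequest as an SP would send it via HTTP-Redirect.
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://sp.example.com</saml:Issuer>"
    "<saml:NameID>Jane.Doe@Example.com</saml:NameID></samlp:LogoutRequest>"
)
_c = zlib.compressobj(wbits=-15)
SAMPLE_REQUEST = base64.b64encode(_c.compress(SAMPLE_XML.encode()) + _c.flush()).decode()
STORED_NAME_ID = "jane.doe@example.com"  # assumed value from the stored user profile

if __name__ == "__main__":
    print(diagnose(SAMPLE_REQUEST, STORED_NAME_ID))
```

For a request captured from the HTTP-POST binding, pass redirect_binding=False, since that binding base64-encodes the XML without compressing it.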
