Auth0 SLO for Applications Using Different Protocols: OpenID and SAML

Overview

This article clarifies the behavior of single logout when using different authentication protocols for multiple portals. The scenario involves one portal using OpenID Connect (OIDC) and another using Security Assertion Markup Language (SAML). While single sign-on functions correctly, logging out of one portal does not terminate the session in the other, even when Single Logout (SLO) is enabled in the SAML configuration.

Applies To
  • Auth0
  • OpenID Connect (OIDC)
  • Security Assertion Markup Language (SAML)
  • Single Logout (SLO)

Cause

When a user logs out from a SAML portal, the system initiates the SAML SLO process for other SAML applications but does not automatically notify OIDC portals to terminate the session. The same behavior occurs in reverse. The two protocols use different methods for handling logout, and the system does not automatically bridge these protocols for logout events.

Solution

To achieve consistent single logout behavior, the simplest approach is to use the SAML protocol for both portals with SLO enabled. Review Federated Logout and Single Logout (SLO) for more information on the SAML SLO process.

If different protocols are required, a solution must be implemented at the application level to accommodate these variations. Here are three alternatives:

Central Logout Endpoint

Create a central logout page in the application. When a user initiates a logout from either portal:

  1. Redirect the user to the central logout endpoint.
  2. This endpoint will then be responsible for logging the user out of both the SAML and OpenID Connect sessions with Auth0.
  3. Use hidden iframes on this page to call the logout URLs for each of the portals, ensuring their local sessions are also destroyed.

Short-Lived Sessions and Frequent Checks

Another strategy is to configure the applications to have short session timeouts. Periodically check with Auth0 via a background mechanism to verify if the user's session remains active.

If the Auth0 session has been terminated (because the user logged out from the other portal), the application would then terminate its own session.

Back-Channel Logout

This feature requires an Enterprise-level subscription. The application must expose a Back-Channel Logout URI reachable from the tenant server to receive requests containing a Logout Token. The application then clears the local session state matching the claims in the token using a shared session identifier (sid). Refer to the official documentation for Back-Channel Logout.
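As an added example (not Auth0's code, and not taken from its documentation), a minimal back-channel logout receiver in Python: it verifies the logout token's signature and the claims such a token must carry (issuer, audience, iat, the backchannel-logout event, no nonce, a sid or sub), then clears every local session whose sid matches. The issuer, client id and session store are placeholders; for offline use the token is HS256-signed with a constructed shared secret, whereas a real tenant's logout token is signed with the tenant's key (typically RS256) and must be verified with the tenant's published signing keys.

```python
import base64, hashlib, hmac, json, time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
ISSUER = "https://YOUR_TENANT.auth0.com/"  # placeholder tenant issuer, not a real one
CLIENT_ID = "YOUR_CLIENT_ID"               # placeholder client id
SECRET = b"constructed-demo-secret"        # demo HS256 key; verify real tokens with tenant keys

# Local session store keyed by the app's own session cookie (constructed data).
SESSIONS = {"cookieA": {"sub": "auth0|user1", "sid": "sid-123"},
            "cookieB": {"sub": "auth0|user1", "sid": "sid-999"}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_logout_token(sid: str, sub: str, secret: bytes = SECRET) -> str:
    """Build a logout token the way the provider would (constructed demo input)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "iat": int(time.time()), "jti": "jti-1",
              "sub": sub, "sid": sid, "events": {BACKCHANNEL_EVENT: {}}}
    body = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return body + "." + _b64url(hmac.new(secret, body.encode(), hashlib.sha256).digest())

def validate_logout_token(token: str, secret: bytes = SECRET) -> dict:
    """Verify the signature and the claims a logout token must carry; raise on failure."""
    h, c, s = token.split(".")
    expected = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID or "iat" not in claims:
        raise ValueError("wrong issuer or audience, or missing iat")  # jti replay tracking omitted
    if BACKCHANNEL_EVENT not in claims.get("events", {}):
        raise ValueError("not a back-channel logout event")
    if "nonce" in claims:  # a logout token must never carry a nonce
        raise ValueError("nonce present")
    if "sid" not in claims and "sub" not in claims:
        raise ValueError("sid or sub required")
    return claims

def handle_backchannel_logout(token: str) -> list:
    claims = validate_logout_token(token)
    key = "sid" if "sid" in claims else "sub"  # prefer the shared session id, else the user
    cleared = [k for k, v in SESSIONS.items() if v.get(key) == claims[key]]
    for k in cleared:
        del SESSIONS[k]
    return cleared  # cookies whose local session was destroyed
```

A token forged with another key, carrying a nonce, or lacking the backchannel-logout event is rejected before any session is touched.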
