Description
UAA Version: 77.10.0
As per my configuration, the identity zone “octopus” is configured with Auth0 as a SAML Identity Provider.
The Auth0 SAML metadata configured in the octopus identity zone includes a valid SingleLogoutService endpoint.
Current Behavior
When the user accesses the URL https://octopus.<uaa_domain>/logout.do from the browser, the following occurs:
- CF UAA clears the local session cookies.
- The user is redirected to: https://octopus.<uaa_domain>/login
- /login immediately initiates a new SAML authentication request to Auth0.
Problem
CF UAA does not trigger a SAML Single Logout (SLO) request to Auth0.
Even though the IdP metadata contains a SingleLogoutService endpoint, no SAML LogoutRequest is sent to Auth0 during /logout.do.
As a result:
- The session at Auth0 remains active.
- The user is immediately re-authenticated due to the existing IdP session.
- Proper federated logout does not occur.
Could you please clarify:
- Whether additional configuration is required to enable SAML SLO from UAA to the external IdP?
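One way to confirm the behaviour reported above from a captured browser redirect trace, as an added example that is not part of the original issue or of UAA's code: it lists the SingleLogoutService endpoints in the IdP metadata and decodes HTTP-Redirect binding messages to see whether any LogoutRequest was sent. The host names, metadata and trace are constructed, all function names are hypothetical, and only the Redirect binding is assumed (POST-binding messages do not appear in URLs).

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

def slo_endpoints(metadata_xml):
    """(Binding, Location) of every SingleLogoutService in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iter(MD + "SingleLogoutService")]

def saml_message_type(url):
    """Element name of the SAML message in an HTTP-Redirect URL, else None."""
    q = parse_qs(urlparse(url).query)
    raw = q.get("SAMLRequest") or q.get("SAMLResponse")
    if not raw:
        return None
    try:  # Redirect binding: base64 over raw DEFLATE (no zlib header)
        root = ET.fromstring(zlib.decompress(base64.b64decode(raw[0]), -15))
    except (ValueError, zlib.error, ET.ParseError):
        return None
    return root.tag[len(SAMLP):] if root.tag.startswith(SAMLP) else None

def logout_report(metadata_xml, redirect_urls):
    """Compare what the metadata advertises with what the browser trace shows."""
    types = [saml_message_type(u) for u in redirect_urls]
    return {"slo_advertised": bool(slo_endpoints(metadata_xml)),
            "saml_messages": [t for t in types if t],
            "logout_request_sent": "LogoutRequest" in types}

# --- constructed sample data (hypothetical hosts, trimmed metadata) ---
def make_redirect(base, xml):
    c = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
    return base + "?" + urlencode({"SAMLRequest": blob})

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="urn:idp.example.test"><IDPSSODescriptor><SingleLogoutService
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 Location="https://idp.example.test/slo"/></IDPSSODescriptor></EntityDescriptor>"""
SAMPLE_TRACE = [  # redirects seen after requesting /logout.do
    "https://uaa.example.test/logout.do",
    "https://uaa.example.test/login",
    make_redirect("https://idp.example.test/sso", '<samlp:AuthnRequest '
                  'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a1"/>'),
]
print(logout_report(SAMPLE_METADATA, SAMPLE_TRACE))
```

A report with `slo_advertised` true and `logout_request_sent` false matches the symptom described in this issue: the endpoint is in the metadata, but the only SAML message in the trace is a new AuthnRequest.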