Single Sign out in All application using Auth0


I have a URL like "http://mywebsite.com". I am using Auth0 for login to my web application. Once the user has logged in to my application, I will log the user in to my WordPress site and other websites using the same login (Single Sign On). Once the user has logged out from my application, I need to log them out from WordPress and the other websites also (Single Sign Off/Out).

Is it possible?

Please suggest a better option.


There are 4 answers

Henry Rodriguez On BEST ANSWER

@udayr answer led me on the right path:

I'm actually using ASP.Net Owin, so I created an overload of the LogOff endpoint at the Auth0AccountController of all my Apps like this:

    [HttpGet]
    public ActionResult LogOff() {
        return this.LogOff("");
    }

Then I added an SLO (Single Log Off) view and put the following code on it:

    <iframe id="app1" height="0" width="0" src="http://app1.localtest.me/Auth0Account/LogOff"></iframe>
    <iframe id="app2" height="0" width="0" src="http://app2.localtest.me/Auth0Account/LogOff"></iframe>

    <h2 id="message">Logging off, please wait...</h2>

    <script>
        var app1Ready = false;
        var app2Ready = false;

        // Each hidden iframe issues the GET to that app's LogOff endpoint;
        // its load event tells us that request has completed.
        // .on('load', ...) is used because jQuery 3 removed the .load() shorthand.
        $('iframe').on('load', function (e) {
            switch ($(e.target).attr("id")) {
                case "app1":
                    app1Ready = true;
                    break;
                case "app2":
                    app2Ready = true;
                    break;
            }

            if (app1Ready && app2Ready) {
                $("#message").html("You have been Logged Off successfully!");
            }
        });
    </script>

Basically, we need to make a GET call to the new LogOff endpoint via the iframes. The only drawback is that all the applications need to know all the other applications' Log Off URLs, and this needs to be implemented on all of them.
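Added example (not from this answer or from Auth0) generalising the page above to N applications, with a deadline so one unresponsive app cannot leave the user stuck on the page, and a final redirect to Auth0's /v2/logout, which the other answers point out is still needed to clear the Auth0 SSO cookie. The app URLs, tenant domain, client id and returnTo value are placeholders you replace with your own.

```javascript
// Placeholders: replace APP_LOGOFF_URLS, TENANT_DOMAIN, CLIENT_ID, RETURN_TO.
const APP_LOGOFF_URLS = [
  'https://app1.example.com/Auth0Account/LogOff',
  'https://app2.example.com/Auth0Account/LogOff',
];

// Auth0 logout URL: returnTo must be in the tenant's Allowed Logout URLs;
// the bare "federated" flag also ends the upstream identity-provider session.
function buildAuth0LogoutUrl(tenantDomain, clientId, returnTo, federated) {
  const url = new URL('https://' + tenantDomain + '/v2/logout');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo);
  return url.toString() + (federated ? '&federated' : '');
}

// Tracks outstanding app log-offs; onDone fires exactly once, either when
// every app has reported or when the deadline passes, whichever is first.
function createLogoutTracker(appUrls, onDone, deadlineMs) {
  const pending = new Set(appUrls);
  let finished = false, timer = null;
  function finish(timedOut) {
    if (finished) return;
    finished = true;
    clearTimeout(timer);
    onDone({ timedOut: timedOut, stillPending: Array.from(pending) });
  }
  timer = setTimeout(function () { finish(true); }, deadlineMs);
  return {
    markDone: function (url) {
      pending.delete(url);
      if (pending.size === 0) finish(false);
    },
  };
}

// Browser wiring: one hidden iframe per app; its load event marks the app done.
if (typeof document !== 'undefined') {
  const tracker = createLogoutTracker(APP_LOGOFF_URLS, function (result) {
    document.getElementById('message').textContent = result.timedOut
      ? 'Some applications did not respond; completing logout anyway.'
      : 'You have been logged off successfully.';
    window.location.href = buildAuth0LogoutUrl(
      'TENANT_DOMAIN.auth0.com', 'CLIENT_ID', 'https://RETURN_TO.example.com/', false);
  }, 10000);
  APP_LOGOFF_URLS.forEach(function (url) {
    const frame = document.createElement('iframe');
    frame.width = '0'; frame.height = '0';
    frame.addEventListener('load', function () { tracker.markDone(url); });
    frame.src = url;
    document.body.appendChild(frame);
  });
}
```

A frame's load event also fires when the app returns an error page, so it only signals that the request completed, not that the session was actually ended; the deadline covers frames that never load at all.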

sanjams On

Haven't had any experience with doing this personally, but this is straight from the docs on Auth0:

"This will clear any single sign-on cookies set by Auth0 for that user. If you also want to log the user out of their identity provider, add a federated query string parameter to the logout URL:

https://appname.auth0.com/v2/logout?federated"

udayr On

I have the same requirement at this point. I am also using Auth0.

From their documentation, I understand that calling the Auth0 logout endpoint will only clear the SSO cookie on Auth0 and it does not log out of all other applications. It is our responsibility to clear the sessions for each application.

The same is explained using an Auth0 AngularJS sample here: https://github.com/auth0/auth0-single-sign-out-sample

Hope this helps.

Tanver Hasan On

To log out the user from multiple applications, you can always check whether the Auth0 session has expired for the user by calling the checkSession() method periodically. If there is no active session for the user, you can log the user out of your application.

    // check every 15 minutes if the SSO session is still active
    setInterval(function() {
      // if the token is not in local storage, there is nothing to check (that is, the user is already logged out)
      if (!localStorage.getItem('userToken')) return;

      // auth0-js v9 signature is checkSession(options, callback); an empty
      // options object uses the defaults the WebAuth instance was created with
      auth0.checkSession({}, function (err, authResult) {
        if (err) {
          // if we get here, it means there is no session on Auth0,
          // then remove the token and redirect to #login
          localStorage.removeItem('userToken');
          window.location.href = '#login';
        }
      });
    }, 900000);

https://auth0.com/docs/sso/current/single-page-apps#single-log-out
https://auth0.com/docs/migrations/guides/legacy-lock-api-deprecation#session-management

To clear the server session, all you need to do is redirect the user to the /v2/logout endpoint. https://auth0.com/docs/logout/guides/logout-auth0

If the users are logging in using an external identity provider, you can force the user to log out from the IdP by adding the federated query string parameter when calling the /v2/logout endpoint. https://auth0.com/docs/logout/guides/logout-idps

In the case of a SAML IdP, you must configure the SAML Logout URI in the connection settings. https://auth0.com/docs/logout/guides/logout-saml-idps