Configure SAML Auth0 Single Logout (SLO)

Overview

Single Logout (SLO) is a SAML feature that ensures users are logged out from both Statista and their identity provider (IdP) when they initiate logout. This guide walks you through the configuration steps required to enable SLO for a customer's SAML connection.

Prerequisites

  • Access to the customer's IdP configuration
  • Access to Statista's Auth0 tenant
  • Auth0 Management API credentials (for setting metadata flags)

Steps

1. Enable SLO on the Customer's IdP

The customer needs to enable SAML Single Logout (SLO) support in their IdP.

For Auth0 as IdP:

  • Navigate to the SAML Add-On settings of the application
  • Enable the SLO option and set the logout callback URL

Example configuration:

{
  "logout": {
    "callback": "https://dev.login.statista.com/logout",
    "slo_enabled": true
  }
}

For other IdPs:

  • Consult the IdP's documentation for enabling SAML SLO
  • Ensure the logout callback URL points to the appropriate Statista environment
  • Note the SingleLogoutService URL provided by the IdP

2. Enable SLO in the Auth0 SAML Connection

  1. Log into the Statista Auth0 tenant
  2. Navigate to Authentication -> Enterprise -> SAML
  3. Find and select the customer's SAML connection
  4. Enable the "Enable Single Logout" option
  5. Provide other logout configuration details as required by the customer's IdP:
    • Logout URL (SingleLogoutService endpoint)
    • Binding type (e.g., HTTP-Redirect or HTTP-POST)
    • Note: Not required for Auth0 as IdP

3. Set the slo_enabled Metadata Flag

The connection metadata in Auth0 must include an slo_enabled=true flag.

Important: This must be done via the Management API (not the dashboard).

Recommendation: Set this flag when creating the self-service SSO ticket for the customer to ensure it's not forgotten.

Example API call:

curl -X PATCH "https://{auth0-domain}/api/v2/connections/{connection-id}" \
  -H "Authorization: Bearer {management-api-token}" \
  -H "Content-Type: application/json" \
  -d '{
    "metadata": {
      "slo_enabled": true
    }
  }'

4. Test the Setup

Follow these steps to verify SLO is working correctly:

  1. Log in via SAML SSO using the customer's connection
  2. Verify the session cookie:
    • Check that the __sso cookie correctly persists the sloEnabled flag
    • You can inspect this in browser developer tools
  3. Initiate logout from Statista
  4. Verify the logout flow:
    • You should be logged out of both Statista and the IdP
    • Monitor network traffic to see a logout request being sent to the IdP's SingleLogoutService URL
  5. Confirm complete logout:
    • Attempt to access a protected resource
    • You should be prompted to log in again at both Statista and the IdP
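To check the logout request observed in step 4, the following added example (not part of the original guide or of Statista's tooling) decodes a logout URL copied from the browser's network tab and compares it with the expected SingleLogoutService URL. It assumes the HTTP-Redirect binding only; the function names, the idp.example.com URL and the sample request are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def check_logout_redirect(captured_url, expected_sls_url):
    """Decode a captured HTTP-Redirect logout URL; return (details, problems)."""
    parts = urlsplit(captured_url)
    params = parse_qs(parts.query)
    if "SAMLRequest" not in params:
        return None, ["no SAMLRequest parameter: not a SAML redirect"]
    # HTTP-Redirect binding: URL-decode, base64-decode, then inflate raw DEFLATE
    raw = base64.b64decode(params["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    problems = []
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        problems.append(f"unexpected message type: {root.tag}")
    endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if endpoint != expected_sls_url:
        problems.append(f"sent to {endpoint}, expected {expected_sls_url}")
    if root.get("Destination") not in (None, expected_sls_url):
        problems.append(f"Destination is {root.get('Destination')}")
    details = {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
        "signed": "Signature" in params,  # this binding signs via the query string
    }
    if not details["name_id"]:
        problems.append("no NameID element found in the request")
    return details, problems


def constructed_sample(sls_url):
    """Build a constructed (not captured) logout redirect for offline use."""
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed1" Version="2.0" Destination="{sls_url}" '
           'IssueInstant="2024-01-01T00:00:00Z">'
           '<saml:Issuer>urn:example:sp</saml:Issuer>'
           '<saml:NameID>user@example.com</saml:NameID>'
           '<samlp:SessionIndex>_sess1</samlp:SessionIndex>'
           '</samlp:LogoutRequest>')
    deflater = zlib.compressobj(wbits=-15)
    raw = deflater.compress(xml.encode()) + deflater.flush()
    return sls_url + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})
```

An empty problems list means the request is a LogoutRequest addressed to the expected endpoint; the details dictionary shows which NameID and SessionIndex the IdP was asked to terminate.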

Troubleshooting

If SLO is not working:

  • Session cookie missing sloEnabled flag: Verify the connection metadata was set correctly via the Management API
  • No logout request to IdP: Check that "Enable Single Logout" is enabled in the Auth0 connection settings
  • IdP not logging out: Verify the customer's IdP has SLO properly configured and the SingleLogoutService URL is correct
  • Logout redirect fails: Confirm the logout callback URL in the IdP matches the Statista environment
