Red Hat OpenStack Services on OpenShift / OSPRH-23804

Horizon: support for multiple providers/login methods (keystone + IdP)

    • Important

      Background / Problem statement

      Customers can configure Horizon with multiple authentication methods, for example:

      • Keystone credentials, and
      • WebSSO via OIDC (e.g. ADFS) through Keystone federation / Apache `mod_auth_openidc`

      In these deployments:

      • Horizon’s logout behavior can be confusing or incorrect because it does not consistently route logout based on the auth method actually used for the current session.
      • This is especially visible for OIDC flows, where logging out may need to trigger an external end-session/redirect flow, not just clear the Horizon session.

      Current behavior (Actual)

      • Horizon logout does not reliably apply the correct logout behavior per auth method in a multi-auth deployment.
      • Post-logout redirect behavior can be inconsistent (or may not trigger the expected OIDC end-session behavior).
      • The customer gets redirected to localhost.

      Expected behavior

      When multiple auth methods are configured:

      • If the user logged in with credentials, logout should behave as normal Horizon logout and return to the login page.
      • If the user logged in with WebSSO/OIDC, Horizon logout should be able to route to an operator-configured logout URL
        for that auth method (e.g. Keystone OIDC redirect URI with logout=true), and do so safely (no open redirects).
      • Redirect targets must be validated/allowlisted.
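
The expected behavior above, sketched as an added example (not Horizon's own code): logout is routed by the auth method recorded for the session, and every target is checked against an allowlist before use. The session key `auth_type`, the `LOGOUT_URLS` and `ALLOWED_ORIGINS` names, the login path and the `keystone.example.test` URL are assumptions made up for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical operator configuration; names and values are constructed.
LOGIN_URL = "/dashboard/auth/login/"
ALLOWED_ORIGINS = {("https", "keystone.example.test", 5000)}
LOGOUT_URLS = {
    "credentials": LOGIN_URL,
    "oidc": "https://keystone.example.test:5000/redirect_uri?logout=true",
}
DEFAULT_PORTS = {"https": 443, "http": 80}


def is_safe_redirect(url, allowed_origins=ALLOWED_ORIGINS):
    """Accept same-site absolute paths or absolute URLs on an allowlisted origin."""
    # Browsers normalise whitespace, control characters and backslashes in
    # ways that can turn a "path" into another host, so reject them outright.
    if not url or url != url.strip() or "\\" in url:
        return False
    if any(ord(ch) < 0x20 for ch in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative target: a single leading slash only ("//host" is off-site).
        return url.startswith("/") and not url.startswith("//")
    if parts.username is not None or parts.password is not None:
        return False  # "https://trusted@other-host/" style userinfo
    origin = (parts.scheme, parts.hostname or "", port or DEFAULT_PORTS.get(parts.scheme))
    return origin in allowed_origins


def logout_target(session, logout_urls=LOGOUT_URLS):
    """Pick the logout URL for the session's auth method, falling back to login."""
    method = session.get("auth_type", "credentials")
    candidate = logout_urls.get(method, LOGIN_URL)
    # A misconfigured or non-allowlisted target (for example a localhost URL)
    # never reaches the browser; the user lands on the login page instead.
    return candidate if is_safe_redirect(candidate) else LOGIN_URL
```
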

              omcgonag@redhat.com Owen McGonagle
              rhos-dfg-ui