OpenStack Horizon supports single sign-on login through Keystone. When logging out after authenticating this way, the user should again be sent to Keystone, so that Keystone too terminates the session correctly. This doesn't happen, however.

There is a setting called LOGOUT_URL for doing exactly that, but it has no effect on what happens during logout. I filed bug 1747149 describing the issue.

Until that bug is resolved, this post will describe the workaround I'm using. While this is specific to OpenID Connect with mod_auth_openidc, it should be the same for other setups, with the exception of the URL to redirect to.

Logging out of your identity provider

When using mod_auth_openidc, you can log out the user by redirecting them to <IDENTITY_URL>/v3/auth/OS-FEDERATION/websso?logout=<redirect>. Here <redirect> is where the user is sent after a successful logout. It must be URL-encoded. It must also be a valid redirect_uri for your identity provider, because mod_auth_openidc will send you there to log out with your identity provider and set redirect_uri to <redirect>.

So if Keystone is being served at https://example.com/identity and Horizon is at https://example.com/dashboard, your full logout path will look like this: https://example.com/identity/v3/auth/OS-FEDERATION/websso?logout=https%3A%2F%2Fexample.com%2Fdashboard.
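
The following is an added example, not code from the original post or from Horizon: it builds the logout URL described above and refuses redirect targets that are not on an allowlist. The function name, the `allowed_redirects` allowlist (meant to mirror the redirect URIs registered with your identity provider) and the https-only check are assumptions.

```python
from urllib.parse import quote, urlsplit

# Path taken from the post; everything else in this block is illustrative.
WEBSSO_PATH = "/v3/auth/OS-FEDERATION/websso"


def build_logout_url(identity_url, redirect, allowed_redirects):
    """Return the Keystone websso logout URL that sends the user to `redirect`.

    `allowed_redirects` is a hypothetical allowlist that should match the
    redirect URIs registered with the identity provider. Checking it here
    keeps a user-influenced value from turning logout into an open redirect.
    """
    parts = urlsplit(redirect)
    # Assumption: only absolute https targets are acceptable.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("redirect must be an absolute https URL")
    if redirect not in allowed_redirects:
        raise ValueError("redirect is not a registered redirect URI")
    # safe="" also encodes ":", "/", "?" and "&", so the whole target stays
    # inside the single `logout` query parameter.
    encoded = quote(redirect, safe="")
    return identity_url.rstrip("/") + WEBSSO_PATH + "?logout=" + encoded


if __name__ == "__main__":
    # Constructed sample values, matching the URLs used in the post.
    print(build_logout_url(
        "https://example.com/identity",
        "https://example.com/dashboard",
        {"https://example.com/dashboard"},
    ))
```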