OpenStack Horizon supports single sign-on login through Keystone. When logging out after authenticating this way, the user should be sent to Keystone again, so that Keystone also terminates the session correctly. However, this doesn't happen. There is a setting called LOGOUT_URL for doing exactly that, but it has no effect on what happens during logout. I filed bug 1747149 describing the issue.
Until that bug is resolved, this post will describe the workaround I'm using. While this is specific to OpenID Connect with mod_auth_openidc, the approach should be the same for other setups, with the exception of the URL to redirect to.
Logging out of your identity provider
With mod_auth_openidc, you can log out the user by redirecting them to <IDENTITY_URL>/v3/auth/OS-FEDERATION/websso?logout=<redirect>. In this case <redirect> refers to where the user is sent after a successful logout. It must be URL-encoded. It must also be a valid redirect_uri for your identity provider, because mod_auth_openidc will send you there to log out with your identity provider and set
So if Keystone is being served at https://example.com/identity and Horizon is at https://example.com/dashboard, your full logout path will look like this:
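An added example, not code from the original post: a Python helper that builds the logout URL in the form described above, URL-encoding the redirect and refusing targets that are not registered redirect URIs. The function names, the allow-list, and the choice of the Horizon base URL as the redirect target are assumptions for illustration.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Path taken from the post; everything else below is illustrative.
WEBSSO_PATH = "/v3/auth/OS-FEDERATION/websso"


def build_logout_url(identity_url, redirect, allowed_redirects):
    """Build <identity_url>/v3/auth/OS-FEDERATION/websso?logout=<redirect>.

    allowed_redirects (hypothetical) mirrors the redirect URIs registered
    with the identity provider; anything else is refused, so the helper
    never builds a logout link that lands on an arbitrary site.
    """
    parts = urlsplit(redirect)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("redirect must be an absolute http(s) URL")
    if redirect not in allowed_redirects:
        raise ValueError("redirect is not a registered redirect_uri")
    # safe="" also encodes ':', '/', '?' and '&', so a redirect that carries
    # its own query string stays inside the single logout parameter.
    encoded = quote(redirect, safe="")
    return f"{identity_url.rstrip('/')}{WEBSSO_PATH}?logout={encoded}"


def logout_target(logout_url):
    """Decode the logout parameter back out of a built URL (for checks)."""
    values = parse_qs(urlsplit(logout_url).query).get("logout", [])
    if len(values) != 1:
        raise ValueError("expected exactly one logout parameter")
    return values[0]


if __name__ == "__main__":
    # Constructed values: the hosts come from the post, the redirect
    # target (the Horizon base URL) is an assumption.
    allowed = {"https://example.com/dashboard"}
    url = build_logout_url("https://example.com/identity",
                           "https://example.com/dashboard", allowed)
    print(url)
    print(logout_target(url))
```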