Comment 3 for bug 1874705

Jonathan Rosser (jrosser) wrote:

With a control plane that has no outbound connectivity it's very important that the correct endpoints can be used/specified.

The horizon service itself must talk to keystone on the internal endpoint, whilst the communication between the end user browser, the IdP, horizon, and the public openstack APIs only happens via the external endpoint.

The use of HTTP_REFERRER as described in the bug report mixes the internal and external physical network contexts in a way which leads to websso being broken for some deployments, but it will work for others with less strict (or no... devstack?) isolation.

We are currently having to maintain a fork of horizon with https://review.opendev.org/722685 applied in order to get websso to work with a strictly segregated network. Comment #2 shows this is not a unique situation.