Horizon should use idp.wikimedia.org for the log-in interface instead of direct LDAP authentication.
This is likely much more complex than the same thing in Striker since it needs to interface with Keystone properly, and also unlike Striker this is blocked on T359552: Enable self-service IDP two-factor authentication management and the migration of existing 2FA credentials from Wikitech to IDP.