[PLT-3581] Preserve existing query params in GetSignOutURL

url.Values{} was overwriting SignOutURL's query string entirely,
dropping params like ?appId=5784 when adding the rd redirect.
Use redirect.Query() to merge instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: majimenez-stratio

providers/sis.go

@@ -274,8 +274,8 @@ func (p *SISProvider) GetSignOutURL(redirectURI string) string {
 	// copy URL
 	redirect := *p.SignOutURL
 	if redirectURI != "" {
-		v := url.Values{}
-		v.Add("rd", redirectURI)
+		v := redirect.Query()
+		v.Set("rd", redirectURI)
 		redirect.RawQuery = v.Encode()
 	}
 	return redirect.String()

providers/sis_test.go

@@ -61,6 +61,41 @@ func TestSISProviderOverrides(t *testing.T) {
 	assert.Equal(t, "profile", p.Data().Scope)
 }
 
+func TestSISProviderGetSignOutURL(t *testing.T) {
+	tests := []struct {
+		name        string
+		signOutURL  string
+		redirectURI string
+		expected    string
+	}{
+		{
+			name:        "no redirect preserves sign-out URL as-is",
+			signOutURL:  "https://sis.example.com/sso/logout",
+			redirectURI: "",
+			expected:    "https://sis.example.com/sso/logout",
+		},
+		{
+			name:        "redirect appended as rd param",
+			signOutURL:  "https://sis.example.com/sso/logout",
+			redirectURI: "https://app.example.com/home",
+			expected:    "https://sis.example.com/sso/logout?rd=https%3A%2F%2Fapp.example.com%2Fhome",
+		},
+		{
+			name:        "existing query params preserved when adding rd",
+			signOutURL:  "https://autentica.example.com/logout?appId=5784",
+			redirectURI: "https://app.example.com/home",
+			expected:    "https://autentica.example.com/logout?appId=5784&rd=https%3A%2F%2Fapp.example.com%2Fhome",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			u, _ := url.Parse(tt.signOutURL)
+			p := NewSISProvider(&ProviderData{SignOutURL: u}, options.SISOptions{})
+			assert.Equal(t, tt.expected, p.GetSignOutURL(tt.redirectURI))
+		})
+	}
+}
+
 func TestSISProviderRedeem(t *testing.T) {
 	b := testSISBackend(map[string]string{
 		"/sso/oauth2.0/accessToken": "access_token=imaginary_access_token&expires=10000",