<VirtualHost *:80>
ServerName sso.opensuse.org
RewriteEngine on
RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
# This is for mapping $username.sso.o.o -> sso.o.o/id/$username
RewriteEngine on
RewriteMap lowercase int:tolower
RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.sso\.opensuse\.org$
RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
RewriteRule ^([a-z0-9-]+)\.sso\.opensuse\.org/.* /openid/id/$1/ [PT]
Alias /ui /usr/share/ipsilon/ui
Alias /themes /usr/share/ipsilon/themes
WSGIScriptAlias / /usr/lib/ipsilon
WSGIPassAuthorization On
WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
WSGIApplicationGroup %{GLOBAL}
<Location />
WSGIProcessGroup ipsilon
</Location>
<Location /login/gssapi/negotiate>
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/keytabs/ipsilon-keytab
AuthType GSSAPI
# This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
GssapiSSLonly Off
GssapiLocalName on
Require valid-user
ErrorDocument 401 /login/gssapi/unauthorized
ErrorDocument 500 /login/gssapi/failed
</Location>
<Directory /usr/lib>
Require all granted
</Directory>
<Directory /usr/share/ipsilon>
Require all granted
</Directory>
</VirtualHost>