Switch to external SSO

.env.sample

@@ -7,5 +7,18 @@ DOMAIN=lasuite-docs.example.com
 
 LETS_ENCRYPT_ENV=production
 
+# NOTE: OpenID Connect (OIDC) single sign-on is **required**, see recipe README
+OIDC_OP_JWKS_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/certs
+OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/auth
+OIDC_OP_TOKEN_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/token
+OIDC_OP_USER_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/userinfo
+OIDC_RP_CLIENT_ID=impress
 # FIXME: Move to docker secret
 OIDC_RP_CLIENT_SECRET=example
+OIDC_RP_SIGN_ALGO=RS256
+OIDC_RP_SCOPES="openid email"
+LOGIN_REDIRECT_URL=https://${DOMAIN}
+LOGIN_REDIRECT_URL_FAILURE=https://${DOMAIN}
+LOGOUT_REDIRECT_URL=https://${DOMAIN}
+OIDC_REDIRECT_ALLOWED_HOSTS='["https://auth.${DOMAIN}", "https://${DOMAIN}"]'
+OIDC_AUTH_REQUEST_EXTRA_PARAMS="{'acr_values'='eidas1'}"