The login handler is now a simpler, standalone http.Handler
wrapper. The separation between the SSO application and the login
handler is now fairly complete.

The login handler no longer forces the user to a specific workflow via
session cookies, but it works on a request-by-request basis instead,
which makes the "back" button works as expected (allowing the user to
bail out of a broken 2FA process, for example).

Session handling has been simplified as well: there is a single
session for authentication and login state, which should remove the
opportunity for session synchronization errors.

And fix a bug with inline XML descriptors.

One can now restrict providers to specific SSO groups.

Add methods to the httpsso package to retrieve authentication info
from the current session (by passing an *http.Request object).

Vertically align SiteLogo with form

See merge request !5

Fix documentation and add missing logo if configured

See merge request !4

Temporary workaround if we do not want to maintain a whitelist.

And move the CORS handler only on the homepage endpoint.

This allows eventual future usage of 307 redirects and us accepting
POST requests without having to decode the request body.

The sso service endpoint should send the proper CORS headers and
respond to OPTIONS (for CORS prefetches) so that XmlHttpRequests on
authenticated sites can (partially) work.

Compute the origin properly.

Let the user pick 2FA method

See merge request !2

Add links 'use a numeric / hardware token instead' to the 2FA login
pages, using the list of available 2FA mechanisms found in the
auth Response.

First step towards letting users pick the method they prefer.

This caused the SSO server to generate bad form links, which caused a
302, preventing POST requests to succeed.

Add some template customization options in the config

See merge request !1