One question: do the instructions in the README also apply to UOA? At least one detail would be different: the username has to use "uoa:" instead of "gsso:". I wonder whether we should let both backends use the same "signon:" prefix and never allow both of them to be active at the same time (as it is now anyway), to minimize confusion for users.