Hi, Adrian.
You are on the right track. You have just missed one important part. OIDC has a protocol for dynamic discovery of the appropriate OIDC Provider for a given user ID (for example, for uid user@example.com it can query the example.com domain and find out what IdP to use); please refer to this [specification](https://openid.net/specs/openid-connect-discovery-1_0.html) for details. mod_auth_openidc supports it, of course, but AFAIK it isn't configured by default. It also provides a simplified approach: you just need to create a file containing data in the same format that would be returned to the RP at the end of the discovery process.
According to this [HOW-TO](https://github.com/pingidentity/mod_auth_openidc/blob/master/README.md):
> OIDCMetadataDir `<somewhere-writable-for-the-apache-process>/metadata`
> OIDCMetadataDir points to a directory that contains files that contain per-provider configuration data. For each provider, there are 3 types of files in the directory:
You will be particularly interested in this type of file:
> `<urlencoded-issuer-value-with-https-prefix-and-trailing-slash-stripped>.provider` contains (standardized) OpenID Connect Discovery OP JSON metadata where each name of the file is the url-encoded issuer name of the OP that is described by the metadata in that file.
You need to create a file with a name adhering to the mentioned format, and put your Gluu OP's metadata in it. You can get it by querying your Gluu instance with this URL: [https://your.gluu.host.name/.well-known/openid-configuration](https://your.gluu.host.name/.well-known/openid-configuration)
Please also verify that the OS on the host where your test website using mod_auth_openidc is running doesn't have SELinux running in "Enforcing" mode. If that's the case, you either need to switch it to "Permissive" or disable it; otherwise you will need to additionally configure extended security permissions for some of the configuration-related files/directories.
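
The file-creation step described in the reply above, as an added example that is not part of the original post or of mod_auth_openidc: it derives the `.provider` file name from the issuer and checks the discovery JSON before storing it. The host `idp.example.test`, the sample metadata, the function names and the exact percent-encoding rule are assumptions made for illustration.

```python
import json
import os
import tempfile
from urllib.parse import quote

# Fields that OpenID Connect Discovery 1.0 marks REQUIRED in provider metadata.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")

# Constructed sample of what /.well-known/openid-configuration returns (not real data).
SAMPLE = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

def provider_filename(issuer):
    """URL-encoded issuer with the https:// prefix and trailing slash stripped."""
    if not issuer.startswith("https://"):
        raise ValueError("issuer must be an https URL")
    bare = issuer[len("https://"):].rstrip("/")
    if not bare:
        raise ValueError("issuer has no host")
    # Assumption: ':' and '/' are percent-encoded along with other reserved characters.
    return quote(bare, safe="") + ".provider"

def write_provider_file(metadata_dir, expected_issuer, raw_json):
    """Validate discovery JSON, then store it under the name OIDCMetadataDir expects."""
    meta = json.loads(raw_json)
    missing = [key for key in REQUIRED if key not in meta]
    if missing:
        raise ValueError("metadata lacks required fields: %s" % missing)
    # Discovery requires the returned issuer to be identical to the one queried;
    # a mismatch means the document describes some other provider.
    if meta["issuer"] != expected_issuer:
        raise ValueError("issuer mismatch: %r" % meta["issuer"])
    path = os.path.join(metadata_dir, provider_filename(expected_issuer))
    # 0o640: not world-readable; the Apache user is assumed to be owner or in the group.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as handle:
        json.dump(meta, handle, indent=2)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(write_provider_file(tmp, "https://idp.example.test", SAMPLE))
```

Because a manually placed file skips the discovery exchange, the issuer comparison here is the only check that the stored metadata belongs to the intended provider.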