[Freeipa-users] Framework Use of GSS Proxy

Hi, I'm looking to understand a little better how the framework is using GSS Proxy to authenticate the user who is accessing the tools. The information here (https://www.freeipa.org/page/Troubleshooting/PrivilegeSeparation) is nice and I've been reading through the numerous libraries, python files, and configs... but I can't find how they are telling the WSGI app to use GSS to impersonate. Any guidance is appreciated, reading suggestions, examples, what have you :)