Quick Summary:
How can I configure the OpenIdServletFilter to use the
openid_identifier
https://www.google.com/accounts/o8/site-xrds?hd={DOMAIN_NAME}
where the URI portion of the identifier is only known from the URI of
an incoming HTTP request intercepted by the filter?

More Detailed Version:
I implemented the OpenIdServletFilter on my Google AppEngine domain
for the specific purpose of authenticating Google Apps account users.
This is in preparation for listing my app in the Google Apps
Marketplace.

The Marketplace requires that users will navigate to my site to a
specific URL. On my development server the target URL (which is
filtered by the OpenIdServletFilter) is
http://dev-vantage.appspot.com/app?hd=${DOMAIN_NAME}
where the user's google apps domain name will be autopopulated by
Google in their universal apps navigation scheme.  My task is to
authenticate the user in my site using OpenID without the user
encountering any prompts along the way.

So far, I've reached the point where if the user goes directly to the
URL
http://dev-vantage.appspot.com/app?openid_identifier=https://www.goog...{DOMAIN_NAME}
the authentication occurs properly using any authentic Goggle apps
domain name.  So, to finish up I need to figure out how to configure
the servlet filter to
1. strip the URI from an unauthenticated user's first request in order
to learn the user's Google Apps domain name
2. use that domain name to construct the full openid_identifier
parameter, including the required URI: hd=${DOMAIN_NAME}

Any help would be greatly appreciated.