current recommended practice, proxy in front of several protected sites

[Steven Carmody]

Hi,

One of our depts has decided to move to using the central campus 
Shib-SSO service to control access to many of their web sites. They 
would prefer to avoid installing a SHib SP on all of those servers (yes, 
I know, "google puppet" ;-) ). They would prefer standing up a proxy, 
and sending all traffic thru the proxy in order to access the various 
protected resources on other servers. I assume they want the SAML 
attribute values sent thru to the backend servers, for use in access 
control decisions.

What's the current "recommended practice, and software" for doing this ? 
People used to use simplesamlphp to do this; there's now SATOSA; there 
are probably other options, too.

And, are there pages that can be shared with this dept describing how 
this works, how to organize it, etc ?

Thanks in advance for all suggestions.