idp - x509 auth behind nginx

Losen, Stephen C (scl) scl at
Fri Nov 16 05:54:29 EST 2018

Hi Ilya,

I suggest that you use authn/RemoteUser on the IDP and have nginx extract the username from the client cert and pass it to the IDP in an HTTP header.  I'm not familiar with nginx, but if it works anything like Apache httpd, then client cert data is loaded into variables, which the web server can filter and pass in HTTP headers to the IDP.  Or if your proxy uses AJP then you may be able to pass the username in the REMOTE_USER variable (not sure how).

Refer to the IDP wiki for authn/RemoteUser documentation.

When you enable authn/RemoteUser, the IDP redirects the browser to /idp/Authn/RemoteUser and expects the subsequent browser request to provide the username.

You configure nginx to require a client cert at the location /idp/Authn/RemoteUser and pass the username (taken from the client cert) to the IDP via the proxy.  Configure authn/RemoteUser on the IDP to fetch the username from REMOTE_USER or else from an HTTP header of your invention, such as "X-Remote-User".

Beware that HTTP headers are trivial to forge and that the IDP will blindly trust your header.  So ensure that all access to /idp/Authn/RemoteUser goes through nginx and that nginx removes any forged headers from the incoming browser request.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at    434-924-0640
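An added example, not part of Stephen's reply and not Shibboleth project code: an nginx server block that implements the scheme described above (client cert required only at /idp/Authn/RemoteUser, CN taken from the cert subject, forged headers dropped everywhere). It assumes the IdP's Tomcat listens on 127.0.0.1:8080, that the IdP's RemoteUser flow is configured to read the X-Remote-User header, and that the trusted client CA bundle is at /etc/nginx/idp-client-ca.pem; the hostname and file paths are placeholders.

```nginx
# Added example (not from the thread). Assumptions: IdP on 127.0.0.1:8080,
# header name X-Remote-User, client CA bundle /etc/nginx/idp-client-ca.pem.

# Pull the CN out of the verified client cert's subject DN. Since nginx
# 1.11.6 $ssl_client_s_dn is in RFC 2253 form, e.g. "CN=alice,OU=Users,O=Example".
# Yields an empty string when no cert was presented or no CN is present.
map $ssl_client_s_dn $idp_remote_user {
    "~(^|,)CN=(?<cn>[^,]+)"  $cn;
    default                  "";
}

server {
    listen 443 ssl;
    server_name idp.example.org;          # placeholder

    ssl_certificate     /etc/nginx/idp.crt;   # placeholder
    ssl_certificate_key /etc/nginx/idp.key;   # placeholder

    # Unlike Apache's per-Location SSLVerifyClient, ssl_verify_client is a
    # server-level setting. Make it optional here and enforce the result only
    # in the one location where the IdP expects a username.
    ssl_client_certificate /etc/nginx/idp-client-ca.pem;
    ssl_verify_client      optional;
    ssl_verify_depth       10;

    # The only path that hands a username to the IdP, and only after the
    # client cert chained to the configured CA.
    location /idp/Authn/RemoteUser {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        if ($idp_remote_user = "") {
            return 403;
        }
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Replaces any X-Remote-User the browser itself sent.
        proxy_set_header X-Remote-User     $idp_remote_user;
        proxy_pass http://127.0.0.1:8080;
    }

    # Everything else: never forward a browser-supplied X-Remote-User.
    # An empty value makes nginx omit the header entirely.
    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Remote-User     "";
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Two points worth checking in your own deployment: proxy_set_header directives are not inherited into a location that declares any of its own, so the X-Remote-User override has to be repeated in every location that proxies to the IdP; and the CN regex assumes no escaped commas inside the CN, so if your subject DNs are unusual, consider mapping the whole $ssl_client_s_dn to a username instead. On nginx older than 1.11.6 the DN is in the legacy "/CN=alice/OU=..." format and the map pattern would need adjusting.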

-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Ilya Rumyantsev
Sent: Friday, November 16, 2018 4:51 AM
To: users at
Subject: idp - x509 auth behind nginx

Hi all, I could not find any documentation on how to establish the x509 client login with a reverse proxy.
I would like nginx to handle the x509 client login.

What headers would I need to pass to the Shibboleth IdP running in a Tomcat container? I just found a snippet from a very old Apache config:

  <Location /idp/Authn/X509>
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions -StdEnvVars +ExportCertData
  </Location>

The certificate needs to be evaluated by Shibboleth.

Thanks a lot