frontend.conf

# This is the backend application we are protecting with SAML SSO
upstream my_backend {
    zone my_backend 64k;
    server localhost:8088;
}

# Custom log format to include the 'NameID' subject in the REMOTE_USER field
log_format saml_sso '$remote_addr - $saml_name_id [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

# The frontend server - reverse proxy with SAML SSO authentication
#
server {
    # Functional locations implementing SAML SSO support
    include conf.d/saml_sp.server_conf;

    # Reduce severity level as required
    error_log /var/log/nginx/error.log debug;

    listen 8010; # Use SSL/TLS in production

    location / {
        # When a user is not authenticated (i.e., the "saml_access_granted"
        # variable is not set to "1"), an HTTP 401 Unauthorized error is
        # returned, which is handled by the @do_samlsp_flow named location.
        error_page 401 = @do_samlsp_flow;

        if ($saml_access_granted != "1") {
            return 401;
        }

        # Successfully authenticated users are proxied to the backend,
        # with the NameID attribute passed as an HTTP header
        proxy_set_header username $saml_name_id;

        proxy_pass http://my_backend; # The backend site/app

        access_log /var/log/nginx/access.log saml_sso;
    }
}

# vim: syntax=nginx