SAML behind nginx

Hi folks,

I am trying to implement SSO in my network. As I understood things, I need to have the saml service reachable from the outside - which is the UCS server. To achieve this, I configured my nginx reverse proxy like this:

upstream ucs {

server {
        listen 443 ssl http2;
        include /etc/nginx/brotli_params;

        ssl_certificate     /path/to/cert
        ssl_certificate_key /path/to/key
        proxy_ssl_trusted_certificate ucs-root-ca.crt;

        ssl_dhparam ssl/dhparam-sso.pem;

        access_log /var/log/nginx/sso_access_log main_ext;
        error_log /var/log/nginx/sso_error_log warn;

        location / {
            proxy_pass  https://ucs;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

            ### Set headers ####
            proxy_set_header        Accept-Encoding   "";
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

            proxy_set_header        X-Forwarded-Proto $scheme;
            add_header              Front-End-Https   on;
            proxy_redirect     off;


As I found out, the SSO webservice seems to use SNI, my first guess was to add this to my config

            proxy_ssl_name ucs-sso.ucs.internal-domain;
            proxy_ssl_server_name on;

which resulted in a Misdirected Request error…
By now I’m running out of ideas - could someone point me into the right direction?

You are right, Apache at UCS use SNI for SSL. But instead of changing the URL at the nginx side, the prefered way is to set the external fqdn for SSO at UCS side, see

You may also have a look at our Cool Solution - Reverse Proxy for UCS Portal and Services, where we have an example configuration for nginx.

I wasn’t sure on how to tackle this, as I didn’t want to change too much at the UCS side - but thanks. That did it. The only problem remaining is the UCS asking for some additional authentication…