Hello Gustaf,
thank you for the suggestion.
I have already resolved the issue by simplifying the architecture and removing the Nginx layer from the authentication flow. We are now running everything directly through Apache with Shibboleth, and the headers are correctly reaching NaviServer/OpenACS.
Thank you also for sharing the SPID Keycloak provider project.
Best regards,
Gacalin