Forum OpenACS Q&A: Re: Shibboleth configuration with apache2 and Nginx

Posted by Gustaf Neumann on
Hi Gacalin,

In case the integration is still open, another option worth considering is to avoid passing Shibboleth headers through the proxy chain and instead use an OAuth2/OIDC bridge. For example, Keycloak can act as an intermediary between SPID/SAML on one side and OAuth2/OIDC on the application side. The project

https://github.com/italia/spid-keycloak-provider

looks like a relevant candidate for this approach. In such a setup, OpenACS would not have to speak SPID/SAML directly, but would authenticate users via OAuth2/OIDC against Keycloak.

I should add that I have no practical SPID deployment experience myself. However, I am one of the implementers of the OAuth2 support in OpenACS, so from the OpenACS side the OAuth2/OIDC path is probably the integration route I would look at first. It keeps the SPID-specific complexity outside OpenACS and leaves OpenACS with the more standard task of mapping OAuth2/OIDC claims to users.