# nginx.conf
...
# if the ext auth server, like heimdall returns `401 not authorized`
# then forward the request to the error401 block
error_page 401 = @error401;
location @error401 {
# redirect to the IdP for login
return 302 https://your-idp-service/login;
# you usually want your IdP to redirect back upon successful authentication
# typically, you can achieve that by adding such query parameters like
# return_to set to the value of the current request
}