---
title: Proxy client authentication
description: To selectively perform client certification authentication on behalf of PingFederate, configure a front-end proxy or load balancer.
component: x509
page_id: x509:x509_certificate_integration_kit:pf_x509_certificate_ik_proxy_client_authentication
canonical_url: https://docs.pingidentity.com/integrations/x509/x509_certificate_integration_kit/pf_x509_certificate_ik_proxy_client_authentication.html
revdate: June 17, 2024
---

# Proxy client authentication

To selectively perform client certification authentication on behalf of PingFederate, configure a front-end proxy or load balancer.

By configuring proxy client authentication, TLS is terminated at the proxy and the headers are passed back to PingFederate for validation by the X.509 Certificate IdP Adapter. This approach also allows you to have all traffic arrive on TCP port 443.

Learn more about configuring proxy client authentication for your product:

* [Configure incoming proxy settings](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_systemoptionstasklet_systemoptionsstate.html) in the PingFederate documentation

* [Creating header identity mappings](https://docs.pingidentity.com/pingaccess/latest/pingaccess_user_interface_reference_guide/pa_creating_header_identity_mappings.html) and [Defining engine listeners](https://docs.pingidentity.com/pingaccess/latest/pingaccess_user_interface_reference_guide/pa_defining_engine_listeners.html) in the PingAccess documentation