Support SSL offloading

If the AA is deployed behind a load balancer, SSL client authentication might not be handled by the webserver running the AA but on an external host. In order to inject client certificate data (which is required to authorize the SP), an alternative header, such as `X-SSL-CLIENT-CERT` could be used.

This should be a configuration item, defaulting the current `SSL_CLIENT_CERT` value.