How can I set up an automatic authentication layer

Posted 2019-03-20 02:59

I'm building an ecosystem of applications under a common domain, with each application under a separate subdomain. I have built an authentication application for the ecosystem, but it requires each other application to be specially configured to use it. Is there a way to configure nginx to manage user sessions, possibly forwarding user information as headers to the various applications?

2 answers
Evening l夕情丶
Post #2 · 2019-03-20 03:19

Let me show you a common pattern for cross-application authentication you can use with Nginx:

1) Build a standalone service called auth_service that works independently from the web applications, as required.

2) Each subdomain app has its own location that proxies to the same authentication service:

# Target of the auth_request subrequest; lives in every subdomain's server block
location = /auth {
  proxy_pass http://auth_service.localhost/authenticate;
  # the subrequest only needs headers (cookies/tokens), not the original body
  proxy_pass_request_body off;
  proxy_set_header Content-Length "";
  # let the auth service know which URI the client actually asked for
  proxy_set_header X-Original-URI $request_uri;
}

3) Each web app uses the "/auth" location to pass the login/password (based on POST data, headers or temporary tokens).

4) The standalone service's "/authenticate" handler accepts the web app's login/password and returns 200, or 401 if authentication failed.

The core of this approach is that the "/auth" location sits on each subdomain-based application; the server side dispatches the call to the single authentication endpoint, which can be reused efficiently, and you avoid code duplication.

The Auth Request module is not built by default, but comes with the source code. Before use, just compile Nginx with the --with-http_auth_request_module option.

UPDATE: Since Nginx 1.5.4 this module comes in the standard distribution without requiring it to be compiled in separately.

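To make the pattern in the answer above concrete, here is an added example (not code from the original post or from any project) of the standalone auth_service that the "/auth" location proxies to. It assumes a hypothetical cookie-based session: the browser carries a "session" cookie scoped to the common parent domain so every subdomain sends it, nginx forwards it in the auth_request subrequest (subrequests are issued as GET, which is why the request body is dropped), and the service answers 200 with an X-Auth-User header, 401 when the session is unknown, or 403 when the original URI needs a role the session lacks. The session store, the path-to-role policy and the X-Forwarded-User header name are assumptions for the example; the wiring comment at the top shows the auth_request side that goes with the location from the answer.

```python
"""
Standalone auth_service for the nginx auth_request pattern.

nginx side, per subdomain server block (example wiring, not from the post):

    location = /auth {
        internal;                       # only reachable via auth_request
        proxy_pass http://auth_service.localhost/authenticate;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location / {
        auth_request /auth;
        # copy the identity asserted by the auth service into a header
        # the app can trust; a client-supplied value is overwritten here
        auth_request_set $auth_user $upstream_http_x_auth_user;
        proxy_set_header X-Forwarded-User $auth_user;
        proxy_pass http://app_backend;
    }
"""
from http.cookies import CookieError, SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed sample session store: opaque token -> identity.  A real service
# would back this with a database or cache shared by the whole ecosystem.
SESSIONS = {
    "s3ss10n-alice": {"user": "alice", "roles": ["user", "admin"]},
    "s3ss10n-bob": {"user": "bob", "roles": ["user"]},
}

# Hypothetical path-based policy: URI prefixes that require an extra role.
PROTECTED_PREFIXES = {"/admin": "admin"}


def session_from_cookie(cookie_header):
    """Return the 'session' cookie value, or None if absent or malformed."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get("session")
    return morsel.value if morsel else None


def authenticate(headers):
    """Decide an auth_request subrequest.

    headers: request headers as forwarded by nginx (Cookie, X-Original-URI).
    Returns (status, response_headers).  auth_request treats 2xx as allow,
    passes 401 and 403 back to the client, and turns anything else into 500.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    token = session_from_cookie(h.get("cookie"))
    session = SESSIONS.get(token) if token else None
    if session is None:
        return 401, {"WWW-Authenticate": 'Cookie realm="ecosystem"'}

    # Authorise on the URI the client actually requested, not on /auth itself.
    path = urlsplit(h.get("x-original-uri", "/")).path
    for prefix, role in PROTECTED_PREFIXES.items():
        if path == prefix or path.startswith(prefix + "/"):
            if role not in session["roles"]:
                return 403, {}
    # The identity is asserted only here; apps read it from the header nginx sets.
    return 200, {"X-Auth-User": session["user"]}


class AuthHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front for authenticate(); auth_request subrequests are GET."""

    def do_GET(self):
        if urlsplit(self.path).path != "/authenticate":
            self.send_error(404)
            return
        status, resp_headers = authenticate(dict(self.headers.items()))
        self.send_response(status)
        for name, value in resp_headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet on stdout
        pass


if __name__ == "__main__":
    # Bind to loopback only; nginx reaches it via proxy_pass.
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

Two points worth noting when deploying something like this: the session cookie must be set with a Domain attribute covering the parent domain, or the other subdomains will never send it; and the application behind nginx must read the user only from the header nginx sets after auth_request_set, since any X-Auth-User a client sends directly is replaced by that directive rather than passed through.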
疯言疯语
Post #3 · 2019-03-20 03:31

I would suggest a custom module which gets data from a database based on who logged in. This way you manage everything from a central point and can set whatever you want based on whatever is in the database; on the other side, you synchronize the database with the authentication sources.

A client always has the same login interface, and nginx always communicates with the same authentication source in the same way; you only need to manage the database and its interfaces to the authentication sources.

client <> nginx <> database <> set values where client is going and is allowed to do.
