diff --git a/controllers/nginx/pkg/template/template.go b/controllers/nginx/pkg/template/template.go
index 0e85f7cb15..9fbc46bed4 100644
--- a/controllers/nginx/pkg/template/template.go
+++ b/controllers/nginx/pkg/template/template.go
@@ -22,6 +22,7 @@ import (
 "encoding/json"
 "fmt"
 "net"
+ "net/url"
 "os"
 "os/exec"
 "strconv"
@@ -153,6 +154,7 @@ var (
 "buildForwardedFor": buildForwardedFor,
 "trustHTTPHeaders": trustHTTPHeaders,
 "trustProxyProtocol": trustProxyProtocol,
+ "buildAuthSignURL": buildAuthSignURL,
 }
 )
@@ -690,3 +692,23 @@ func trustProxyProtocol(input interface{}) bool {
 return conf.Cfg.RealClientFrom == "tcp-proxy" || (conf.Cfg.RealClientFrom == "auto" && conf.Cfg.UseProxyProtocol)
 }
+
+func buildAuthSignURL(input interface{}) string {
+ s, ok := input.(string)
+ if !ok {
+ glog.Errorf("expected an 'string' type but %T was returned", input)
+ return ""
+ }
+
+ u, _ := url.Parse(s)
+ q := u.Query()
+ if len(q) == 0 {
+ return fmt.Sprintf("%v?rd=$request_uri", s)
+ }
+
+ if q.Get("rd") != "" {
+ return s
+ }
+
+ return fmt.Sprintf("%v&rd=$request_uri", s)
+}
diff --git a/controllers/nginx/pkg/template/template_test.go b/controllers/nginx/pkg/template/template_test.go
index 55dde56272..e330b9ce60 100644
--- a/controllers/nginx/pkg/template/template_test.go
+++ b/controllers/nginx/pkg/template/template_test.go
@@ -354,3 +354,19 @@ func TestBuildRateLimit(t *testing.T) {
 }
 }
 }
+
+func TestBuildAuthSignURL(t *testing.T) {
+ cases := map[string]struct {
+ Input, Output string
+ }{
+ "default url": {"http://google.com", "http://google.com?rd=$request_uri"},
+ "with random field": {"http://google.com?cat=0", "http://google.com?cat=0&rd=$request_uri"},
+ "with rd field": {"http://google.com?cat&rd=$request", "http://google.com?cat&rd=$request"},
+ }
+ for k, tc := range cases {
+ res := buildAuthSignURL(tc.Input)
+ if res != tc.Output {
+ t.Errorf("%s: called buildAuthSignURL('%s'); expected '%v' but returned '%v'", k, tc.Input, tc.Output, res)
+ }
+ }
+}
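Review bot: In `buildAuthSignURL` (template.go, hunk at -690), `u, _ := url.Parse(s)` discards the parse error and the very next line calls `u.Query()`; `url.Parse` returns a nil `*URL` on failure, so a value it rejects would panic during template rendering instead of being logged. The string appears to originate from the `auth-signin` Ingress annotation, so unless it is validated earlier (not visible in this diff) it should be treated as untrusted input. Keep the error with `u, err := url.Parse(s)` and, as the type-assertion branch above already does, log through `glog.Errorf` and return before `u` is dereferenced. A smaller point in the same function: `q.Get("rd") != ""` treats an explicit but empty `rd=` as absent and appends a second `rd`; `_, ok := q["rd"]` tests for presence instead.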
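Review bot: `TestBuildAuthSignURL` (template_test.go) covers only well-formed URLs, so none of the failure paths in `buildAuthSignURL` are exercised. The table has no case for a non-string input, for a value that `url.Parse` rejects, or for an `rd` parameter that is present but empty. A case for an unparsable value is the most useful one to add, because it pins down that the helper returns rather than panics on bad annotation data.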
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index bc99eb331e..5d4fd19745 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -727,7 +727,7 @@ stream {
 {{ end }}
 {{ if not (empty $location.ExternalAuth.SigninURL) }}
- error_page 401 = {{ $location.ExternalAuth.SigninURL }};
+ error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }};
 {{ end }}
 {{/* if the location contains a rate limit annotation, create one */}}
diff --git a/examples/external-auth/nginx/dashboard-ingress.yaml b/examples/external-auth/nginx/dashboard-ingress.yaml
index 642e38f5bf..f2682f6e52 100644
--- a/examples/external-auth/nginx/dashboard-ingress.yaml
+++ b/examples/external-auth/nginx/dashboard-ingress.yaml
@@ -2,7 +2,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
 annotations:
- ingress.kubernetes.io/auth-signin: https://$host/oauth2/sign_in
+ ingress.kubernetes.io/auth-signin: https://$host/oauth2/start
 ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
 name: external-auth-oauth2
 namespace: kube-system
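Review bot: The `error_page 401` line in nginx.tmpl now renders a redirect that carries `rd=$request_uri`, and `$request_uri` is the raw, unescaped request URI, so it is not percent-encoded when it lands inside the sign-in URL's query string. Any `?` or `&` in the original request therefore becomes a top-level parameter of the sign-in URL, which truncates the return path and lets request-supplied parameters, including a second `rd`, reach the auth endpoint. Consider passing an escaped form of the URI into `rd`, and add a template comment such as `{{/* rd is request-controlled; the auth service must validate it before redirecting */}}`. The enclosing location block starts and ends outside this hunk.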