diff --git a/pipeline/mutate/mutator_noop.go b/pipeline/mutate/mutator_noop.go
index 6cab227bb3..421afa6eed 100644
--- a/pipeline/mutate/mutator_noop.go
+++ b/pipeline/mutate/mutator_noop.go
@@ -23,7 +23,22 @@ func (a *MutatorNoop) GetID() string {
 }
 
 func (a *MutatorNoop) Mutate(r *http.Request, session *authn.AuthenticationSession, config json.RawMessage, _ pipeline.Rule) error {
+ currentSessionHeaders := session.Header.Clone()
 session.Header = r.Header
+ if session.Header == nil {
+ session.Header = make(map[string][]string)
+ }
+
+ for k, v := range currentSessionHeaders {
+ var val string
+ if len(v) == 0 {
+ val = ""
+ } else {
+ val = v[0]
+ }
+ session.SetHeader(k, val)
+ }
+
 return nil
 }
 
diff --git a/pipeline/mutate/mutator_noop_test.go b/pipeline/mutate/mutator_noop_test.go
index ad1f5c1336..f44cad53db 100644
--- a/pipeline/mutate/mutator_noop_test.go
+++ b/pipeline/mutate/mutator_noop_test.go
@@ -33,6 +33,16 @@ func TestMutatorNoop(t *testing.T) {
 assert.EqualValues(t, r.Header, s.Header)
 })
 
+ t.Run("method=mutate/case=ensure authentication session headers are kept", func(t *testing.T) {
+ r := &http.Request{Header: http.Header{"foo": {"foo"}}}
+ s := &authn.AuthenticationSession{Header: http.Header{"bar": {"bar"}}}
+ combinedHeaders := http.Header{"foo": {"foo"}}
+ combinedHeaders.Set("bar", "bar")
+ err := a.Mutate(r, s, nil, nil)
+ require.NoError(t, err)
+ assert.EqualValues(t, r.Header, combinedHeaders)
+ })
+
 t.Run("method=validate", func(t *testing.T) {
 conf.SetForTest(t, configuration.MutatorNoopIsEnabled, true)
 require.NoError(t, a.Validate(nil))
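Review bot: The merge loop in Mutate copies only `v[0]` of each pre-existing session header, so any further values an earlier pipeline step stored under that name are silently dropped; since `currentSessionHeaders` is already a clone, `session.Header[http.CanonicalHeaderKey(k)] = v` would carry every value over. Because `session.Header = r.Header` shares the request's map instead of copying it, the loop also writes the session headers into the incoming request's headers, which `session.Header = r.Header.Clone()` would avoid (the nil check that follows still covers a nil request header). Assuming SetHeader replaces rather than appends, session values win over same-named request headers, which looks like the intent, so that a client cannot displace a header set during authentication. A comment above the loop such as `// session headers take precedence over client-supplied request headers` would record that decision.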
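Review bot: The new case asserts on `r.Header` rather than `s.Header`, so it passes only because Mutate leaves the session and the request sharing one header map, and it never inspects the session that the test name refers to; `assert.EqualValues(t, combinedHeaders, s.Header)` would pin the intended result, with the expected value first as testify's signature has it. There is also no case in this hunk where the request and the session carry the same header name, which is the case that decides whether a client-supplied value can displace one set by an authenticator. A further sub-test with a constructed name such as `X-User` on both sides, asserting that the session value survives, would cover it. TestMutatorNoop itself starts and ends outside this hunk.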