Working with an ADFS Proxy server.

Cantor, Scott cantor.2 at osu.edu
Wed Aug 15 13:38:20 EDT 2012


>The problem is that the ADFS proxy (sso.a.example.com) requires the
>"Destination" XML attribute be set to "adfs.a.example.com".

That's a bug. The analogous scenario is a load balancer doing SSL
offloading. Even though the back end server is at a different physical
location, it must pretend to be the virtual location of the load balancer
when it performs such comparisons. People screw this up with the SP and
IdP all the time, because it's the web server's responsibility to do these
adjustments.

Note that IIS does not support those adjustments either, which is probably
relevant to an ADFS situation.

If MS supports a proxied scenario but does not support virtualizing the
back end, you can't make it work.

>The ADFS administrators say that the HTTP POST/Redirect URLs need to
>be set to sso.a.example.com while the "Destination" AuthnRequest
>attribute must be set to "adfs.a.example.com". How can I achieve this?

You can't. Well, you could change the code (or add plugins that duplicate
but tweak this value), but I'm ignoring that option.

I could imagine some very ugly hacks such as an option to override the
Destination value based on some kind of mapping table, but that's not
implemented now.

>How have other people interoperated with ADFS proxies?

I would imagine they have not. A page to document things that don't work,
or how to work around issues is here:

https://wiki.shibboleth.net/confluence/display/SHIB2/MicrosoftInterop

-- Scott
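The comparison Scott describes, as an added example that is not part of the original post and not Shibboleth or ADFS code: a back end sitting behind a proxy must check the AuthnRequest `Destination` against the virtual location clients actually post to, not against its own physical hostname. The two hostnames come from the thread; the `/adfs/ls/` path, the function names and the sample request are assumptions constructed for this example.

```python
# Added example: Destination check for a SAML endpoint behind a proxy.
# Not Shibboleth or ADFS code. Hostnames are from the thread; the
# endpoint path, function names and sample request are assumptions.
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Virtual location the SP sends to, and the physical server behind the proxy.
PROXY_ENDPOINT = "https://sso.a.example.com/adfs/ls/"     # what the client sees
BACKEND_ENDPOINT = "https://adfs.a.example.com/adfs/ls/"  # where the request lands

# Constructed AuthnRequest as an SP would send it to the proxy (sample data).
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2012-08-15T17:38:20Z"
    Destination="{PROXY_ENDPOINT}"
    AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>"""


def extract_destination(authn_request_xml: str) -> Optional[str]:
    """Return the Destination attribute of a samlp:AuthnRequest, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("root element is not samlp:AuthnRequest")
    return root.get("Destination")


def _canonical(url: str) -> Tuple[str, str, str, str]:
    """Scheme and host compare case-insensitively, default ports are dropped,
    path and query compare exactly."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    default_port = {"https": 443, "http": 80}.get(scheme)
    netloc = host if p.port in (None, default_port) else f"{host}:{p.port}"
    return (scheme, netloc, p.path, p.query)


def destination_matches(destination: str, endpoint_url: str) -> bool:
    """True when the Destination names the given endpoint URL."""
    return _canonical(destination) == _canonical(endpoint_url)


def check_destination(authn_request_xml: str, received_at: str,
                      virtual_location: Optional[str] = None) -> bool:
    """Validate Destination the way a proxied back end must.

    received_at is the physical URL the request arrived on.  When
    virtual_location is configured, the back end compares against that
    instead, i.e. it pretends to be the proxy.  Leaving virtual_location
    unset reproduces the behaviour the thread complains about: a request
    correctly addressed to the proxy is rejected by the back end.
    """
    destination = extract_destination(authn_request_xml)
    if destination is None:
        return False  # assumption for this example: require Destination
    expected = virtual_location or received_at
    return destination_matches(destination, expected)


if __name__ == "__main__":
    # Back end checking against its own name: rejects a valid request.
    print("physical check:", check_destination(SAMPLE_REQUEST, BACKEND_ENDPOINT))
    # Back end virtualized to the proxy's name: accepts it.
    print("virtual check: ", check_destination(SAMPLE_REQUEST, BACKEND_ENDPOINT,
                                               virtual_location=PROXY_ENDPOINT))
```

The fix is a deployment setting, not an SP-side change: the back end needs one configured "advertised" URL per endpoint and must use it for every location comparison, which is exactly what a load balancer doing SSL offloading already requires of the servers behind it.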
