Can I use IIS to do Active Directory single-sign-on for another website?
- by brofield
I'm trying to add Active Directory single-sign-on support to an existing SOAP server. The server can be configured to accept a trusted reverse-proxy and use the X-Remote-User HTTP header for the authenticated user. I want to configure IIS to be the trusted proxy for this service, so that it handles all of the Active Directory authentication for the SOAP server.
Basically IIS would have to accept HTTP connections on port X and URL Y, do all the authentication, and then proxy the connection to a different server (most likely the same X and Y).
Unfortunately, I have no knowledge of IIS or AD (so I am trying my best to learn enough to build this solution) so please be gentle. I would assume that this is not an uncommon scenario, so is there some easy way to do this?
Is this sort of functionality built into IIS or do I need to build some sort of IIS proxy program myself?
Is there a better option for getting the authentication done and the X-Remote-User HTTP header set than requiring IIS?
Update:
For example, what I am trying to create is:
[CLIENT]            [IIS]        [AD]        [SOAP-SERVER]
1.  |---------------->|
2.  |<--------------->|<---------->|
3.  |                 |--------------------------->|
4.  |                 |<---------------------------|
5.  |<----------------|
1. POST to http://example.com/foo/bar.cgi
2. Client is not authenticated, so do authentication
3. Once validated, send request to server (X-Remote-User: {userid})
4. Process request, send response
5. Forward response to client
I need to know how to configure IIS to do the automatic authentication of the user using AD, and then to proxy the request to the actual server, sending the userid in the X-Remote-User HTTP header.
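One way to build the IIS stage of the flow above, as an added example that is not part of the question or of any answer: a site-level web.config that turns on Windows Authentication and uses a URL Rewrite rule with Application Request Routing (ARR) to forward /foo/ requests to the backend with X-Remote-User set from the authenticated identity. The backend address soap-backend.internal:8080 is a placeholder, the modules are assumed to be installed with ARR's reverse-proxy mode enabled, and the rule assumes LOGON_USER is already populated when the inbound rule evaluates (kernel-mode Windows Authentication; verify with Failed Request Tracing before relying on it).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config (not from the question). Assumes URL Rewrite and ARR
     are installed, ARR proxy mode is enabled at server level, and the backend
     address below is a placeholder to replace. -->
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <!-- Integrated Windows Authentication (Kerberos/NTLM against AD) with
             anonymous access off, so only AD-authenticated requests reach the
             rule below. Both elements are locked in applicationHost.config by
             default; unlock them there or this site-level override is rejected. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
    <rewrite>
      <rules>
        <rule name="AuthProxyToSoapServer" stopProcessing="true">
          <match url="^foo/(.*)" />
          <conditions>
            <!-- LOGON_USER is DOMAIN\user; capture the bare user name as {C:1}.
                 If LOGON_USER is empty the condition fails and nothing is
                 proxied, so an unauthenticated request never reaches the backend
                 with a blank header. -->
            <add input="{LOGON_USER}" pattern="^[^\\]+\\(.+)$" />
          </conditions>
          <serverVariables>
            <!-- A server variable named HTTP_* is forwarded to the backend as that
                 request header, so this becomes "X-Remote-User: user". "set"
                 replaces any value the client supplied, so a caller cannot inject
                 an identity through the proxy. HTTP_X_REMOTE_USER must be listed
                 under system.webServer/rewrite/allowedServerVariables in
                 applicationHost.config or the rule is rejected at startup. -->
            <set name="HTTP_X_REMOTE_USER" value="{C:1}" />
          </serverVariables>
          <!-- Placeholder backend; ARR performs the actual HTTP forwarding. -->
          <action type="Rewrite" url="http://soap-backend.internal:8080/foo/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The header is only trustworthy if the SOAP server accepts connections solely from the IIS host (firewall rule or loopback binding); any client that can reach the backend directly could otherwise send its own X-Remote-User.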