Using IIS Application Request Routing to proxy access to Shibboleth IdP

Microsoft's IIS Application Request Routing (ARR) can act as a reverse proxy in front of a Shibboleth IdP hosted on Tomcat. This suits organisations with Windows-only environments: IIS owns the public HTTPS endpoint and forwards only IdP requests to Tomcat, which listens on the local machine.

1. Install Application Request Routing 2.5 using the Web Platform Installer. Once installed, verify that Application Request Routing appears in the IIS Management Console as shown in Figure 1.

2. Create a server farm in the IIS Management Console: highlight the 'Server Farms' node in the left panel and select 'Create Server Farm' from the Actions menu on the right. You will be prompted for a name for the farm; enter 'Backend Tomcats' as shown in Figure 2.

3. Click 'Next'. You will be prompted for the details of the backend server (Tomcat): enter the IP address that Tomcat listens on (usually 127.0.0.1) and set the port (usually 8080) by clicking 'Advanced Settings', as shown in Figure 3.

Figure 3

4. When you click 'Finish' you will be prompted to create a URL rewrite rule to 'route all incoming requests to the server farm automatically'. Click 'Yes'.

5. Reconfigure the generic URL rewrite rule that IIS created so that it only passes requests to Tomcat when the request path contains '/idp/'. Select the server farm you just created and double-click 'Routing Rules'. Untick the 'Enable SSL off-loading' checkbox, then select 'URL Rewrite' under 'Advanced Routing' on the right hand side of the console. You should see one rule called 'ARR_BackendTomcats'; select that rule and click 'Edit...' under 'Inbound Rules'. You will be presented with the 'Edit Inbound Rule' dialogue as shown in Figure 4.

Figure 4

6. Under 'Pattern', change the wildcard '*' to '*idp/*', then change 'Path' from '{R:1}' to '/idp/{R:2}' and click 'Apply'. IIS should now pass only requests whose path contains 'idp/' to Tomcat. Test this at https://myserver.mydomain/idp/profile/Status, which should return 'ok'. You can confirm the same 'ok' response by bypassing IIS and going directly to Tomcat at http://localhost:8080/idp/profile/Status (from the server itself, since Tomcat listens only on 127.0.0.1).
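The end state of steps 2 to 6, written out as an added example rather than configuration taken from the original page: the fragments of applicationHost.config that IIS Manager writes for the server farm and for the global rewrite rule. The farm name, the 127.0.0.1:8080 backend and the rule name 'ARR_BackendTomcats' follow the steps above; the exact set of attributes that ARR 2.5 emits is an assumption, and the second, tightened rule is my addition and not part of the page.

```xml
<!-- Illustrative fragments of %windir%\System32\inetsrv\config\applicationHost.config.
     Assumed layout: compare with what IIS Manager actually wrote on your server.
     Added example, not text from the original page. -->
<configuration>

  <!-- Steps 2 and 3: a farm with one backend, Tomcat on the loopback address.
       The httpPort is the value entered under 'Advanced Settings' (8080). -->
  <webFarms>
    <webFarm name="Backend Tomcats" enabled="true">
      <server address="127.0.0.1" enabled="true">
        <applicationRequestRouting httpPort="8080" />
      </server>
    </webFarm>
  </webFarms>

  <system.webServer>
    <rewrite>
      <globalRules>

        <!-- Steps 4 to 6 as the page describes them: the generated rule after
             Pattern '*' became '*idp/*' and Path '{R:1}' became '/idp/{R:2}'.
             The leading wildcard is unanchored, so 'anything/idp/x' is also
             forwarded to Tomcat as '/idp/x'. Kept here, disabled, for comparison. -->
        <rule name="ARR_BackendTomcats" patternSyntax="Wildcard"
              stopProcessing="true" enabled="false">
          <match url="*idp/*" />
          <action type="Rewrite" url="http://Backend Tomcats/idp/{R:2}" />
        </rule>

        <!-- Tightened variant (mine, not from the page). URL Rewrite matches the
             request path without its leading slash, so 'idp/*' matches only
             requests whose path begins with /idp/ and forwards that path as-is.
             Everything else is served by IIS and never reaches Tomcat. -->
        <rule name="ARR_BackendTomcats_idp_only" patternSyntax="Wildcard"
              stopProcessing="true">
          <match url="idp/*" />
          <action type="Rewrite" url="http://Backend Tomcats/idp/{R:1}" />
        </rule>

      </globalRules>
    </rewrite>
  </system.webServer>
</configuration>
```

With either rule in place, the check is the same one the page uses: https://myserver.mydomain/idp/profile/Status should return 'ok' through IIS, while a request for a path outside /idp/ should be answered by IIS itself. The proxy is only a useful control if Tomcat is not reachable by any other route, so the Tomcat HTTP connector in server.xml should bind to 127.0.0.1 (its address attribute); that is an assumption about your Tomcat setup rather than something the page states.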