I'm facing a difficult setup where I have to configure single sign on, based on the logged in used on my tomcat application. I already took some steps which allow me to login via single sign on directly on my tomcat application by using waffle.
I have 1 server where I have a tomcat running and a IIS running (but this IIS will move to another server in the same domain in the future). I have the Tomcat running on port 8205 and the IIS configure to accept url's from authpoc.company.com. IIS does a redirect to localhost:8025 via URL Rewrite. My web.xml from IIS
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1">
<match url="(.*)" />
<action type="Rewrite" url="http://localhost:8205/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
What works
- When opening the application directly on localhost:8205 on the server. I get a nice single sign on based on my domain user.
- When opening the application directly on the ip of the server. 192.168.1.1:8205. I can log in but single sign on does not work anymore. This I don't understand. (edit: solved, this is a setting in Internet explorer, see SSO waffle asking username and password for more information)
What doesn't work
- When redirecting from IIS, I don't get to login into my tomcat application. I have windows authentication enabled, with Negotiate and NTML enabled (in this sequence).
I read a lot on the internet but I can't find anyone with this particular setup. I don't really have the impression I'm doing something exotic. One possiblity is that I should connect IIS via AJP instead of a much simpeler URL rewrite.
any help is welcome! Thanks
I got an answer on the google groups saying this is not possible because of the reverse proxy counting as a hop.
https://groups.google.com/forum/#!topic/waffle-users/VCaawJMD0Mw
I'm going to try another approach