...
As an example, consider a proxy or load balancer that runs at "https://service.example.org", and that sits in front of a pair of IIS servers running on port 8080 without TLS enabled. The actual HTTP request to one of those servers might represent the URL "http://ws1prod.example.org:8080"
If the SP relies on IIS to tell it what to do (which is what applications should do), it will produce redirects or reference itself in SAML messages using the latter URL, and not the former. That's broken. This is why IIS does not support this use case and why you shouldn't use it that way. Apache supports this. Use Apache.
...
The following attributes are supported:
Name | Type | Required? | Default | Description |
|---|---|---|---|---|
id | string | Y | The IIS instance ID of the web site to protect. Newer IIS versions actually display this value in the administration tool. | |
name | string | Y | Canonical logical hostname for the web site | |
port | integer | 80 | Logical port for requests if the physical request does not include TLS | |
sslport | integer | 443 | Logical port for requests if the physical request includes TLS | |
scheme | string | http or | Logical scheme for requests, the default depending on the physical use or non-use of TLS | |
useVariables | boolean | value from <ISAPI> element | Controls whether attributes are passed to the application as Server Variables | |
useHeaders | boolean | value from <ISAPI> element | Controls whether attributes are passed as HTTP Headers. This setting should be avoided, but is present to provide a level of compatibility with applications developed against the old ISAPI extension. |
Child Elements
Element | Cardinalty | Description |
|---|---|---|
<Alias> | 0 more | Rarely-used child element that allows a web site to be accessed via alternate canonical URLs without causing redirects to rewrite the hostname into the primary name. This requires that you duplicate any RequestMapper settings for each combination of URL attributes you want to allow. |