Deploy the Shibboleth SP behind a Reverse Web Proxy

Here's a short recipe for deploying a Shibboleth-protected resource behind another Webserver. This may come in handy if you can't modify the proxying (or frontend) webserver, e.g. because it doesn't support DSO, runs on an esoteric platform (AIX, HPUX, etc.) but you still have to integrate some Shibboleth-protected content in its namespace.
The reverse proxy handles all HTTP and HTTPS and speaks plain HTTP to the backend (be sure to use this only on a trusted network), so the Backend is completely invisible (except to the Proxy, of course).

Copying from SPForwardProxy here's a description of the flow of information:

Browser attempts to access https://mainsite.example.org/secure;
Proxy at mainsite.example.org intercepts the request and forwards it internally to backend.example.org/secure;
The <Location /secure> is protected by Shibboleth on the Backend;
The Shibboleth installation on the backend also intercepts the request and generates a redirect with a SHIRE value of https://mainsite.example.org/Shibboleth.sso/SAML/POST and target value of https://mainsite.example.org/secure (with the appropriate providerId per configuration);
Proxy also proxies /Shibboleth.sso to the Backend (besides /secure);
Browser user authenticates and bounces back to https://mainsite.example.org/Shibboleth.sso/SAML/POST with an authentication assertion;
Backend gets the the request from mainsite.example.org.
Backend queries for attributes, applies auth/z logic and generates and returns the page per usual.

Apache Proxy

Any old Apache with mod_proxy will do.

ProxyPass        /Shibboleth.sso/ http://backend.example.org/Shibboleth.sso/
ProxyPassReverse /Shibboleth.sso/ http://backend.example.org/Shibboleth.sso/
ProxyPass        /secure/         http://backend.example.org/secure/
ProxyPassReverse /secure/         http://backend.example.org/secure/

Backend

Apache

Apache 2.2 with mod_shib.

UseCanonicalName On
ServerName set to the scheme, ServerName and Port of the Proxy, see http://httpd.apache.org/docs/2.2/en/mod/core.html#servername
```
ServerName https://mainsite.example.org:443
```

`shibboleth.xml`

set Hostname in RequestMap to "mainsite.example.org", ignore scheme and port.
in Applications -> Sessions set (or leave the default) handlerURL="/Shibboleth.sso" and set handlerSSL="true"

Metadata

The Metadata describing the SP's ACS (configured at the IdP) also points to mainsite.example.org as this is also proxied to the Backend (see above).

<AssertionConsumerService index="1" isDefault="true"
  Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
  Location="https://mainsite.example.org/Shibboleth.sso/SAML/POST"/>
<AssertionConsumerService index="2"
  Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
  Location="https://mainsite.example.org/Shibboleth.sso/SAML/Artifact"/>

Browser not supported