SAML Single Sign-On with URL Rewrites

SAML Single Sign-On with URL Rewrites

Good afternoon,

My organization recently purchased a ME ServiceDeskPlus on-premise license and I had the task of setting it up. Since we're running multiple ManageEngine services on the same server, I utilized IIS Reverse Proxy URL Rewrites to redirect incoming HTTPS traffic over 443 to the default ports of our various services. In this case:

https://servicedesk.company.com:443 rewrites to http://localhost:8080 to get to ServiceDesk.

That all functions perfectly fine, however things seem to get weird when I try to configure Single Sign-On to our local ADFS server. I set up everything pertaining to IDP login and logout URLs and added the relying party trust, etc. But when I click the "Log in with SAML Single Sign On" link on the login page to ServiceDesk, the application is routing the request to the wrong URL.

For instance: ServiceDesk is configured to route SSO requests to https://sts.company.com/adfs/ls. However, when I click the Single Sign-On button, the browser is sending the request to https://servicedesk.company.com/adfs/ls instead.

I even tried configuring an additional URL redirect rule to take that specific URI and redirect it to sts.company.com as proper. When I do that, the SAML2 authentication actually succeeds on the ADFS side, but when it directs me back to ServiceDesk, I receive an error stating SAML authentication failed with error code 42

Looking through the documentation this appears because the SAML reply URL was different from the URL the application thinks it sent the request to.

Any thoughts on how I can get the application to co-operate?
Thanks!