I am currently using the IIS URL Rewrite Module and Application Request Routing on a server in the DMZ to forward requests to a web application running on an internal server.
The application which is deployed on the internal server has SSO which includes Azure AD using OWIN pipeline and openIdConnect.
When a user selects the authenticate using AzureAD option instead of being redirected to the https://login.microsoftonline.com/<tenantname>/...
they are redirected to http://my.company.com/<tenantname>/...
where http://my.company.com
is the URL used to access the application from the DMZ.
The SSO works for all internal instances, i.e. where requests are not being forwarded in a reverse proxy scenario.
Why is this happening when using URL Rewrite and ARR?
Unchecking the Reverse rewrite host in response headers checkbox under Application Request Routing Cache > Server Proxy Settings solved this issue.
Reverse rewrite host in response headers (checked)
ARR will rewrite the host name in the location header of a 301 response to the original host.
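The same change applied from the command line rather than the ARR UI, as an added example that is not part of the original answer. It assumes the IIS WebAdministration module on the DMZ server and an elevated session; the setting behind the checkbox is the reverseRewriteHostInResponseHeaders attribute of the server-level system.webServer/proxy section.

```powershell
# Added example, not from the original post: turn off "Reverse rewrite host in
# response headers" for ARR, so the Location header of the OpenID Connect
# challenge (login.microsoftonline.com) reaches the browser unchanged.
# Assumes the WebAdministration module and an elevated PowerShell session.
Import-Module WebAdministration

$pspath = 'MACHINE/WEBROOT/APPHOST'     # server-level applicationHost.config
$filter = 'system.webServer/proxy'
$name   = 'reverseRewriteHostInResponseHeaders'

# Read the current value. The default is True, which is the behaviour that
# rewrote the external sign-in redirect to http://my.company.com/...
$before = Get-WebConfigurationProperty -PSPath $pspath -Filter $filter -Name $name
"Before: $name = $($before.Value)"

# Equivalent to unchecking the box under
# Application Request Routing Cache > Server Proxy Settings.
Set-WebConfigurationProperty -PSPath $pspath -Filter $filter -Name $name -Value $false

# Confirm the change took effect in applicationHost.config. The resulting
# fragment looks like:
#   <proxy enabled="true" reverseRewriteHostInResponseHeaders="false" />
$after = Get-WebConfigurationProperty -PSPath $pspath -Filter $filter -Name $name
"After:  $name = $($after.Value)"
```

With the rewrite disabled, any redirect the internal application issues with its own internal host name now reaches the client as-is, so the backend must build its redirect URLs from the public host (for example from the forwarded host header) for the proxied flow to keep working.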