I have a requirement to use Keycloak behind IIS where some sort of SSO product is already integrated with IIS. Whatever this product is sets the REMOTE_USER header. It is easy enough to write a custom authenticator for Keycloak to use the REMOTE_USER header. However, Keycloak's Wildfly server (or its embedded Undertow) appears to be stripping out the header.