I have a requirement to use Keycloak behind IIS where some sort of SSO product is already integrated with IIS. Whatever this product is sets the REMOTE_USER header. It is easy enough to write a custom authenticator for Keycloak to use the REMOTE_USER header. However, Keycloak's Wildfly server (or its embedded Undertow) appears to be stripping out the header. 

Is there any way to configure Keycloak or its Wildfly to let the REMOTE_USER header pass through? Or are there any clever workarounds?

Thanks in advance.
Glenn