@fbartels
Thanks for the advice and reference. While reading through it, it seems a bit drastic and disruptive to change the FQDN of the SSO itself.
I was therefore looking into the possibility of reverse proxying from id.domain.com to ucs-sso.intern.domain.com.
So far I have not been able to get a working config. I tried this one, https://help.univention.com/t/o365-sso-tagliches-login/13031, which is supposed to work:
```
<VirtualHost *:443>
    ServerName id.domain.com
    ServerSignature on
    SSLEngine on
    SSLProxyEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLCertificateFile "crt"
    SSLCertificateKeyFile "key"
    <ifModule mod_security2.c>
        SecRuleEngine off
    </ifModule>
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / https://ucs-sso.intern.domain.com/
    ProxyPassReverse / https://ucs-sso.intern.domain.com/
    ErrorLog "/var/log/httpd/error_ucs-sso_log"
    CustomLog "/var/log/httpd/access_ucs-sso_log" combined
</virtualHost>
```
However, the config leads to an endless loop where Apache creates worker processes until the limit is reached and the whole application is blocked.
UPDATE:
In order to minimize sources of error, I redirected to http:// instead of https://. Now I just get an error page in my browser saying “redirection error” instead of an endless loop.