Message 3 of 7
0 Votes
Don't trust the client
We have done a proof of concept, and I was concerned that header crafting was an obvious exploit. What we have done to prevent this is use IP filtering on the IIS application, to only allow requests from the proxy / proxies. This way, you know all requests have been protected by SSO. The only way a request without the header will then arrive at the application is if there is a misconfiguration at the proxy / mod_osso level, and access can be immediately denied.
Posted by Martin_C
21st Apr 2009
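The same two checks the post describes, expressed as an application-side guard that can back up the IIS IP filter: trust the SSO identity header only when the TCP peer is an allow-listed proxy, and treat a header-less request from a trusted proxy as a misconfiguration to reject. This is an added example, not the poster's code; the proxy address ranges and the `Osso-User-Dn` header name are assumptions.

```python
"""Added example (not from the original post): enforce that the SSO-injected
identity header is trusted only when the request came from an allow-listed
proxy, mirroring the IP-filtering approach described in the thread."""
import ipaddress
from typing import Mapping

# Assumed: the SSO proxies (mod_osso front ends) that may reach the application.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.1.10/32", "10.0.1.0/28")]
# Assumed name of the header the proxy sets after authenticating the user.
SSO_USER_HEADER = "Osso-User-Dn"


class AccessDenied(Exception):
    """Raised when the request must not be served."""


def from_trusted_proxy(remote_addr: str, trusted=TRUSTED_PROXIES) -> bool:
    """Return True if the TCP peer address belongs to an allow-listed proxy."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # malformed or missing peer address is never trusted
    return any(addr in net for net in trusted)


def authenticated_user(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Return the SSO user for a request, or raise AccessDenied.

    Two failure modes the post calls out:
      * a request that bypassed the proxy (wrong source IP) is rejected even
        if it carries a crafted identity header;
      * a request from the proxy without the header means the proxy or
        mod_osso is misconfigured, so it is rejected rather than served.
    """
    if not from_trusted_proxy(remote_addr):
        raise AccessDenied(f"source {remote_addr} is not an allow-listed proxy")
    # HTTP header names are case-insensitive, so compare lower-cased.
    user = next((v for k, v in headers.items()
                 if k.lower() == SSO_USER_HEADER.lower()), None)
    if not user:
        raise AccessDenied("request reached app without SSO header; "
                           "check proxy / mod_osso configuration")
    return user
```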