I was working with Tech Svcs and Security over at AIS. They were extremely helpful with the hands-off implementation via Apache/IIS. This is probably the route he should take.
For my app, I just made the HTTP SOAP calls in the application. It's not that hard, and provides a more flexible, albeit less scalable, solution. I just needed simple & quick AuthN for a single app.