So going to the iframe reveals an address like https://example.com/?remote=[InstanceID] (where InstanceID is replaced with the actual Instance ID), but going to this address just takes me to the ADS login, so logging into it won't do anything (since the user is only on the local instance).
I would imagine your method is correct, and my initial thoughts were that the parameters after the domain are not passed through the proxy to the ADS. But now I am not sure about this because giving it different parameters (such as typing random characters) seems to lead to a blank page.
Anyway, if I try to go to https://example.com/?remote=[InstanceID] it does not seem to bring me to the specific instance page but rather the page for the ADS, and logging in just says "No access to specified instance". The console for the ADS just says "Authentication failure for user testuser from 127.0.0.1 - User is locked to instance [InstanceID]".
I think I need to have a little play and see whether the parameters are being passed properly, and perhaps even open the ports through iptables and allow only my IP address to see if the proxy is messing with anything. In the meantime, can you shine some light on this issue?
By the way, I do like the idea of this being done through subdomains/subdirectories in the future.