I ended up doing two things.
First, I created a new module using Not Found MVC as a template, in particular the InstallerModule code.
I added the following in system.web > httpModules:
<add name="InstallerModule" type="IgnoreShibboleth.InstallerModule, IgnoreShibboleth" />
I also added the same to system.webServer > modules.
All the code did was add in the ignore routes.
routes.IgnoreRoute("Shibboleth.sso/{isapiInfo}/{isapiDetails}");
routes.IgnoreRoute("Shibboleth.sso/{*pathInfo}");
The final step I was really close on. I added the following under system.webServer > handlers, immediately after the <clear />:
<add name="Shib" path="*.sso" verb="*" modules="IsapiModule" scriptProcessor="{path-to}\lib\shibboleth\isapi_shib.dll" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,bitness64" />
The last time wasn't required in the past, but seems necessary for something Orchard is doing.
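
An added example, not part of the original answer or of Orchard's or Shibboleth's own code: a Python check that a web.config has the layout described above, with the module registered in both sections and the *.sso ISAPI handler directly after <clear />. The sample config and its CatchAll handler are constructed for illustration, and the scriptProcessor path keeps the post's {path-to} placeholder.

```python
import xml.etree.ElementTree as ET

MODULE_NAME = "InstallerModule"  # module name taken from the post

# Constructed sample web.config; the CatchAll entry is illustrative only.
SAMPLE = r"""<configuration>
  <system.web>
    <httpModules>
      <add name="InstallerModule" type="IgnoreShibboleth.InstallerModule, IgnoreShibboleth" />
    </httpModules>
  </system.web>
  <system.webServer>
    <modules>
      <add name="InstallerModule" type="IgnoreShibboleth.InstallerModule, IgnoreShibboleth" />
    </modules>
    <handlers>
      <clear />
      <add name="Shib" path="*.sso" verb="*" modules="IsapiModule" scriptProcessor="{path-to}\lib\shibboleth\isapi_shib.dll" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,bitness64" />
      <add name="CatchAll" path="*" verb="*" type="System.Web.HttpNotFoundHandler" />
    </handlers>
  </system.webServer>
</configuration>"""


def check_shib_config(xml_text):
    """Return a list of problems; an empty list means the layout matches the post."""
    root = ET.fromstring(xml_text)
    problems = []
    # The module must be registered for both classic and integrated pipelines.
    for section in ("system.web/httpModules", "system.webServer/modules"):
        node = root.find(section)
        names = [] if node is None else [a.get("name") for a in node.findall("add")]
        if MODULE_NAME not in names:
            problems.append(f"{MODULE_NAME} missing from {section}")
    # The *.sso handler must be the first entry after <clear />.
    handlers = root.find("system.webServer/handlers")
    children = [] if handlers is None else list(handlers)
    clear_at = next((i for i, c in enumerate(children) if c.tag == "clear"), None)
    if clear_at is None:
        problems.append("no <clear /> in system.webServer/handlers")
        return problems
    after = children[clear_at + 1] if clear_at + 1 < len(children) else None
    if after is None or after.tag != "add" or after.get("path") != "*.sso":
        problems.append("*.sso handler is not immediately after <clear />")
    elif after.get("modules") != "IsapiModule":
        problems.append("*.sso handler is not mapped to IsapiModule")
    return problems
```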