Connecting PSU to an Azure App Proxy with Azure AD and OIDC

Hello guys,

I am trying to take the APIs we host in our local data center and publish them to the WWW with an Azure App Proxy . Conceptually it makes sense, however I am running into issues with authentication. Here’s a diagram of my basic architecture:

image664×672 29.8 KB

I can authenticate into Azure AD the first time, but it appears that after the initial Azure AD authentication PSU get’s hung up on on the OIDC authentication. I believe that PSU is trying to Authenticate again to Azure AD. I get a 500 error when I browse to my Azure Enterprise App URL.

image1113×474 13.4 KB

To test this out I disabled OIDC and was able to browse to the external login page for PSU without an issue.

image986×804 9.71 KB

So my question becomes two fold: 1. Is there a way to pass the auth token from the first Azure AD session so we aren’t doing OIDC the second time? and 2. If I want to enforce MFA and allow users and computers to access my on-prem instance of PSU (APIs and Dashboards) is this the best approach? Or should I just turn off OIDC and control everything from the App Proxy?

Comments and suggestions welcome - thanks

Product: PowerShell Universal
Version: 2.5.2

Updating this - I got this to work by doing the following:

1. Changing the Pre Authentication to ‘Passthrough’ under the blade in the Enterprise Application settings

image1005×99 3.58 KB

2. Setting Translate URLs / Headers to NO

image808×206 9.54 KB

3. Setting Assignment required to NO. This is required if you are using OIDC - my environment in PSU

image1023×362 20 KB

Hope this helps someone else

Further investigation on this I found that the only required Azure setting change is to set pre-authentication to ‘Passthrough’