2x Azure App Service Web App with Container-Image from Docker-Hub (ironmansoftware/universal:3.7.10-ubunutu-20.04-ps-7.3.0)
Azure SQL Server + DB as backend
Azure DevOps Git Repository for PowerShell Universal Configuration Repository
OIDC SSO with an Azure App Registration
Let's call the app service containers:
APP001
APP002
Our deployment works very well if we browse the app-service URLs from each container separately (https://APP001.azurewebsites.net or https://APP02.azurewebsites.net)
As we want to use this deployment as a highly available setup, we want to use a single URL for both servers (e.g. https://APP-HA.ourdomain.com) (a frontend load balancer)
In our case, we use Azure Application Gateway in Standard SKU v1. This works very well for the local (non-SSO) login (https://APP-HA.ourdomain.com/login → bypass OIDC)
But as soon as we want to use OIDC and browse to https://APP-HA.ourdomain.com, PowerShell Universal is redirecting us to APP01.azurewebsites.net/auth/signin-oidc, but it should redirect us to the HA URL: https://APP-HA.ourdomain.com/auth/signin-oidc
Unfortunately, we can only define a relative path in the OIDC configuration ("Authentication__OIDC__CallbackPath": "/auth/signin-oidc")
How can we redirect to the custom high-available domain after successful login in Azure AD?
The redirectUri in the Azure App Registration is pointing to the high-available URI (https://APP-HA.ourdomain.com)
It looks like we need to make a tweak to the forwarded headers logic in PSU. The last header (X-Forwarded-Host) is not being processed. It appears we are only passing along the original client IP and protocol. This is why it switches to HTTPS but doesn’t change the forwarded host name.
Obviously, this is a little tweak on our end but will require some testing to ensure that it works for you. I can get this into tonight’s nightly build and deploy a preview docker image if that works for you.
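The forwarded-header behaviour described in the reply above can be modelled as follows. This is an added example, not PowerShell Universal's code or part of the reply. It shows why the callback URL picks up HTTPS but keeps the backend host name until X-Forwarded-Host is processed, and why that header should only be honored from the gateway and for an allow-listed host. The gateway subnet, client addresses, allow-list and sample requests are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlunsplit

# Assumptions for illustration (not from the thread): gateway subnet and allow-list.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]
ALLOWED_HOSTS = {"app-ha.ourdomain.com"}
CALLBACK_PATH = "/auth/signin-oidc"  # relative callback path, as configured in the thread


def effective_origin(req, honor_forwarded_host):
    """Return the (scheme, host) the app uses when it builds absolute URLs."""
    scheme, host = req["scheme"], req["host"]
    if not any(ip_address(req["peer"]) in net for net in TRUSTED_PROXIES):
        return scheme, host  # sender is not the gateway: ignore every X-Forwarded-* header
    headers = {k.lower(): v for k, v in req["headers"].items()}
    # Use the right-most value: it is the one written by the nearest (trusted) hop.
    proto = headers.get("x-forwarded-proto", "").split(",")[-1].strip().lower()
    if proto in ("http", "https"):
        scheme = proto
    if honor_forwarded_host:
        fwd = headers.get("x-forwarded-host", "").split(",")[-1].strip().lower()
        if fwd in ALLOWED_HOSTS:  # never reflect an arbitrary host into the redirect_uri
            host = fwd
    return scheme, host


def oidc_redirect_uri(req, honor_forwarded_host):
    """Absolute redirect_uri sent to the identity provider for this request."""
    scheme, host = effective_origin(req, honor_forwarded_host)
    return urlunsplit((scheme, host, CALLBACK_PATH, "", ""))


# Constructed sample requests as seen by one backend container.
VIA_GATEWAY = {
    "peer": "10.0.0.4", "scheme": "http", "host": "APP01.azurewebsites.net",
    "headers": {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "https",
                "X-Forwarded-Host": "APP-HA.ourdomain.com"},
}
DIRECT_SPOOFED = {
    "peer": "198.51.100.9", "scheme": "https", "host": "APP01.azurewebsites.net",
    "headers": {"X-Forwarded-Host": "untrusted.example"},
}

if __name__ == "__main__":
    print(oidc_redirect_uri(VIA_GATEWAY, honor_forwarded_host=False))    # behaviour in the thread
    print(oidc_redirect_uri(VIA_GATEWAY, honor_forwarded_host=True))     # after the change
    print(oidc_redirect_uri(DIRECT_SPOOFED, honor_forwarded_host=True))  # header ignored
```

The redirect_uri produced with the host header honored must still match the one registered in the Azure App Registration, so the allow-list and the registration should name the same public host.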
@adam I have seen you already published the 3.7.12 nightly build with the changes on the X-Forwarded-Host header. Thank you for the very quick implementation!