Open ID Connect (OIDC) and MFA

Product: PowerShell Universal
Version: 2.4.0

Unfortunately, I’m more familiar with the intricacies of SAML 2.0 than I am with Open ID Connect, but I’m trying to draft up a feature request for the following:

  • The ability to require MFA when authenticating using OIDC (Specify acr_values on auth request)
  • The ability to force reauthentication via OIDC to view a dashboard, as a toggleable option when defining a dashboard.

I think forcing a requirement of MFA for authentication is self-evident in this day and age, but the reason to force reauthentication is that some workflows are so sensitive that we do not want to rely on an existing SSO claim at the time of execution and want to force a new one. In SAML-land, we just use ForceAuthn, but I’m not sure of the equivalent in OIDC (prompt=login?)

Some useful dev resources:

@adam

I am not that well versed in this either. The heavy lifting of the OIDC implementation in PSU is done via the Microsoft.AspNetCore.Authentication.OpenIdConnect package. We mostly specify parameters as options to the configuration. It does look like forcing (prompting) reauth on routes is possible, but I have no idea about MFA.

When using OIDC with AzureAD, you can configure MFA within the Azure AD system and then it prompts during authentication and PSU doesn’t actually have to do anything with the MFA prompt.

// Needs Microsoft.AspNetCore.Authentication.OpenIdConnect and System.Threading.Tasks in scope;
// `options` is the OpenIdConnectOptions instance being configured.
options.Events = new OpenIdConnectEvents
{
	// Runs before every redirect to the identity provider, so the request can be adjusted here.
	OnRedirectToIdentityProvider = context =>
	{
		// Ask the provider to perform MFA. Amr.Mfa is a constant defined elsewhere in the
		// original snippet; the acr value a provider accepts is provider-specific.
		context.ProtocolMessage.SetParameter("acr_values", Amr.Mfa);

		// The event delegate returns a Task; nothing asynchronous happens here.
		return Task.CompletedTask;
	}
};
1 Like

@adam Any possibility of this?

If you use Set-PSUAuthenticationMethod, you can set the -Configure parameter. It accepts a script block and that allows you access directly to the options. It may work for this scenario.

Set-PSUAuthenticationMethod -Configure {
   param($Options)

   # Runs before every redirect to the identity provider; add acr_values so the IdP is asked for MFA.
   $Options.Events.OnRedirectToIdentityProvider = {
       param($Context)
       $Context.ProtocolMessage.SetParameter("acr_values", 'Mfa')
       # The delegate is Func<RedirectContext, Task>; return a completed Task (a $null Task would
       # throw when the handler awaits it), matching the C# sample above.
       return [System.Threading.Tasks.Task]::CompletedTask
   }
} # rest of OIDC parameters here

I can also open an issue for this. We added the configure parameter because there are so many options for every authentication provider.

1 Like
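Putting the two requests from the thread together, as an added example rather than code from PSU or from any of the posters: a -Configure block that sends acr_values and prompt=login on every redirect (prompt=login is what OIDC Core defines for requesting reauthentication, the counterpart of SAML ForceAuthn), and then inspects the amr claim of the validated ID token so the application does not merely trust that the provider honoured the request. It assumes, as the post above does, that the script block receives the OpenIdConnectOptions object as $Options; the acr value 'Mfa' is the one used earlier in this thread and is provider-specific.

```powershell
# Added example (not PSU's own code). Assumes -Configure receives the OpenIdConnectOptions as $Options.
Set-PSUAuthenticationMethod -Configure {
    param($Options)

    # 1. Ask the identity provider for MFA and for a fresh authentication on every redirect.
    #    acr_values='Mfa' is the value used earlier in this thread; accepted values are provider-specific.
    #    prompt=login is the OIDC Core request for reauthentication (SAML ForceAuthn equivalent).
    $Options.Events.OnRedirectToIdentityProvider = {
        param($Context)
        $Context.ProtocolMessage.SetParameter('acr_values', 'Mfa')
        $Context.ProtocolMessage.Prompt = 'login'
        return [System.Threading.Tasks.Task]::CompletedTask
    }

    # 2. Do not rely on the request alone: once the ID token is validated, require an 'amr' claim
    #    that records a multi-factor method. The JSON 'amr' array arrives as one claim per value;
    #    'mfa' is what Azure AD emits, and RFC 8176 also defines 'mca' (multiple-channel auth).
    $Options.Events.OnTokenValidated = {
        param($Context)
        $amr = @($Context.Principal.FindAll('amr') | ForEach-Object { $_.Value.ToLowerInvariant() })
        $multiFactorMethods = @('mfa', 'mca')
        $satisfied = @($amr | Where-Object { $multiFactorMethods -contains $_ }).Count -gt 0
        if (-not $satisfied) {
            # Fail() makes the middleware reject this sign-in with the given message.
            $Context.Fail("Sign-in rejected: no multi-factor amr value in ID token (amr=$($amr -join ','))")
        }
        return [System.Threading.Tasks.Task]::CompletedTask
    }
} # rest of the OIDC parameters (client id, authority, etc.) go here, as in the post above
```

Step 2 is the check that matters for the first feature request: a provider that ignores or downgrades the acr_values hint still issues a token, and only the amr claim tells you which factors were actually used.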