Product: PowerShell Universal Version: 5.0.15
I am trying to hook up our PSU server to Azure SAML2.
But the documentation does not fit the GUI screens I see.
For now I am puzzled what to put where…
If anybody knows how to get that going, any help appreciated.
I have access to the azure portal and need to match what I enter there to what PSU needs, and get PSU configured accordingly.
Thanks.
Edit:
Never mind, I got it working.
Now need to get the role assignments sorted out.
Edit 2:
Works as well.
Edit 3:
policy scripts: yep.
I seem to always poke around for a long time, then finally ask in the forum, and then find a solution.
Wait! Not yet.
When I log off, it takes me back to the local user login page.
How can I change that?
Or how can I add a link to the normal login page?
It seems LoginPageLinks are gone in V5.
Recommended Answer
So, 5.0.16 brought a SAML2 login button. Great.
But it loops endlessly for me.
The “normal” way to log in via SAML2 works, which is to just open a browser tab with the PSU URL; it redirects to Azure, and back to PSU. No issues.
Any ideas?
Edit:
Adam acknowledged here:
I opened an issue to track this.
SAML2 Redirect Loop from Login Page · Issue #4075 · ironmansoftware/powershell-universal · GitHub
Redirecting to the login page, even when using SSO, was actually a feature request that needs a configuration option to allow users to hide\disable the page completely and just redirect to the desired resource. Having a login page allows the user to select their authentication method when multiple are defined. That said, we need better logic. It shouldn’t redirect …
Our group used the OpenID Connect integration, as OpenID offers more in being a current authentication stack. SAML, while good, is limited in its functionality and has its drawbacks. One of SAML’s drawbacks is that the logout URL terminates all of your SAML session tokens for the whole browser session. So if you are logged into another service at your organization, SAML logout will log you out of that session as well. OIDC does not have this drawback.
Many thanks for your reply and the info.
I have been told to use SAML2 for now, so that is what I follow.
Anyway it would be nice to have a link or button on the login page, allowing for SSO.
Most other applications work that way, and that is what is expected from “my” app.
Actually it seems there is something not updated in PSU v5 docu.
It still talks about a loginpage script, while it is branding.ps meanwhile.
This script is responsible for configuring a custom login page. You can use the New-PSULoginpage and New-PSULoginPageLink in this file.
And the API for New-PSUBranding has an option for
-LoginPageLinks <LoginPageLink>
But the New-PSULoginPageLink is gone.
There is no such function for the branding page.
So something is not consistent.
Please bring back the links, or, better, allow for some code to show a button.