Friday, 27 May 2011

Scripting ADFS 2.0 to make a SharePoint 2010 relying party trust

I really wanted to use Set-ADFSRelyingPartyTrust -IssuanceTransformRules, but for some weird reason, no matter how I set up the parameters, I would just “screw” up the Claim Rules when looking at them in the GUI, so I ended up using a ClaimRuleFile instead.

$webappurl = 'sharepoint.example.com'   # placeholder: host name of the SharePoint web application (set this before running)

# load the ADFS 2.0 snap-in if it is not already loaded
$snapin = Get-PSSnapin | where {$_.name -eq 'Microsoft.Adfs.PowerShell'}
if($snapin -eq $null){ Add-PSSnapin Microsoft.Adfs.PowerShell }

# SharePoint 2010 expects both the /_trust/ URL and the urn:sharepoint realm as identifiers
$Identifier = @(("https://" + $webappurl +"/_trust/"),('urn:sharepoint:' + $webappurl))
$rpt = Get-ADFSRelyingPartyTrust $webappurl
# note: -EncryptionCertificateRevocationCheck None turns off revocation checking of the relying party's encryption certificate
if(!$rpt) { $rpt = Add-ADFSRelyingPartyTrust -Identifier $Identifier -name $webappurl -EncryptionCertificateRevocationCheck None }
# Set-ADFSRelyingPartyTrust -TargetName $webappurl -EncryptionCertificateRevocationCheck None
Set-ADFSRelyingPartyTrust -TargetName $webappurl -Identifier $Identifier

# issuance authorization rule: permit everyone who authenticates at ADFS
$IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Set-ADFSRelyingPartyTrust -TargetName $webappurl -IssuanceAuthorizationRules $IssuanceAuthorizationRules

# issuance transform rules are loaded from a claim rule file (content shown below) instead of being passed inline
$rSet = New-ADFSClaimRuleSet -ClaimRuleFile 'X:\SPS_2010_prov\IssuanceTransformRules.txt'
Set-ADFSRelyingPartyTrust -TargetName $webappurl -IssuanceTransformRules $rSet.ClaimRulesString
# $IssuanceTransformRules = '@RuleTemplate = "LdapClaims" @RuleName = "Pass-through LDAP Claims" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";sAMAccountName,mail,tokenGroups;{0}", param = c.Value);'
# Set-ADFSRelyingPartyTrust -TargetName $webappurl -IssuanceTransformRules $IssuanceTransformRules

#$samlEndpoint = New-ADFSSamlEndpoint -Protocol 'SAMLAssertionConsumer' -Uri ('https://' + $webappurl + '/_trust/') -Binding 'POST' -IsDefault $true -Index 0
# Set-ADFSRelyingPartyTrust -TargetName $webappurl -SamlEndpoint $samlEndpoint

# WS-Federation passive endpoint of the SharePoint web application
Set-ADFSRelyingPartyTrust -TargetName $webappurl -WSFedEndpoint "https://$webappurl/_trust/"

#Set-ADFSRelyingPartyTrust -TargetName $webappurl -TokenLifetime 5


And here's the content of IssuanceTransformRules.txt (note it's just a plain copy-and-paste from (Get-ADFSRelyingPartyTrust $webappurl).IssuanceTransformRules):


@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";sAMAccountName,userPrincipalName,tokenGroups;{0}", param = c.Value);
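As an added check that is not part of the original script, the following reads the trust back with Get-ADFSRelyingPartyTrust and compares it against what the script above and the claim rule file are meant to produce (identifiers, WS-Fed endpoint, issued claim types, authorization rule, revocation setting). It assumes the ADFS 2.0 snap-in and that $webappurl holds the web application host name; the Test-SharePointRelyingPartyTrust function name is my own.

```powershell
# Verification of a SharePoint 2010 relying party trust (added example, not from the post)
$webappurl = 'sharepoint.example.com'   # placeholder: replace with your web application host name
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

function Test-SharePointRelyingPartyTrust {
    param([Parameter(Mandatory = $true)][string]$WebAppUrl)
    $rpt = Get-ADFSRelyingPartyTrust -Name $WebAppUrl
    if (-not $rpt) { return @("Relying party trust '$WebAppUrl' not found") }
    $findings = @()

    # SharePoint expects both the realm URN and the /_trust/ URL as identifiers
    foreach ($id in @("urn:sharepoint:$WebAppUrl", "https://$WebAppUrl/_trust/")) {
        if ($rpt.Identifier -notcontains $id) { $findings += "Missing identifier: $id" }
    }

    # the WS-Federation passive endpoint must point at the /_trust/ page
    if ("$($rpt.WSFedEndpoint)" -ne "https://$WebAppUrl/_trust/") {
        $findings += "Unexpected WS-Fed endpoint: $($rpt.WSFedEndpoint)"
    }

    # the transform rules must issue every claim type SharePoint is configured to map
    $claimTypes = @('http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname',
                    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
                    'http://schemas.microsoft.com/ws/2008/06/identity/claims/role')
    foreach ($type in $claimTypes) {
        if ($rpt.IssuanceTransformRules -notmatch [regex]::Escape($type)) {
            $findings += "Transform rules do not issue $type"
        }
    }

    # without an issuance authorization rule nobody is permitted to get a token
    if (-not $rpt.IssuanceAuthorizationRules) { $findings += 'No issuance authorization rules set' }

    # the script sets this to None; flag it so the decision is a conscious one
    if ($rpt.EncryptionCertificateRevocationCheck -eq 'None') {
        $findings += 'Encryption certificate revocation check is disabled (None)'
    }
    return $findings
}

$result = Test-SharePointRelyingPartyTrust -WebAppUrl $webappurl
if ($result.Count -eq 0) { 'Relying party trust matches the expected SharePoint 2010 configuration' }
else { $result }
```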
