AdfsRelyingPartyTrust - X-Guardian/AdfsDsc GitHub Wiki
AdfsRelyingPartyTrust
Parameters
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Name | Key | String | Specifies the friendly name of this relying party trust. | |
AccessControlPolicyName | Write | String | Specifies the name of an access control policy. | |
AccessControlPolicyParameters | Write | MSFT_AdfsAccessControlPolicyParameters | Specifies the parameters and their values to pass to the access control policy. | |
AdditionalAuthenticationRules | Write | String | Specifies additional authorization rules that require further authentication, based on user, device and location attributes, after the first step of authentication completes. Note: these rules must only be configured after at least one authentication provider is enabled for additional authentication. | |
AdditionalWSFedEndpoint | Write | StringArray[] | Specifies an array of alternate return addresses for the application. This is typically used when the application indicates to AD FS what the return URL should be on successful token generation. AD FS only honours return URLs that the administrator has entered as trusted, so every acceptable URL must be listed here. | |
AutoUpdateEnabled | Write | Boolean | Indicates whether changes to the federation metadata published at MetadataUrl are applied automatically to the configuration of the trust relationship. If True, partner claims, certificates and endpoints are updated automatically. | |
ClaimAccepted | Write | StringArray[] | Specifies an array of claims that this relying party accepts. | |
ClaimsProviderName | Write | StringArray[] | Specifies the names of the claims providers that are offered to users of this relying party, restricting home realm discovery to those providers. | |
DelegationAuthorizationRules | Write | String | Specifies the delegation authorization rules for issuing claims to this relying party. | |
Enabled | Write | Boolean | Indicates whether the relying party trust is enabled. | |
EnableJWT | Write | Boolean | Indicates whether a JSON Web Token (JWT) is issued in response to a WS-Federation request. By default, SAML tokens are issued over WS-Federation. | |
EncryptClaims | Write | Boolean | Indicates whether the claims sent to the relying party are encrypted. | |
EncryptedNameIdRequired | Write | Boolean | Indicates whether the relying party requires that the NameID claim be encrypted. | |
EncryptionCertificateRevocationCheck | Write | String | Specifies the type of revocation check performed on the encryption certificate that is used to encrypt claims to the relying party. | None , CheckEndCert , CheckEndCertCacheOnly , CheckChain , CheckChainCacheOnly , CheckChainExcludeRoot , CheckChainExcludeRootCacheOnly |
Identifier | Write | StringArray[] | Specifies the unique identifiers for this relying party trust. No other trust can use an identifier from this list. Uniform Resource Identifiers (URIs) are often used as unique identifiers for a relying party trust, but any string of characters is accepted. | |
ImpersonationAuthorizationRules | Write | String | Specifies the impersonation authorization rules for issuing claims to this relying party. | |
IssuanceAuthorizationRules | Write | String | Specifies the issuance authorization rules for issuing claims to this relying party. | |
IssuanceTransformRules | Write | MSFT_AdfsIssuanceTransformRule[] | Specifies the issuance transform rules for issuing claims to this relying party. | |
MetadataUrl | Write | String | Specifies a URL at which the federation metadata for this relying party trust is available. | |
MonitoringEnabled | Write | Boolean | Indicates whether periodic monitoring of this relying party's federation metadata is enabled. The MetadataUrl parameter specifies where that metadata is published. | |
NotBeforeSkew | Write | SInt32 | Specifies the skew, as an integer number of minutes, for the time stamp that marks the beginning of the token validity period. | |
Notes | Write | String | Specifies notes for this relying party trust. | |
ProtocolProfile | Write | String | Specifies which protocol profiles the relying party supports. | SAML , WsFederation , WsFed-SAML |
SamlResponseSignature | Write | String | Specifies which parts of a SAML response the relying party expects to be signed. | AssertionOnly , MessageAndAssertion , MessageOnly |
SignatureAlgorithm | Write | String | Specifies the signature algorithm that the relying party uses for signing and verification. | http://www.w3.org/2000/09/xmldsig#rsa-sha1 , http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 |
SignedSamlRequestsRequired | Write | Boolean | Indicates whether the Federation Service requires signed SAML protocol requests from the relying party. If True, the Federation Service rejects unsigned SAML protocol requests. | |
SigningCertificateRevocationCheck | Write | String | Specifies the type of certificate validation that occurs when signatures on requests from the relying party are verified. | None , CheckEndCert , CheckEndCertCacheOnly , CheckChain , CheckChainCacheOnly , CheckChainExcludeRoot , CheckChainExcludeRootCacheOnly |
TokenLifetime | Write | SInt32 | Specifies the duration, in minutes, for which the claims issued to the relying party are valid. | |
WSFedEndpoint | Write | String | Specifies the WS-Federation Passive URL for this relying party. | |
AllowedClientTypes | Write | StringArray[] | Specifies the OAuth client types that are allowed to obtain tokens for this relying party. | None , Public , Confidential |
AlwaysRequireAuthentication | Write | Boolean | Indicates whether users must authenticate afresh on every request to this relying party, even when they already hold an AD FS single sign-on session. | |
RequestMFAFromClaimsProviders | Write | Boolean | Indicates whether to request MFA from the user's claims provider when multi-factor authentication is required for this relying party. | |
AllowedAuthenticationClassReferences | Write | StringArray[] | Specifies an array of allowed authentication class references. | |
IssueOAuthRefreshTokensTo | Write | String | Specifies the device types to which OAuth refresh tokens are issued. | NoDevice , WorkplaceJoinedDevices , AllDevices |
RefreshTokenProtectionEnabled | Write | Boolean | Indicates whether refresh token protection is enabled. | |
SamlEndpoint | Write | MSFT_AdfsSamlEndpoint[] | Specifies an array of Security Assertion Markup Language (SAML) protocol endpoints for this relying party. | |
Ensure | Write | String | Specifies whether the relying party trust should be present or absent. | Present , Absent |
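As an added example (not part of the AdfsDsc project's own wiki or samples), the configuration below sets the properties from the table that decide how much the Federation Service trusts the relying party, with the weaker alternative noted beside each. It defines the trust manually rather than from metadata, so every value is visible in the configuration. The trust name, host names, endpoint paths and the group name are placeholders.

```powershell
# Added example (not from the AdfsDsc project): a manually defined trust that
# supports both WS-Federation and SAML, with the trust-affecting settings set
# explicitly. Host names, the trust name and the group name are placeholders.
Configuration AdfsRelyingPartyTrust_Hardened_Config
{
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        AdfsRelyingPartyTrust WebApp1
        {
            Name            = 'WebApp1'
            Enabled         = $true
            Notes           = 'Hardened trust for https://webapp1.fabrikam.com'
            Identifier      = @('https://webapp1.fabrikam.com')
            ProtocolProfile = 'WsFed-SAML'

            # Return addresses: AD FS only sends tokens to URLs listed on the
            # trust, so list exact URLs you control (no wildcards, no http://).
            WSFedEndpoint           = 'https://webapp1.fabrikam.com/'
            AdditionalWSFedEndpoint = @('https://webapp1.fabrikam.com/signin-wsfed')
            SamlEndpoint            = @(
                MSFT_AdfsSamlEndpoint
                {
                    Binding   = 'POST'
                    Index     = 0
                    IsDefault = $true
                    Protocol  = 'SAMLAssertionConsumer'
                    Uri       = 'https://webapp1.fabrikam.com/saml/acs'
                }
            )

            # Weak alternative: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
            SignatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

            # Reject unsigned AuthnRequests and sign both the SAML message and
            # the assertion. Weak alternatives: $false and 'AssertionOnly'.
            SignedSamlRequestsRequired = $true
            SamlResponseSignature      = 'MessageAndAssertion'

            # Check revocation of the partner's certificates. The root is trusted
            # by configuration, so excluding it avoids a needless CRL fetch.
            # Weak alternative: 'None'.
            SigningCertificateRevocationCheck    = 'CheckChainExcludeRoot'
            EncryptionCertificateRevocationCheck = 'CheckChainExcludeRoot'

            # Encrypt claims to the relying party. The resource has no parameter
            # for the partner's encryption certificate, so this only takes effect
            # once that certificate is on the trust (e.g. imported from metadata).
            EncryptClaims = $true

            # Token validity in minutes (0 means the AD FS default of 60) and no
            # backward skew of the NotBefore timestamp.
            TokenLifetime = 10
            NotBeforeSkew = 0

            # Authorize a specific group rather than 'Permit everyone'.
            AccessControlPolicyName       = 'Permit specific group'
            AccessControlPolicyParameters = MSFT_AdfsAccessControlPolicyParameters
            {
                GroupParameter = @('FABRIKAM\WebApp1 Users')
            }

            # A browser-based web application: no OAuth client types and no
            # refresh tokens for this trust.
            AllowedClientTypes        = @('None')
            IssueOAuthRefreshTokensTo = 'NoDevice'
        }
    }
}
```

The revocation-check values default to checking the full chain only if you set them; a trust created with the management console may carry `None` for both, so set them explicitly rather than relying on what an existing trust already has.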
MSFT_AdfsLdapMapping
Parameters
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
LdapAttribute | Required | String | Specifies the LDAP attribute. | |
OutgoingClaimType | Required | String | Specifies the outgoing claim type. | |
MSFT_AdfsIssuanceTransformRule
Parameters
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
TemplateName | Required | String | Specifies the name of the claim rule template. | LdapClaims , EmitGroupClaims , CustomClaims |
Name | Required | String | Specifies the name of the claim rule. | |
AttributeStore | Write | String | Specifies the attribute store from which to extract LDAP attributes. | |
LdapMapping | Write | MSFT_AdfsLdapMapping[] | Specifies the mapping pairs of LDAP attributes to outgoing claim types. | |
GroupName | Write | String | Specifies the Active Directory group. | |
OutgoingClaimType | Write | String | Specifies the outgoing claim type. | |
OutgoingNameIDFormat | Write | String | Specifies the outgoing Name ID format if Name ID is specified as the outgoing claim type. | |
OutgoingClaimValue | Write | String | Specifies the outgoing claim value. | |
CustomRule | Write | String | Specifies the custom claim rule. | |
MSFT_AdfsAccessControlPolicyParameters
Parameters
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
GroupParameter | Write | StringArray[] | Specifies the Group Parameter. | |
MSFT_AdfsSamlEndpoint
Parameters
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Binding | Write | String | Specifies the binding type of the endpoint. | Artifact , POST , Redirect , SOAP |
Index | Write | SInt32 | Specifies the index that is defined for this endpoint. | |
IsDefault | Write | Boolean | Indicates whether this is a default endpoint for the particular protocol type. | |
Protocol | Write | String | Specifies the type of service at the endpoint. | SAMLArtifactResolution , SAMLAssertionConsumer , SAMLLogout , SAMLSingleSignOn |
ResponseUri | Write | String | Specifies the response URI for the endpoint. | |
Uri | Write | String | Specifies the URI of this endpoint. | |
Description
The AdfsRelyingPartyTrust DSC resource manages the relying party trusts of the Federation Service.
Examples
Example 1
This configuration will add a relying party trust named Fabrikam for federation using the federation metadata document published at the specified URL.
```powershell
Configuration AdfsRelyingPartyTrust_Metadata_Config
{
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        AdfsRelyingPartyTrust Fabrikam
        {
            Name        = 'Fabrikam'
            MetadataUrl = 'https://fabrikam.com/federationmetadata/2007-06/federationmetadata.xml'
        }
    }
}
```
Example 2
This configuration will add a relying party trust with an LDAP Claims issuance transform rule in Active Directory Federation Services (AD FS).
```powershell
Configuration AdfsRelyingPartyTrust_LdapClaims_IssuanceTransformRules_Config
{
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        AdfsRelyingPartyTrust WebApp1
        {
            Name                    = 'WebApp1'
            Enabled                 = $true
            Notes                   = 'This is a trust for https://webapp1.fabrikam.com'
            WSFedEndpoint           = 'https://webapp1.fabrikam.com'
            Identifier              = 'https://webapp1.fabrikam.com'
            AccessControlPolicyName = 'Permit Everyone'
            IssuanceTransformRules  = @(
                MSFT_AdfsIssuanceTransformRule
                {
                    TemplateName   = 'LdapClaims'
                    Name           = 'WebApp1 Ldap Claims'
                    AttributeStore = 'Active Directory'
                    LdapMapping    = @(
                        MSFT_AdfsLdapMapping
                        {
                            LdapAttribute     = 'objectSID'
                            OutgoingClaimType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
                        }
                        MSFT_AdfsLdapMapping
                        {
                            LdapAttribute     = 'userPrincipalName'
                            OutgoingClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
                        }
                    )
                }
            )
        }
    }
}
```
Example 3
This configuration will add a relying party trust with a Group Claims issuance transform rule in Active Directory Federation Services (AD FS).
```powershell
Configuration AdfsRelyingPartyTrust_EmitGroupClaims_IssuanceTransformRules_Config
{
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        AdfsRelyingPartyTrust WebApp1
        {
            Name                    = 'WebApp1'
            Enabled                 = $true
            Notes                   = 'This is a trust for https://webapp1.fabrikam.com'
            WSFedEndpoint           = 'https://webapp1.fabrikam.com'
            Identifier              = 'https://webapp1.fabrikam.com'
            AccessControlPolicyName = 'Permit Everyone'
            IssuanceTransformRules  = @(
                MSFT_AdfsIssuanceTransformRule
                {
                    TemplateName       = 'EmitGroupClaims'
                    Name               = 'App1 User Role Claim'
                    GroupName          = 'App1 Users'
                    OutgoingClaimType  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
                    OutgoingClaimValue = 'User'
                }
            )
        }
    }
}
```
Example 4
This configuration will add a relying party trust with a custom claims issuance transform rule in Active Directory Federation Services (AD FS).
```powershell
Configuration AdfsRelyingPartyTrust_CustomClaims_IssuanceTransformRules_Config
{
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        AdfsRelyingPartyTrust WebApp1
        {
            Name                    = 'WebApp1'
            Enabled                 = $true
            Notes                   = 'This is a trust for https://webapp1.fabrikam.com'
            WSFedEndpoint           = 'https://webapp1.fabrikam.com'
            Identifier              = 'https://webapp1.fabrikam.com'
            AccessControlPolicyName = 'Permit Everyone'
            IssuanceTransformRules  = @(
                MSFT_AdfsIssuanceTransformRule
                {
                    TemplateName = 'CustomClaims'
                    Name         = 'App1 Custom Claim'
                    CustomRule   = 'TBC'
                }
            )
        }
    }
}
```
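The project's example leaves the rule body as `'TBC'`. As an added example (not part of the AdfsDsc project's own wiki or samples), the configuration below fills the `CustomRule` and `IssuanceAuthorizationRules` properties with rules in the AD FS claim rule language: one rule stages the UPN from Active Directory without issuing it, a second issues it only when the suffix is the expected domain, and an authorization rule permits a single group by SID. The trust name, host name and the group SID are placeholders.

```powershell
# Added example (not from the AdfsDsc project): two custom claim rules and an
# issuance authorization rule written in the AD FS claim rule language. The
# host name, trust name and group SID are placeholders.
Configuration AdfsRelyingPartyTrust_CustomClaims_Filtered_Config
{
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        AdfsRelyingPartyTrust WebApp1
        {
            Name          = 'WebApp1'
            Enabled       = $true
            Notes         = 'This is a trust for https://webapp1.fabrikam.com'
            WSFedEndpoint = 'https://webapp1.fabrikam.com'
            Identifier    = @('https://webapp1.fabrikam.com')

            # Authorization by group SID: a renamed or re-created group cannot
            # silently widen access. Anything not explicitly permitted is denied.
            # AD FS 2016 and later rejects authorization rules on a trust that also
            # has an access control policy, so AccessControlPolicyName is omitted.
            IssuanceAuthorizationRules = @'
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1111111111-2222222222-3333333333-1105"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

            IssuanceTransformRules = @(
                # Rule 1: look the user up in AD and add the UPN to the pipeline
                # only (add, not issue), so it can be filtered before it leaves.
                MSFT_AdfsIssuanceTransformRule
                {
                    TemplateName = 'CustomClaims'
                    Name         = 'Stage UPN from AD'
                    CustomRule   = @'
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@
                }

                # Rule 2: issue the UPN only when it belongs to fabrikam.com, so a
                # UPN with another suffix never reaches the application.
                MSFT_AdfsIssuanceTransformRule
                {
                    TemplateName = 'CustomClaims'
                    Name         = 'Issue fabrikam.com UPNs only'
                    CustomRule   = @'
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "(?i)^[^@]+@fabrikam[.]com$"]
 => issue(claim = c);
'@
                }
            )
        }
    }
}
```

The `LdapClaims` template (Example 2) issues every mapped attribute directly; splitting the work into an `add` rule and a filtered `issue` rule is what lets the trust refuse values it was never meant to release. Rule order matters: the staging rule must come before the filter.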
Example 5
This configuration will add a relying party trust with access control policy parameters in Active Directory Federation Services (AD FS).
```powershell
Configuration AdfsRelyingPartyTrust_AccessControlPolicyParameters_Config
{
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        AdfsRelyingPartyTrust WebApp1
        {
            Name                          = 'WebApp1'
            Enabled                       = $true
            Notes                         = 'This is a trust for https://webapp1.fabrikam.com'
            WSFedEndpoint                 = 'https://webapp1.fabrikam.com'
            Identifier                    = 'https://webapp1.fabrikam.com'
            AccessControlPolicyName       = 'Permit specific group'
            AccessControlPolicyParameters = MSFT_AdfsAccessControlPolicyParameters
            {
                GroupParameter = @(
                    'CONTOSO\AppGroup1 Users'
                    'CONTOSO\AppGroup1 Admins'
                )
            }
        }
    }
}
```
Example 6
This configuration will add a relying party trust with a SAML Endpoint in Active Directory Federation Services (AD FS).
```powershell
Configuration AdfsRelyingPartyTrust_SamlEndpoint_Config
{
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        AdfsRelyingPartyTrust WebApp1
        {
            Name                    = 'WebApp1'
            Enabled                 = $true
            Notes                   = 'This is a trust for https://webapp1.fabrikam.com'
            Identifier              = 'https://webapp1.fabrikam.com'
            AccessControlPolicyName = 'Permit everyone'
            SamlEndpoint            = @(
                MSFT_AdfsSamlEndpoint
                {
                    Binding   = 'POST'
                    Index     = 0
                    IsDefault = $false
                    Protocol  = 'SAMLAssertionConsumer'
                    Uri       = 'https://webapp1.fabrikam.com'
                }
            )
        }
    }
}
```
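Once trusts are under configuration management it is worth checking what the Federation Service actually holds, since trusts created by hand or imported from metadata keep whatever the partner supplied. As an added example (not part of the AdfsDsc project's own wiki or samples), the script below reads every relying party trust with the ADFS module's `Get-AdfsRelyingPartyTrust` cmdlet and reports the settings from the parameter table that weaken the trust. It must run on an AD FS server; the token-lifetime threshold and the choice of findings are this example's assumptions.

```powershell
# Added example (not from the AdfsDsc project): audit every relying party trust
# on this AD FS server for settings that weaken it. Requires the ADFS module on
# an AD FS server; the thresholds are this example's choices, not AD FS defaults.
Import-Module ADFS

$RsaSha1                 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$MaxTokenLifetimeMinutes = 60   # assumption: flag anything longer than an hour

function Get-RelyingPartyTrustFindings
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory, ValueFromPipeline)]
        $Trust
    )

    process
    {
        $findings = [System.Collections.Generic.List[string]]::new()

        if ($Trust.SignatureAlgorithm -eq $RsaSha1)
        {
            $findings.Add('SignatureAlgorithm is RSA-SHA1')
        }

        $samlEndpoints = @($Trust.SamlEndpoints)
        if ($samlEndpoints.Count -gt 0)
        {
            if (-not $Trust.SignedSamlRequestsRequired)
            {
                $findings.Add('Unsigned SAML requests are accepted')
            }
            if ($Trust.SamlResponseSignature -ne 'MessageAndAssertion')
            {
                $findings.Add("SamlResponseSignature is $($Trust.SamlResponseSignature)")
            }
            foreach ($endpoint in $samlEndpoints)
            {
                if (([uri]$endpoint.Location).Scheme -ne 'https')
                {
                    $findings.Add("SAML endpoint over plain HTTP: $($endpoint.Location)")
                }
            }
        }

        if ($Trust.WSFedEndpoint -and ([uri]$Trust.WSFedEndpoint).Scheme -ne 'https')
        {
            $findings.Add("WS-Fed endpoint over plain HTTP: $($Trust.WSFedEndpoint)")
        }

        if ($Trust.SigningCertificateRevocationCheck -eq 'None')
        {
            $findings.Add('SigningCertificateRevocationCheck is None')
        }
        if (-not $Trust.EncryptClaims)
        {
            $findings.Add('Claims are not encrypted')
        }
        elseif ($Trust.EncryptionCertificateRevocationCheck -eq 'None')
        {
            $findings.Add('EncryptionCertificateRevocationCheck is None')
        }

        # TokenLifetime 0 means the service default of 60 minutes.
        $lifetime = if ($Trust.TokenLifetime -eq 0) { 60 } else { $Trust.TokenLifetime }
        if ($lifetime -gt $MaxTokenLifetimeMinutes)
        {
            $findings.Add("TokenLifetime is $lifetime minutes")
        }

        if ($Trust.MetadataUrl -and ([uri]$Trust.MetadataUrl).Scheme -ne 'https')
        {
            $findings.Add('Federation metadata is fetched over plain HTTP')
        }

        if ($Trust.AccessControlPolicyName -eq 'Permit everyone')
        {
            $findings.Add('Access control policy is Permit everyone')
        }

        [pscustomobject]@{
            Name       = $Trust.Name
            Enabled    = $Trust.Enabled
            Identifier = ($Trust.Identifier -join ', ')
            Findings   = $findings
        }
    }
}

# Report only trusts with findings. Disabled trusts are still listed so that
# stale entries can be removed (Ensure = 'Absent') rather than left behind.
Get-AdfsRelyingPartyTrust |
    Get-RelyingPartyTrustFindings |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List Name, Enabled, Identifier, Findings
```

Each finding maps to a property of the AdfsRelyingPartyTrust resource, so the fix is to add that property to the trust's configuration and let DSC enforce it rather than correcting the trust by hand.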