SPTrustedSecurityTokenIssuer - dsccommunity/SharePointDsc GitHub Wiki
## Parameters

Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Name | Key | String | Name of the SPTrustedSecurityTokenIssuer | |
Description | Write | String | Description of the SPTrustedSecurityTokenIssuer | |
Ensure | Write | String | Present if the SPTrustedSecurityTokenIssuer should be created, or Absent if it should be removed | Present, Absent |
IsTrustBroker | Write | Boolean | Specifies whether the trust is established with a self-issuer partner app | |
MetadataEndPoint | Write | String | URL that SharePoint will reach to download the JSON metadata file of the issuer | |
RegisteredIssuerNameIdentifier | Write | String | The security principal identifier of the security token issuer | |
RegisteredIssuerNameRealm | Write | String | The realm of the security token issuer | |
SigningCertificateFilePath | Write | String | Specify the file path to the signing certificate if it is not stored in the local certificate store already | |
SigningCertificateThumbprint | Write | String | Specify the thumbprint of the signing certificate, which must be located in certificate store LocalMachine\My | |
## Description

Type: Distributed

Requires CredSSP: No

This resource is used to create or remove a SPTrustedSecurityTokenIssuer in a SharePoint farm.

It requires either a MetadataEndPoint or a certificate to be specified.

The certificate can be specified by setting either parameter SigningCertificateThumbprint or SigningCertificateFilePath. If both SigningCertificateThumbprint and SigningCertificateFilePath are specified, the thumbprint of the certificate in the file is verified against the specified SigningCertificateThumbprint. If the thumbprints don't match, an exception is thrown when the resource is configured.

The SigningCertificateThumbprint must be the thumbprint of the signing certificate stored in the certificate store LocalMachine\My of the server. If SigningCertificateFilePath is also specified, the certificate file must have the same thumbprint.

The SigningCertificateFilePath must be the file path to the public key of the signing certificate.

Properties RegisteredIssuerNameIdentifier and RegisteredIssuerNameRealm compose the RegisteredIssuerName. If RegisteredIssuerNameRealm is omitted, it is set to the realm of the farm.

The default value for the Ensure parameter is Present. When this parameter is not specified, the token issuer is created.
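The following pre-flight script is an added example, not code from SharePointDsc or this wiki page. It reproduces the two checks described above (thumbprint of the certificate file against the SigningCertificateThumbprint parameter, and presence of that certificate in LocalMachine\My) so a mismatch is caught before the DSC run, and it shows how the RegisteredIssuerName is composed as `<identifier>@<realm>`. The function names, the `-Realm` fallback via `Get-SPAuthenticationRealm` (which only resolves on a server with the SharePoint snap-in loaded) and the format of the composed name are assumptions of this example.

```powershell
# Added example (not part of SharePointDsc): validate the certificate inputs of
# SPTrustedSecurityTokenIssuer the way the resource description says they are
# checked, and compute the RegisteredIssuerName the resource will register.
function Test-SigningCertificateInputs {
    param(
        [string] $SigningCertificateFilePath,
        [string] $SigningCertificateThumbprint
    )

    if (-not $SigningCertificateFilePath -and -not $SigningCertificateThumbprint) {
        throw "Specify SigningCertificateFilePath, SigningCertificateThumbprint, or both (or use MetadataEndPoint)."
    }

    $fileThumbprint = $null
    if ($SigningCertificateFilePath) {
        if (-not (Test-Path -Path $SigningCertificateFilePath -PathType Leaf)) {
            throw "Certificate file not found: $SigningCertificateFilePath"
        }
        # A .cer file carries only the public key, so no password is needed here.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $SigningCertificateFilePath
        if ($cert.HasPrivateKey) {
            Write-Warning "File contains a private key; the resource expects the public key only."
        }
        # X509Certificate2.Thumbprint is upper-case hex without separators.
        $fileThumbprint = $cert.Thumbprint
    }

    if ($SigningCertificateThumbprint) {
        # Normalise the parameter the same way before comparing.
        $expected = ($SigningCertificateThumbprint -replace '\s', '').ToUpperInvariant()
        if ($fileThumbprint -and $fileThumbprint -ne $expected) {
            throw "Thumbprint mismatch: file has $fileThumbprint, parameter specifies $expected."
        }
        # The resource requires the certificate to exist in LocalMachine\My.
        $inStore = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $expected }
        if (-not $inStore) {
            throw "No certificate with thumbprint $expected found in LocalMachine\My."
        }
        return $expected
    }

    return $fileThumbprint
}

function Get-ExpectedRegisteredIssuerName {
    param(
        [Parameter(Mandatory = $true)] [string] $Identifier,   # RegisteredIssuerNameIdentifier (a GUID)
        [string] $Realm                                        # RegisteredIssuerNameRealm, optional
    )

    if (-not ([guid]::TryParse($Identifier, [ref]([guid]::Empty)))) {
        throw "RegisteredIssuerNameIdentifier must be a GUID: $Identifier"
    }
    if (-not $Realm) {
        # Assumption: when the realm is omitted the farm realm is used, as the
        # description states; Get-SPAuthenticationRealm needs the SharePoint snap-in.
        if (Get-Command -Name Get-SPAuthenticationRealm -ErrorAction SilentlyContinue) {
            $Realm = Get-SPAuthenticationRealm
        } else {
            throw "No realm given and Get-SPAuthenticationRealm is not available on this host."
        }
    }
    # Assumption: RegisteredIssuerName is "<identifier>@<realm>".
    return "$Identifier@$Realm"
}

# Usage on a farm server (values are placeholders, not real material):
# Test-SigningCertificateInputs -SigningCertificateFilePath 'F:\Data\DSC\FakeSigning.cer' `
#     -SigningCertificateThumbprint '123ABCFACE123ABCFACE123ABCFACE123ABCFACE'
# Get-ExpectedRegisteredIssuerName -Identifier '22222222-2222-2222-2222-222222222222'
```

Run this under the same account that will apply the configuration (the `PsDscRunAsCredential` in the examples below), since `Cert:\LocalMachine\My` read access and the SharePoint cmdlets both depend on it; a failure here is the same exception the resource would raise, just earlier and with a clearer message.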
## Examples

### Example 1

This example creates a trusted security token issuer using a signing certificate in a file path, and the SPAuthenticationRealm of the SharePoint farm.

```powershell
Configuration Example
{
    param
    (
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $SetupAccount
    )

    Import-DscResource -ModuleName SharePointDsc

    node localhost
    {
        SPTrustedSecurityTokenIssuer HighTrustAddinsTrust
        {
            Name                           = "HighTrustAddins"
            Description                    = "Trust for Provider-hosted high-trust add-ins"
            RegisteredIssuerNameIdentifier = "22222222-2222-2222-2222-222222222222"
            IsTrustBroker                  = $true
            SigningCertificateFilePath     = "F:\Data\DSC\FakeSigning.cer"
            Ensure                         = "Present"
            PsDscRunAsCredential           = $SetupAccount
        }
    }
}
```
### Example 2

This example creates a trusted security token issuer using a signing certificate retrieved from its thumbprint, and the SPAuthenticationRealm of the SharePoint farm.

```powershell
Configuration Example
{
    param
    (
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $SetupAccount
    )

    Import-DscResource -ModuleName SharePointDsc

    node localhost
    {
        SPTrustedSecurityTokenIssuer HighTrustAddinsTrust
        {
            Name                           = "HighTrustAddins"
            Description                    = "Trust for Provider-hosted high-trust add-ins"
            RegisteredIssuerNameIdentifier = "22222222-2222-2222-2222-222222222222"
            IsTrustBroker                  = $true
            SigningCertificateThumbprint   = "123ABCFACE123ABCFACE123ABCFACE123ABCFACE"
            Ensure                         = "Present"
            PsDscRunAsCredential           = $SetupAccount
        }
    }
}
```
### Example 3

This example creates a trusted security token issuer that will be configured using the metadata file of the ACS tenant.

```powershell
Configuration Example
{
    param
    (
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $SetupAccount
    )

    Import-DscResource -ModuleName SharePointDsc

    node localhost
    {
        SPTrustedSecurityTokenIssuer HighTrustAddinsTrust
        {
            Name                 = "ACS Trust"
            Description          = "Trust with ACS tenant TENANT.onmicrosoft.com"
            MetadataEndPoint     = "https://accounts.accesscontrol.windows.net/TENANT.onmicrosoft.com/metadata/json/1"
            IsTrustBroker        = $true
            Ensure               = "Present"
            PsDscRunAsCredential = $SetupAccount
        }
    }
}
```
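After any of the three configurations above has been applied, a trust that silently ended up with the wrong issuer name, certificate or metadata endpoint would accept tokens you did not intend to accept, so it is worth reading the registered issuer back. The script below is an added verification example, not part of SharePointDsc or the wiki; it assumes it runs on a farm server where the `Microsoft.SharePoint.PowerShell` snap-in loads, that `Get-SPTrustedSecurityTokenIssuer` returns objects exposing `Name`, `RegisteredIssuerName`, `MetadataEndPoint` and `SigningCertificate`, and that `Test-DscConfiguration -Detailed` is available for the LCM-level check. The function name and the `$ExpectedRegisteredIssuerName` format (`<identifier>@<realm>`) are assumptions of this example.

```powershell
# Added example (not part of SharePointDsc): confirm that the issuer registered
# by the configuration matches what was intended. Each expected value is
# optional; only the ones supplied are checked.
function Confirm-TrustedSecurityTokenIssuer {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [string] $ExpectedRegisteredIssuerName,   # "<identifier>@<realm>" for certificate-based trusts
        [string] $ExpectedThumbprint,             # thumbprint of the signing certificate
        [string] $ExpectedMetadataEndPoint        # for metadata-based trusts (Example 3)
    )

    # Assumption: running on a farm server; the snap-in may already be loaded.
    Add-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    $issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $Name }
    $problems = New-Object System.Collections.Generic.List[string]

    if (-not $issuer) {
        $problems.Add("No trusted security token issuer named '$Name' exists.")
    } else {
        if ($ExpectedRegisteredIssuerName -and $issuer.RegisteredIssuerName -ne $ExpectedRegisteredIssuerName) {
            $problems.Add("RegisteredIssuerName is '$($issuer.RegisteredIssuerName)', expected '$ExpectedRegisteredIssuerName'.")
        }
        if ($ExpectedThumbprint) {
            $actual = ($issuer.SigningCertificate.Thumbprint)
            $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
            if ($actual -ne $expected) {
                $problems.Add("Signing certificate thumbprint is '$actual', expected '$expected'.")
            }
        }
        if ($ExpectedMetadataEndPoint) {
            $actualEndpoint = [string]$issuer.MetadataEndPoint
            if ($actualEndpoint.TrimEnd('/') -ne $ExpectedMetadataEndPoint.TrimEnd('/')) {
                $problems.Add("MetadataEndPoint is '$actualEndpoint', expected '$ExpectedMetadataEndPoint'.")
            }
        }
        # A metadata-based trust should have obtained a signing certificate from the
        # JSON metadata; an empty SigningCertificate means the download did not happen.
        if ($ExpectedMetadataEndPoint -and -not $issuer.SigningCertificate) {
            $problems.Add("MetadataEndPoint is set but no signing certificate was retrieved.")
        }
    }

    # Cross-check with the LCM's own view of the configuration.
    $dsc = Test-DscConfiguration -Detailed -ErrorAction SilentlyContinue
    if ($dsc -and -not $dsc.InDesiredState) {
        $problems.Add("Test-DscConfiguration reports resources not in desired state: " +
            (($dsc.ResourcesNotInDesiredState | ForEach-Object { $_.ResourceId }) -join ', '))
    }

    foreach ($p in $problems) { Write-Warning $p }
    return ($problems.Count -eq 0)
}

# Usage (placeholder values matching the examples above, not real material):
# Confirm-TrustedSecurityTokenIssuer -Name 'HighTrustAddins' `
#     -ExpectedRegisteredIssuerName "22222222-2222-2222-2222-222222222222@$(Get-SPAuthenticationRealm)" `
#     -ExpectedThumbprint '123ABCFACE123ABCFACE123ABCFACE123ABCFACE'
# Confirm-TrustedSecurityTokenIssuer -Name 'ACS Trust' `
#     -ExpectedMetadataEndPoint 'https://accounts.accesscontrol.windows.net/TENANT.onmicrosoft.com/metadata/json/1'
```

The function returns `$true` only when every supplied expectation holds and the LCM reports the node in desired state, which makes it usable as a gate in a pipeline that applies the configuration and then fails the job on an unexpected trust.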