build ADFS RelyingParty
#####################################################################
# Script: configureAdfs.ps1
# Description: Add and remove a relying party to ADFS with rules
######################################################################
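#######################################
# Create (or re-create) an ADFS relying party trust for a WS-Federation
# application and attach the default issuance transform and
# authorization rules.
#
# Arguments:
#   $realm          - name AND identifier of the relying party (URL or URN)
#   $webAppEndpoint - WS-Federation endpoint the token is POSTed to
# Outputs:   progress via Write-Verbose, result via Write-Host
# Returns:   nothing; on an unmet prerequisite it emits Write-Error and returns
#
# Side effects: an existing trust with the same name is REMOVED and
# re-created, so any rules previously customised on it are lost.
#######################################
function AddRelyingParty
(
    [string]$realm = $(throw "Realm for the application is required. E.g.: http://whatever.com or urn:whatever"),
    [string]$webAppEndpoint = $(throw "Endpoint where the token will be POSTed is required")
)
{
    # Elevation is needed on both the legacy snapin path and the ADFS 3.0+
    # module path (where the 'ADFS' module is auto-loaded), so check it
    # unconditionally rather than only when the snapin has to be loaded.
    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        Write-Error "This PowerShell script requires Administrator privilieges. Try executing by doing right click -> 'Run as Administrator'"
        return
    }

    # Only fall back to the snapin when the ADFS cmdlets are not already
    # available. Track whether this function loaded it so that only what
    # was added here is unloaded at the end (the caller's session is
    # otherwise left untouched).
    $snapinLoadedHere = $false
    if ($null -eq (Get-Command Set-ADFSRelyingPartyTrust -ErrorAction SilentlyContinue))
    {
        # is the snapin registered on this machine at all?
        if ($null -eq (Get-PSSnapin -Name Microsoft.Adfs.Powershell -Registered -ErrorAction SilentlyContinue))
        {
            Write-Error "This PowerShell script requires the Microsoft.Adfs.Powershell Snap-In. Try executing it from an ADFS server"
            return
        }
        # registered but not yet loaded in this session
        if ($null -eq (Get-PSSnapin -Name Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue))
        {
            Write-Verbose "Adding Microsoft.Adfs.Powershell Snapin"
            Add-PSSnapin Microsoft.Adfs.Powershell
            $snapinLoadedHere = $true
        }
    }

    # The token is POSTed to this endpoint; anything other than HTTPS
    # sends the signed token in clear text. Warn rather than refuse so
    # lab/dev setups keep working.
    if ($webAppEndpoint -notmatch '^https://')
    {
        Write-Warning "WS-Federation endpoint '$webAppEndpoint' is not HTTPS; issued tokens will be transmitted unencrypted."
    }

    try
    {
        # remove if exists (see header: this discards any customised rules)
        $rp = Get-ADFSRelyingPartyTrust -Name $realm
        if ($rp)
        {
            Write-Verbose "Removing Relying Party Trust: $realm"
            Remove-ADFSRelyingPartyTrust -TargetName $realm
        }

        Write-Verbose "Adding Relying Party Trust: $realm"
        Write-Verbose "Add-ADFSRelyingPartyTrust -Name $realm -Identifier $realm -WSFedEndpoint $webAppEndpoint"
        Add-ADFSRelyingPartyTrust -Name $realm -Identifier $realm -WSFedEndpoint $webAppEndpoint

        # get the RP to add Transform and Authz rules.
        $rp = Get-ADFSRelyingPartyTrust -Name $realm

        # transform Rules
        # NOTE(review): the query lists mail,displayName,userPrincipalName,givenName,sn
        # and the types are mapped positionally, so 'name' is fed from displayName
        # and 'nameidentifier' from userPrincipalName; the RuleName text describes
        # a different mapping. Confirm which is intended before relying on 'name'.
        $rules = @'
@RuleName = "Store: ActiveDirectory -> Mail (ldap attribute: mail), Name (ldap attribute: userPrincipalName), GivenName (ldap attribute: givenName), Surname (ldap attribute: sn)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,displayName,userPrincipalName,givenName,sn;{0}", param = c.Value);
'@
        Write-Verbose "Adding Claim Rules"
        # ASCII hyphens: the original used Unicode en-dashes before TargetName/ClaimRule.
        Set-ADFSRelyingPartyTrust -TargetName $realm -IssuanceTransformRules $rules

        # Authorization Rules
        # This rule issues 'permit' unconditionally, i.e. every authenticated
        # AD user may obtain a token for this relying party. Narrow it
        # (e.g. to a group claim) if the application is not meant for everyone.
        $authRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
        Write-Verbose "Adding Issuance Authorization Rules: $authRules"
        $rSet = New-ADFSClaimRuleSet -ClaimRule $authRules
        Set-ADFSRelyingPartyTrust -TargetName $realm -IssuanceAuthorizationRules $rSet.ClaimRulesString

        Write-Host "Relying Party Trust '$realm' added succesfully."
    }
    finally
    {
        # unload only what this function loaded, even if a cmdlet above threw
        if ($snapinLoadedHere)
        {
            Remove-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue
        }
    }
}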
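#######################################
# Remove the ADFS relying party trust named $realm, if it exists.
#
# Arguments:
#   $realm - name of the relying party trust (URL or URN)
# Outputs:   progress via Write-Verbose, result via Write-Host
# Returns:   nothing; on an unmet prerequisite it emits Write-Error and returns
#######################################
function RemoveRelyingParty
(
    [string]$realm = $(throw "Realm for the application is required. E.g.: http://whatever.com or urn:whatever")
)
{
    # Elevation is needed regardless of whether the cmdlets come from the
    # auto-loaded ADFS module or the legacy snapin, so check it first.
    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        Write-Error "This PowerShell script requires Administrator privilieges. Try executing by doing right click -> 'Run as Administrator'"
        return
    }

    # Fall back to the snapin only when the cmdlets are not already present;
    # remember whether it was loaded here so the caller's session is not
    # modified beyond what this function added.
    $snapinLoadedHere = $false
    if ($null -eq (Get-Command Set-ADFSRelyingPartyTrust -ErrorAction SilentlyContinue))
    {
        # check if ADFS snapin exists in the machine
        if ($null -eq (Get-PSSnapin -Name Microsoft.Adfs.Powershell -Registered -ErrorAction SilentlyContinue))
        {
            Write-Error "This PowerShell script requires the Microsoft.Adfs.Powershell Snap-In. Try executing it from an ADFS server"
            return
        }
        # check if ADFS snapin is already loaded, if not load it
        if ($null -eq (Get-PSSnapin -Name Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue))
        {
            Write-Verbose "Adding Microsoft.Adfs.Powershell Snapin"
            Add-PSSnapin Microsoft.Adfs.Powershell
            $snapinLoadedHere = $true
        }
    }

    try
    {
        $rp = Get-ADFSRelyingPartyTrust -Name $realm
        if ($rp)
        {
            Write-Verbose "Removing Relying Party Trust: $realm"
            Remove-ADFSRelyingPartyTrust -TargetName $realm
            Write-Host "Relying Party Trust '$realm' removed succesfully."
        }
        else
        {
            # not an error: removing something that is already absent is a no-op
            Write-Verbose "Relying Party Trust '$realm' not found; nothing to remove."
        }
    }
    finally
    {
        # unload only what this function loaded, even if a cmdlet above threw
        if ($snapinLoadedHere)
        {
            Remove-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue
        }
    }
}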