adfs.ps1
123 lines (103 loc) · 5.26 KB
#####################################################################
# Script: configureAdfs.ps1
# Description: Add and remove a relying party to ADFS with rules
######################################################################
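#######################################
# Creates (or re-creates) the ADFS relying party trust named $realm and
# installs its claim rules.
# Behaviour:
#   - loads the legacy Microsoft.Adfs.Powershell snap-in only when the ADFS
#     cmdlets are not already available (ADFS 3.0 ships them as an
#     auto-loaded module);
#   - requires an elevated (Administrator) session on both paths;
#   - removes an existing trust with the same name before adding the new one;
#   - sets issuance transform rules that resolve mail, displayName,
#     userPrincipalName, givenName and sn from Active Directory for the
#     authenticated Windows account;
#   - sets an issuance authorization rule that permits every authenticated
#     user.
# Arguments:
#   $realm          - trust name and identifier
#                     (e.g. http://whatever.com or urn:whatever); required
#   $webAppEndpoint - WS-Federation endpoint the token is POSTed to; required
# Outputs: progress on the verbose stream, final confirmation via Write-Host.
# Returns: nothing. Prerequisite failures are reported with Write-Error and
#          the function returns early; a failing Add-ADFSRelyingPartyTrust
#          throws, so no rules are applied to a trust that was never created.
#######################################
function AddRelyingParty
(
    [string]$realm = $(throw "Realm for the application is required. E.g.: http://whatever.com or urn:whatever"),
    [string]$webAppEndpoint = $(throw "Endpoint where the token will be POSTed is required")
)
{
    # Track whether this call loaded the snap-in so that only a snap-in we
    # added is unloaded at the end; a caller's own session state is left alone.
    $snapinLoadedHere = $false

    # In ADFS 3.0 the management cmdlets come from the auto-loaded 'ADFS'
    # module; fall back to the snap-in only when they are missing.
    if ($null -eq (Get-Command Set-ADFSRelyingPartyTrust -ErrorAction SilentlyContinue))
    {
        if ($null -eq (Get-PSSnapin -Name Microsoft.Adfs.Powershell -Registered -ErrorAction SilentlyContinue))
        {
            Write-Error "This PowerShell script requires the Microsoft.Adfs.Powershell Snap-In. Try executing it from an ADFS server"
            return
        }
        if ($null -eq (Get-PSSnapin -Name Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue))
        {
            Write-Verbose "Adding Microsoft.Adfs.Powershell Snapin"
            Add-PSSnapin Microsoft.Adfs.Powershell
            $snapinLoadedHere = $true
        }
    }

    # Modifying relying party trusts needs an elevated session on both the
    # module and the snap-in path, so this check sits outside the snap-in
    # branch (previously it only ran when the snap-in fallback was taken).
    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        Write-Error "This PowerShell script requires Administrator privilieges. Try executing by doing right click -> 'Run as Administrator'"
        return
    }

    try
    {
        # Re-create rather than update, so the rules set below are the only
        # ones in effect for this trust.
        if (Get-ADFSRelyingPartyTrust -Name $realm)
        {
            Write-Verbose "Removing Relying Party Trust: $realm"
            Remove-ADFSRelyingPartyTrust -TargetName $realm
        }

        Write-Verbose "Adding Relying Party Trust: $realm"
        Write-Verbose "Add-ADFSRelyingPartyTrust -Name $realm -Identifier $realm -WSFedEndpoint $webAppEndpoint"
        # -ErrorAction Stop: a failed add must not be followed by rule updates
        # and a success message for a trust that does not exist.
        Add-ADFSRelyingPartyTrust -Name $realm -Identifier $realm -WSFedEndpoint $webAppEndpoint -ErrorAction Stop

        # Issuance transform rules. The claim types and the LDAP attributes in
        # 'query' appear to be paired by position, giving
        # emailaddress<-mail, name<-displayName, nameidentifier<-userPrincipalName,
        # givenname<-givenName, surname<-sn; note the RuleName label's wording
        # ("Name (ldap attribute: userPrincipalName)") does not say the same.
        # The here-string body is kept at column 0 on purpose: the closing '@
        # must start a line, and the rule text is left byte-identical.
        $rules = @'
@RuleName = "Store: ActiveDirectory -> Mail (ldap attribute: mail), Name (ldap attribute: userPrincipalName), GivenName (ldap attribute: givenName), Surname (ldap attribute: sn)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,displayName,userPrincipalName,givenName,sn;{0}", param = c.Value);
'@
        Write-Verbose "Adding Claim Rules"
        Set-ADFSRelyingPartyTrust -TargetName $realm -IssuanceTransformRules $rules

        # Issuance authorization rule: an unconditional permit, i.e. every
        # account that authenticates to ADFS can obtain a token for this
        # relying party. Narrow it (e.g. by group membership) when the
        # application should not be reachable by the whole directory.
        $authRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
        Write-Verbose "Adding Issuance Authorization Rules: $authRules"
        $rSet = New-ADFSClaimRuleSet -ClaimRule $authRules
        Set-ADFSRelyingPartyTrust -TargetName $realm -IssuanceAuthorizationRules $rSet.ClaimRulesString

        Write-Host "Relying Party Trust '$realm' added succesfully."
    }
    finally
    {
        # Only unload what this call loaded.
        if ($snapinLoadedHere)
        {
            Remove-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue
        }
    }
}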
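#######################################
# Removes the ADFS relying party trust named $realm if it exists.
# Loads the legacy Microsoft.Adfs.Powershell snap-in only when the ADFS
# cmdlets are not already available (ADFS 3.0 auto-loads them as a module)
# and requires an elevated (Administrator) session on both paths.
# Arguments:
#   $realm - trust name (e.g. http://whatever.com or urn:whatever); required
# Outputs: progress on the verbose stream; confirmation via Write-Host only
#          when a trust was actually removed.
# Returns: nothing. Prerequisite failures are reported with Write-Error and
#          the function returns early; a failing Remove-ADFSRelyingPartyTrust
#          throws instead of being followed by a success message.
#######################################
function RemoveRelyingParty
(
    [string]$realm = $(throw "Realm for the application is required. E.g.: http://whatever.com or urn:whatever")
)
{
    # Track whether this call loaded the snap-in so that only a snap-in we
    # added is unloaded at the end; a caller's own session state is left alone.
    $snapinLoadedHere = $false

    # Fall back to the snap-in only when the module cmdlets are missing.
    if ($null -eq (Get-Command Set-ADFSRelyingPartyTrust -ErrorAction SilentlyContinue))
    {
        if ($null -eq (Get-PSSnapin -Name Microsoft.Adfs.Powershell -Registered -ErrorAction SilentlyContinue))
        {
            Write-Error "This PowerShell script requires the Microsoft.Adfs.Powershell Snap-In. Try executing it from an ADFS server"
            return
        }
        if ($null -eq (Get-PSSnapin -Name Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue))
        {
            Write-Verbose "Adding Microsoft.Adfs.Powershell Snapin"
            Add-PSSnapin Microsoft.Adfs.Powershell
            $snapinLoadedHere = $true
        }
    }

    # Removing a trust is an administrative change on both the module and the
    # snap-in path, so the elevation check is outside the snap-in branch
    # (previously it only ran when the snap-in fallback was taken).
    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        Write-Error "This PowerShell script requires Administrator privilieges. Try executing by doing right click -> 'Run as Administrator'"
        return
    }

    try
    {
        if (Get-ADFSRelyingPartyTrust -Name $realm)
        {
            Write-Verbose "Removing Relying Party Trust: $realm"
            # -ErrorAction Stop: do not report success when the removal failed.
            Remove-ADFSRelyingPartyTrust -TargetName $realm -ErrorAction Stop
            Write-Host "Relying Party Trust '$realm' removed succesfully."
        }
        else
        {
            Write-Verbose "Relying Party Trust '$realm' not found; nothing to remove"
        }
    }
    finally
    {
        # Only unload what this call loaded.
        if ($snapinLoadedHere)
        {
            Remove-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue
        }
    }
}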