
Add-ADFSClaimsProviderTrust

Adds a new claims provider trust to the Federation Service.

Syntax

Add-ADFSClaimsProviderTrust -Identifier <string> -Name <string> -TokenSigningCertificate <X509Certificate2[]> [-AcceptanceTransformRules <string>] [-AcceptanceTransformRulesFile <string>] [-AllowCreate <Boolean>] [-AutoUpdateEnabled <Boolean>] [-ClaimOffered <ClaimDescription[]>] [-Enabled <Boolean>] [-EncryptionCertificate <X509Certificate2>] [-EncryptionCertificateRevocationCheck <string>] [-MetadataUrl <Uri>] [-MonitoringEnabled <Boolean>] [-Notes <string>] [-PassThru] [-ProtocolProfile <string>] [-RequiredNameIdFormat <Uri>] [-RequiresEncryptedNameID <System.Nullable[bool]>] [-SamlAuthenticationRequestIndex <int>] [-SamlAuthenticationRequestParameters <string>] [-SamlAuthenticationRequestProtocolBinding <string>] [-SamlEndpoint <SamlEndpoint[]>] [-SignatureAlgorithm <string>] [-SignedSamlRequestsRequired <System.Nullable[bool]>] [-SigningCertRevocationCheck <string>] [-WSFedEndpoint <Uri>] [-Confirm] [-WhatIf] [<CommonParameters>]
Add-ADFSClaimsProviderTrust -Name <string> [-AcceptanceTransformRules <string>] [-AcceptanceTransformRulesFile <string>] [-AllowCreate <Boolean>] [-AutoUpdateEnabled <Boolean>] [-Enabled <Boolean>] [-EncryptionCertificateRevocationCheck <string>] [-MetadataFile <string>] [-MetadataUrl <Uri>] [-MonitoringEnabled <Boolean>] [-Notes <string>] [-PassThru] [-ProtocolProfile <string>] [-RequiredNameIdFormat <Uri>] [-RequiresEncryptedNameID <System.Nullable[bool]>] [-SamlAuthenticationRequestIndex <int>] [-SamlAuthenticationRequestParameters <string>] [-SamlAuthenticationRequestProtocolBinding <string>] [-SignatureAlgorithm <string>] [-SignedSamlRequestsRequired <System.Nullable[bool]>] [-SigningCertRevocationCheck <string>] [-Confirm] [-WhatIf] [<CommonParameters>]
Detailed Description

The Add-ADFSClaimsProviderTrust cmdlet adds a new claims provider trust to the Federation Service. A claims provider trust can be specified manually, or a federation metadata document may be provided to bootstrap initial configuration.

Parameters

AcceptanceTransformRules

Specifies the claim acceptance transform rules for accepting claims from this claims provider.

Default Value:

Data Type: string

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

AcceptanceTransformRulesFile

Specifies a file containing the claim acceptance transform rules for accepting claims from this claims provider.

Default Value:

Data Type: string

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

AllowCreate

Specifies whether the SAML parameter AllowCreate should be sent in SAML requests to the claims provider. By default, this parameter is true.

Default Value:

Data Type: Boolean

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

AutoUpdateEnabled

Specifies whether changes to the federation metadata at the monitored MetadataUrl are applied automatically to the configuration of the trust relationship. Partner claims, certificates, and endpoints are updated automatically if this parameter is enabled (true).
Note: When auto-update is enabled, fields that can be overwritten by metadata become read-only.

Default Value:

Data Type: Boolean

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

ClaimOffered

Specifies the claims that are offered by this claims provider.

Default Value:

Data Type: ClaimDescription[]

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             true              variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       true (ByValue)    pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             true              variableLength

Enabled

Specifies whether the claims provider trust is enabled or disabled.

Default Value:

Data Type: Boolean

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

EncryptionCertificate

Specifies the certificate to be used for encrypting a NameID to this claims provider in SAML logout requests. Encrypting the NameID is optional.

Default Value:

Data Type: X509Certificate2

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

EncryptionCertificateRevocationCheck

Name                         Value
Aliases                      none
Required?                    false
Position?                    named
Default Value                none
Accept Pipeline Input?       false
Accept Wildcard Characters?  false

Identifier

Specifies the unique identifier for this claims provider trust. No other trust may use an identifier from this list. Uniform Resource Identifiers (URIs) are often used as unique identifiers for a claims provider trust, but any string of characters may be used.

Default Value:

Data Type: string

Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

MetadataFile

Specifies a file path, such as c:\metadata.xml, that contains the federation metadata to be used when this claims provider trust is created.

Default Value:

Data Type: string

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

MetadataUrl

Specifies a URL at which the federation metadata for this claims provider trust is available.

Default Value:

Data Type: Uri

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

MonitoringEnabled

Specifies whether periodic monitoring of this claims provider's federation metadata is enabled. The URL of the claims provider's federation metadata is specified by the MetadataUrl parameter.

Default Value:

Data Type: Boolean

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

Name

Specifies the friendly name of this claims provider trust.

Default Value:

Data Type: string

Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

Notes

Specifies any notes for this claims provider trust.

Default Value:

Data Type: string

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

PassThru

Passes an object to the pipeline. By default, this cmdlet does not generate any output.

Default Value:

Data Type: SwitchParameter

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength

ProtocolProfile

This parameter controls which protocol profiles the claims provider supports. The protocols can be one of the following: {SAML, WsFederation, WsFed-SAML}. The default is WsFed-SAML, which indicates that both protocols are supported.

Default Value:

Data Type: string

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

RequiredNameIdFormat

Specifies the format that is required for NameID claims to be included in SAML requests to the claims provider. By default, no format is required.

Default Value:

Data Type: Uri

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

RequiresEncryptedNameID

Specifies whether this claims provider requires the NameID claim to be encrypted in SAML logout requests.

Default Value:

Data Type: System.Nullable[bool]

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

SamlAuthenticationRequestIndex

Specifies the value of AssertionConsumerServiceIndex that will be placed in SAML authentication requests that are sent to the claims provider.

Default Value:

Data Type: int

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

SamlAuthenticationRequestParameters

Specifies which of the parameters (AssertionConsumerServiceIndex, AssertionConsumerServiceUrl, ProtocolBinding) will be used in SAML authentication requests to the claims provider. Specify a value from the set: {None, Index, Url, ProtocolBinding, UrlWithProtocolBinding}.

Default Value:

Data Type: string

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

SamlAuthenticationRequestProtocolBinding

Specifies the value of ProtocolBinding that will be placed in SAML authentication requests to the claims provider. Use values from the set: {Artifact, Post, Redirect}.

Default Value:

Data Type: string

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

SamlEndpoint

Specifies the SAML protocol endpoints for this claims provider.

Default Value:

Data Type: SamlEndpoint[]

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             true              variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       true (ByValue)    pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             true              variableLength

SignatureAlgorithm

Specifies the signature algorithm that the claims provider uses for signing and verification. Valid values are:
http://www.w3.org/2000/09/xmldsig#rsa-sha1
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

Default Value:

Data Type: string

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

SignedSamlRequestsRequired

Specifies whether signed SAML protocol requests are required for this claims provider. When the value of this parameter is true, all SAML protocol requests to this claims provider will be signed.

Default Value:

Data Type: System.Nullable[bool]

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

SigningCertRevocationCheck

Specifies the type of validation that should occur for the signing certificate when signatures are processed. Valid values are None, CheckEndCert, CheckEndCertCacheOnly, CheckChain, CheckChainCacheOnly, CheckChainExcludingRoot, and CheckChainExcludingRootCacheOnly.

Default Value:

Data Type: string

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

TokenSigningCertificate

Specifies the token-signing certificates to be used by the claims provider.

Default Value:

Data Type: X509Certificate2[]

Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             true              variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       true (ByValue)    pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             true              variableLength

WSFedEndpoint

Specifies the WS-Federation Passive URL for this claims provider.

Default Value:

Data Type: Uri

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    true              required
Variable Length?             false             variableLength

Confirm

Prompts you for confirmation before executing the command.

Default Value:

Data Type: SwitchParameter

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             true              variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength

WhatIf

Describes what would happen if you executed the command without actually executing the command.

Default Value:

Data Type: SwitchParameter

Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             true              variableLength
Accept wildcard characters?  false             globbing
Accept Pipeline Input?       false             pipelineInput
Position?                    named             position

Value Attributes

Name                         Value             PSMAML Attribute
Required?                    false             required
Variable Length?             false             variableLength

Input Type

None

Return Type

None


Notes


  • The claims provider is responsible for collecting and authenticating a user's credentials, building up claims for that user, and packaging the claims into security tokens. In other words, a claims provider represents the organization for whose users the claims provider issues security tokens on their behalf. When you configure AD FS 2.0 to use federation services, the role of the claims provider is to enable its users to access resources that a relying party organization hosts by establishing one side of a federation trust relationship. After the trust is established, tokens can be presented to the relying party across the federation trust.


Examples

-------------------------- EXAMPLE 1 --------------------------

Command Prompt: C:\PS>

Add-ADFSClaimsProviderTrust -Name 'Fabrikam' -MetadataUrl 'https://fabrikam.com/federationmetadata/2007-06/federationmetadata.xml'

Description

-----------

Adds a claims provider trust named Fabrikam for federation.
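As an added example (not part of the original page), the script below creates a claims provider trust from partner metadata using the stricter options this cmdlet documents (monitoring with auto-update, RSA-SHA256, chain revocation checks, signed SAML requests, and acceptance rules that admit only named claim types), then checks the token-signing certificate that was imported from the metadata before enabling the trust. The partner name, URL, thumbprint and claim types are constructed placeholders, and the TokenSigningCertificates property name on the returned trust object is an assumption.

```powershell
# Added example, not from the original page. Placeholders: replace before use.
$partnerName   = 'Fabrikam'
$metadataUrl   = 'https://fabrikam.com/federationmetadata/2007-06/federationmetadata.xml'
$expectedThumb = '0000000000000000000000000000000000000000'   # placeholder: obtain from the partner out of band

# Acceptance transform rules in the AD FS claim rule language: pass through only the
# claim types this partner is expected to assert; every other incoming claim is dropped.
$acceptanceRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Accept UPN from Fabrikam"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Accept group membership from Fabrikam"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@

# Create the trust disabled so nothing is accepted from it until the signing
# certificate has been verified. -PassThru returns the created trust object.
$trust = Add-ADFSClaimsProviderTrust -Name $partnerName `
    -MetadataUrl $metadataUrl `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -SigningCertRevocationCheck 'CheckChain' `
    -EncryptionCertificateRevocationCheck 'CheckChain' `
    -SignedSamlRequestsRequired $true `
    -AcceptanceTransformRules $acceptanceRules `
    -Enabled $false `
    -PassThru

# The metadata fetched over the network is what the trust is built on, so confirm the
# imported signing certificate matches what the partner communicated separately.
# TokenSigningCertificates is assumed to be the property name on the trust object.
$imported = @($trust.TokenSigningCertificates | ForEach-Object { $_.Thumbprint })

if ($imported -contains $expectedThumb) {
    Enable-ADFSClaimsProviderTrust -TargetName $partnerName
    Write-Output "Trust '$partnerName' verified and enabled."
} else {
    Write-Warning ("Trust '{0}' left disabled: imported thumbprints [{1}] do not include the expected one." `
        -f $partnerName, ($imported -join ', '))
}
```

With AutoUpdateEnabled set, later certificate rollovers in the partner's metadata are applied without an operator, so the thumbprint comparison above is worth repeating as a scheduled check rather than only at creation time.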

See Also

© 2014 Microsoft