Add-ADFSRelyingPartyTrust

Add-ADFSRelyingPartyTrust

Adds a new relying party trust to the Federation Service.

Syntax

Add-ADFSRelyingPartyTrust -Identifier <string> -Name <string> [-AutoUpdateEnabled <Boolean>] [-ClaimAccepted <ClaimDescription[]>] [-DelegationAuthorizationRules <string>] [-DelegationAuthorizationRulesFile <string>] [-Enabled <Boolean>] [-EncryptClaims <Boolean>] [-EncryptionCertificate <X509Certificate2>] [-EncryptionCertificateRevocationCheck <string>] [-ImpersonationAuthorizationRules <string>] [-ImpersonationAuthorizationRulesFile <string>] [-IssuanceAuthorizationRules <string>] [-IssuanceAuthorizationRulesFile <string>] [-IssuanceTransformRules <string>] [-IssuanceTransformRulesFile <string>] [-MonitoringEnabled <Boolean>] [-NotBeforeSkew <int>] [-Notes <string>] [-PassThru] [-ProtocolProfile <string>] [-RequestSigningCertificate <X509Certificate2[]>] [-RequiresEncryptedNameID <System.Nullable[bool]>] [-SamlEndpoint <PartnerEndpoint[]>] [-SamlResponseSignature <string>] [-SignatureAlgorithm <string>] [-SignedSamlRequestsRequired <System.Nullable[bool]>] [-SigningCertificateRevocationCheck <string>] [-TokenLifetime <int>] [-WSFedEndpoint <Uri>] [-Confirm] [-WhatIf] [<CommonParameters>]
  • Identifier

  • Name

  • AutoUpdateEnabled

  • ClaimAccepted

  • DelegationAuthorizationRules

  • DelegationAuthorizationRulesFile

  • Enabled

  • EncryptClaims

  • EncryptionCertificate

  • EncryptionCertificateRevocationCheck

  • ImpersonationAuthorizationRules

  • ImpersonationAuthorizationRulesFile

  • IssuanceAuthorizationRules

  • IssuanceAuthorizationRulesFile

  • IssuanceTransformRules

  • IssuanceTransformRulesFile

  • MonitoringEnabled

  • NotBeforeSkew

  • Notes

  • PassThru

  • ProtocolProfile

  • RequestSigningCertificate

  • RequiresEncryptedNameID

  • SamlEndpoint

  • SamlResponseSignature

  • SignatureAlgorithm

  • SignedSamlRequestsRequired

  • SigningCertificateRevocationCheck

  • TokenLifetime

  • WSFedEndpoint

  • Confirm

  • WhatIf

    Add-ADFSRelyingPartyTrust -Name [-AutoUpdateEnabled ] [-DelegationAuthorizationRules ] [-DelegationAuthorizationRulesFile ] [-Enabled ] [-EncryptClaims ] [-EncryptionCertificateRevocationCheck ] [-ImpersonationAuthorizationRules ] [-ImpersonationAuthorizationRulesFile ] [-IssuanceAuthorizationRules ] [-IssuanceAuthorizationRulesFile ] [-IssuanceTransformRules ] [-IssuanceTransformRulesFile ] [-MetadataFile ] [-MonitoringEnabled ] [-NotBeforeSkew ] [-Notes ] [-PassThru] [-ProtocolProfile ] [-RequiresEncryptedNameID <System.Nullable[bool]>] [-SamlResponseSignature ] [-SignatureAlgorithm ] [-SignedSamlRequestsRequired <System.Nullable[bool]>] [-SigningCertificateRevocationCheck ] [-TokenLifetime ] [-Confirm] [-WhatIf] []

  • Name

  • AutoUpdateEnabled

  • DelegationAuthorizationRules

  • DelegationAuthorizationRulesFile

  • Enabled

  • EncryptClaims

  • EncryptionCertificateRevocationCheck

  • ImpersonationAuthorizationRules

  • ImpersonationAuthorizationRulesFile

  • IssuanceAuthorizationRules

  • IssuanceAuthorizationRulesFile

  • IssuanceTransformRules

  • IssuanceTransformRulesFile

  • MetadataFile

  • MonitoringEnabled

  • NotBeforeSkew

  • Notes

  • PassThru

  • ProtocolProfile

  • RequiresEncryptedNameID

  • SamlResponseSignature

  • SignatureAlgorithm

  • SignedSamlRequestsRequired

  • SigningCertificateRevocationCheck

  • TokenLifetime

  • Confirm

  • WhatIf

    Add-ADFSRelyingPartyTrust -Name [-AutoUpdateEnabled ] [-DelegationAuthorizationRules ] [-DelegationAuthorizationRulesFile ] [-Enabled ] [-EncryptClaims ] [-EncryptionCertificateRevocationCheck ] [-ImpersonationAuthorizationRules ] [-ImpersonationAuthorizationRulesFile ] [-IssuanceAuthorizationRules ] [-IssuanceAuthorizationRulesFile ] [-IssuanceTransformRules ] [-IssuanceTransformRulesFile ] [-MetadataUrl ] [-MonitoringEnabled ] [-NotBeforeSkew ] [-Notes ] [-PassThru] [-ProtocolProfile ] [-RequiresEncryptedNameID <System.Nullable[bool]>] [-SamlResponseSignature ] [-SignatureAlgorithm ] [-SignedSamlRequestsRequired <System.Nullable[bool]>] [-SigningCertificateRevocationCheck ] [-TokenLifetime ] [-Confirm] [-WhatIf] []

  • Name

  • AutoUpdateEnabled

  • DelegationAuthorizationRules

  • DelegationAuthorizationRulesFile

  • Enabled

  • EncryptClaims

  • EncryptionCertificateRevocationCheck

  • ImpersonationAuthorizationRules

  • ImpersonationAuthorizationRulesFile

  • IssuanceAuthorizationRules

  • IssuanceAuthorizationRulesFile

  • IssuanceTransformRules

  • IssuanceTransformRulesFile

  • MetadataUrl

  • MonitoringEnabled

  • NotBeforeSkew

  • Notes

  • PassThru

  • ProtocolProfile

  • RequiresEncryptedNameID

  • SamlResponseSignature

  • SignatureAlgorithm

  • SignedSamlRequestsRequired

  • SigningCertificateRevocationCheck

  • TokenLifetime

  • Confirm

  • WhatIf

Detailed Description

The Add-ADFSRelyingPartyTrust cmdlet adds a new relying party trust to the Federation Service. A relying party trust can be specified manually, or a federation metadata document may be provided to bootstrap initial configuration.

Parameters

AutoUpdateEnabled

Specifies whether changes to the federation metadata at the MetadataURL that is being monitored are applied automatically to the configuration of the trust relationship. Partner claims, certificates, and endpoints are updated automatically if this parameter is enabled (true).
Note: When auto-update is enabled, fields that can be overwritten by metadata become read only.

Default Value: **

Data Type: Boolean

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

ClaimAccepted

Specifies the claims that this relying party accepts.

Default Value: **

Data Type: ClaimDescription[]

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

true

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

true (ByValue)

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

true

variableLength

DelegationAuthorizationRules

Specifies the delegation authorization rules for issuing claims to this relying party.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

true (ByPropertyName)

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

DelegationAuthorizationRulesFile

Specifies a file that contains the delegation authorization rules for issuing claims to this relying party.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

Enabled

Specifies whether the relying party trust is enabled.

Default Value: **

Data Type: Boolean

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

EncryptClaims

Specifies whether the claims that are sent to the relying party should be encrypted.

Default Value: **

Data Type: Boolean

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

EncryptionCertificate

Specifies the certificate to be used for encrypting claims that are issued to this relying party. Encrypting claims is optional.

Default Value: **

Data Type: X509Certificate2

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

EncryptionCertificateRevocationCheck

Specifies the type of validation that should occur for the encryption certificate it is used for encrypting claims to the relying party. Valid values are None, CheckEndCert, CheckEndCertCacheOnly, CheckChain, CheckChainCacheOnly, CheckChainExcludingRoot, and CheckChainExcludingRootCacheOnly.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

Identifier

Specifies the unique identifiers for this relying party trust. No other trust may use an identifier from this list. Uniform Resource Identifiers (URIs) are often used as unique identifiers for a relying party trust, but any string of characters may be used.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

ImpersonationAuthorizationRules

Specifies the impersonation authorization rules for issuing claims to this relying party.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

true (ByPropertyName)

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

ImpersonationAuthorizationRulesFile

Specifies the file that contains the impersonation authorization rules for issuing claims to this relying party.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

IssuanceAuthorizationRules

Specifies the issuance authorization rules for issuing claims to this relying party.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

true (ByPropertyName)

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

IssuanceAuthorizationRulesFile

Specifies the file containing the issuance authorization rules for issuing claims to this relying party.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

IssuanceTransformRules

Specifies the issuance transform rules for issuing claims to this relying party.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

IssuanceTransformRulesFile

Specifies the file that contains the issuance transform rules for issuing claims to this relying party.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

MetadataFile

Specifies a file path, such as c:\metadata.xml, that contains the federation metadata for this relying party trust.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

MetadataUrl

Specifies a URL at which the federation metadata for this relying party trust is available.

Default Value: **

Data Type: Uri

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

MonitoringEnabled

Specifies whether periodic monitoring of this relying party's federation metadata is enabled. The URL of the relying party's federation metadata is specified by the MetadataUrl parameter.

Default Value: **

Data Type: Boolean

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

Name

Specifies the friendly name of this relying party trust.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

NotBeforeSkew

Specifies the skew for the time stamp that marks the beginning of the validity period. The higher this number is, the further back in time the validity period will begin with respect to the time that the claims are issued for the relying party. By default, this value is 0. Use a number above 0 if validation is failing on the relying party because the validity period has not yet begun.

Default Value: **

Data Type: int

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

Notes

Specifies any notes for this relying party trust.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

PassThru

Passes an object to the pipeline. By default, this cmdlet does not generate any output.

Default Value: **

Data Type: SwitchParameter

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

ProtocolProfile

This parameter controls which protocol profiles the relying party supports. The protocols can be one of the following: {SAML, WsFederation, WsFed-SAML}. The default is WsFed-SAML, which indicates that both protocols are supported.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

RequestSigningCertificate

Specifies the certificate to be used to verify the signature on a request from the relying party.

Default Value: **

Data Type: X509Certificate2[]

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

true

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

true (ByValue)

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

true

variableLength

RequiresEncryptedNameID

Specifies whether this relying party requires the NameID claim to be encrypted.

Default Value: **

Data Type: System.Nullable[bool]

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

SamlEndpoint

Specifies the SAML protocol endpoints for this relying party.

Default Value: **

Data Type: PartnerEndpoint[]

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

true

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

true (ByValue)

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

true

variableLength

SamlResponseSignature

Specifies the response signature or signatures that the relying party expects. Valid values are AssertionOnly, MessageAndAssertion, and MessageOnly.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

SignatureAlgorithm

Specifies the signature algorithm that the relying party uses for signing and verification. Valid values are:
https://www.w3.org/2000/09/xmldsig\#rsa-sha1
https://www.w3.org/2001/04/xmldsig-more\#rsa-sha256

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

SignedSamlRequestsRequired

Specifies whether signed SAML protocol requests are required from this relying party. When the value of this parameter is true, unsigned SAML protocol requests will be rejected.

Default Value: **

Data Type: System.Nullable[bool]

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

SigningCertificateRevocationCheck

Specifies the type of certificate validation that should occur when signatures on requests from the relying party are verified. Valid values are None, CheckEndCert, CheckEndCertCacheOnly, CheckChain, CheckChainCacheOnly, CheckChainExcludingRoot, and CheckChainExcludingRootCacheOnly.

Default Value: **

Data Type: string

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

TokenLifetime

Specifies the duration in minutes for which the claims that are issued to the relying party are valid.

Default Value: **

Data Type: int

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

WSFedEndpoint

Specifies the WS-Federation Passive URL for this relying party.

Default Value: **

Data Type: Uri

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

true

required

Variable Length?

false

variableLength

Confirm

Prompts you for confirmation before executing the command.

Default Value: **

Data Type: SwitchParameter

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

true

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

WhatIf

Describes what would happen if you executed the command without actually executing the command.

Default Value: **

Data Type: SwitchParameter

Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

true

variableLength

Accept wildcard characters?

false

globbing

Accept Pipeline Input?

false

pipelineInput

Position?

named

position

Value Attributes

Name Value PSMAML Attribute

Required?

false

required

Variable Length?

false

variableLength

Input Type

None

Return Type

None

Notes

  • A relying party in Active Directory Federation Services (AD FS) 2.0 is an organization in which Web servers that host one or more Web-based applications reside. Tokens that originate from a claims provider can then be presented and ultimately consumed by the Web-based resources that are located in the relying party organization. When AD FS 2.0 is configured in the role of the relying party, it acts as a partner that trusts a claims provider to authenticate users. Therefore, the relying party consumes the claims that are packaged in security tokens that come from users in the claims provider. In other words, a relying party is the organization whose Web servers are protected by the resource-side federation server. The federation server in the relying party uses the security tokens that the claims provider produces to issue tokens to the Web servers that are located in the relying party.

Examples

-------------------------- EXAMPLE 1 --------------------------

Command Prompt: C:\PS>

 
Add-ADFSRelyingPartyTrust -Name 'Fabrikam' -MetadataURL 'https://fabrikam.com/federationmetadata/2007-06/federationmetadata.xml'                        

Description

-----------

Adds a relying party trust named Fabrikam for federation.

See Also

Reference

Get-ADFSRelyingPartyTrust
Remove-ADFSRelyingPartyTrust
Set-ADFSRelyingPartyTrust
Enable-ADFSRelyingPartyTrust
Disable-ADFSRelyingPartyTrust
Update-ADFSRelyingPartyTrust

Other Resources

Online version: