Add-ADFSClaimsProviderTrust
Add-ADFSClaimsProviderTrust
Adds a new claims provider trust to the Federation Service.
Syntax
Parameter Set: AllProperties
Add-ADFSClaimsProviderTrust -Identifier <String> -Name <String> -TokenSigningCertificate <X509Certificate2[]> [-AcceptanceTransformRules <String> ] [-AcceptanceTransformRulesFile <String> ] [-AllowCreate <Boolean> ] [-AutoUpdateEnabled <Boolean> ] [-ClaimOffered <ClaimDescription[]> ] [-Enabled <Boolean> ] [-EncryptedNameIdRequired <Boolean> ] [-EncryptionCertificate <X509Certificate2> ] [-EncryptionCertificateRevocationCheck <String> ] [-MonitoringEnabled <Boolean> ] [-Notes <String> ] [-PassThru] [-ProtocolProfile <String> ] [-RequiredNameIdFormat <Uri> ] [-SamlAuthenticationRequestIndex <UInt16> ] [-SamlAuthenticationRequestParameters <String> ] [-SamlAuthenticationRequestProtocolBinding <String> ] [-SamlEndpoint <SamlEndpoint[]> ] [-SignatureAlgorithm <String> ] [-SignedSamlRequestsRequired <Boolean> ] [-SigningCertificateRevocationCheck <String> ] [-WSFedEndpoint <Uri> ] [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: MetadataFile
Add-ADFSClaimsProviderTrust -Name <String> [-AcceptanceTransformRules <String> ] [-AcceptanceTransformRulesFile <String> ] [-AllowCreate <Boolean> ] [-AutoUpdateEnabled <Boolean> ] [-Enabled <Boolean> ] [-EncryptedNameIdRequired <Boolean> ] [-EncryptionCertificateRevocationCheck <String> ] [-MetadataFile <String> ] [-MonitoringEnabled <Boolean> ] [-Notes <String> ] [-PassThru] [-ProtocolProfile <String> ] [-RequiredNameIdFormat <Uri> ] [-SamlAuthenticationRequestIndex <UInt16> ] [-SamlAuthenticationRequestParameters <String> ] [-SamlAuthenticationRequestProtocolBinding <String> ] [-SignatureAlgorithm <String> ] [-SignedSamlRequestsRequired <Boolean> ] [-SigningCertificateRevocationCheck <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: MetadataUrl
Add-ADFSClaimsProviderTrust -Name <String> [-AcceptanceTransformRules <String> ] [-AcceptanceTransformRulesFile <String> ] [-AllowCreate <Boolean> ] [-AutoUpdateEnabled <Boolean> ] [-Enabled <Boolean> ] [-EncryptedNameIdRequired <Boolean> ] [-EncryptionCertificateRevocationCheck <String> ] [-MetadataUrl <Uri> ] [-MonitoringEnabled <Boolean> ] [-Notes <String> ] [-PassThru] [-ProtocolProfile <String> ] [-RequiredNameIdFormat <Uri> ] [-SamlAuthenticationRequestIndex <UInt16> ] [-SamlAuthenticationRequestParameters <String> ] [-SamlAuthenticationRequestProtocolBinding <String> ] [-SignatureAlgorithm <String> ] [-SignedSamlRequestsRequired <Boolean> ] [-SigningCertificateRevocationCheck <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]
Detailed Description
The Add-ADFSClaimsProviderTrust cmdlet adds a new claims provider trust to the Federation Service. A claims provider trust can be specified manually, or a federation metadata document may be provided to bootstrap initial configuration.
Parameters
-AcceptanceTransformRules<String>
Specifies the claim acceptance transform rules for accepting claims from this claims provider.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
true (ByPropertyName) |
Accept Wildcard Characters? |
false |
-AcceptanceTransformRulesFile<String>
Specifies a file containing the claim acceptance transform rules for accepting claims from this claims provider.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-AllowCreate<Boolean>
Specifies whether the SAML parameter AllowCreate should be sent in SAML requests to the claims provider. By default, this parameter is true.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-AutoUpdateEnabled<Boolean>
Specifies whether changes to the federation metadata at the MetadataURL that is being monitored are applied automatically to the configuration of the trust relationship. Partner claims, certificates, and endpoints are updated automatically if this parameter is enabled (true).
Note: When auto-update is enabled, fields that can be overwritten by metadata become read only.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-ClaimOffered<ClaimDescription[]>
Specifies the claims that are offered by this claims provider.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
true (ByValue) |
Accept Wildcard Characters? |
false |
-Enabled<Boolean>
Specifies whether the claims provider trust is enabled or disabled.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-EncryptedNameIdRequired<Boolean>
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-EncryptionCertificate<X509Certificate2>
Specifies the certificate to be used for encrypting a NameID to this claims provider in SAML logout requests. Encrypting the NameID is optional.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-EncryptionCertificateRevocationCheck<String>
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-Identifier<String>
Specifies the unique identifier for this claims provider trust. No other trust may use an identifier from this list. Uniform Resource Identifiers (URIs) are often used as unique identifiers for a claims provider trust, but any string of characters may be used.
Aliases |
none |
Required? |
true |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-MetadataFile<String>
Specifies a file path, such as c:\metadata.xml, that contains the federation metadata to be used when this claims provider trust is created.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-MetadataUrl<Uri>
Specifies a URL at which the federation metadata for this claims provider trust is available.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-MonitoringEnabled<Boolean>
Specifies whether periodic monitoring of this claims provider's federation metadata is enabled. The URL of the claims provider's federation metadata is specified by the MetadataUrl parameter.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-Name<String>
Specifies the friendly name of this claims provider trust.
Aliases |
none |
Required? |
true |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-Notes<String>
Specifies any notes for this claims provider trust.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-PassThru
Passes an object to the pipeline. By default, this cmdlet does not generate any output.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-ProtocolProfile<String>
This parameter controls which protocol profiles the claims provider supports. The protocols can be one of the following: {SAML, WsFederation, WsFed-SAML}. By default, this parameter is WsFed-SAML.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-RequiredNameIdFormat<Uri>
Specifies the format that is required for NameID claims to be included in SAML requests to the claims provider. By default, no format is required.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-SamlAuthenticationRequestIndex<UInt16>
Specifies the value of AssertionConsumerServiceIndex that will be placed in SAML authentication requests that are sent to the claims provider.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-SamlAuthenticationRequestParameters<String>
Specifies which of the parameters (AssertionConsumerServiceIndex, AssertitionConsumerServiceUrl, ProtocolBinding) will be used in SAML authentication requests to the claims provider. Specify a value from the set: {None, Index, Url, ProtocolBinding, UrlWithProtocolBinding}
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-SamlAuthenticationRequestProtocolBinding<String>
Specifies the value of ProtocolBinding that will be placed in SAML authentication requests to the claims provider. Use values from the set: {Artifact, Post, Redirect}
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-SamlEndpoint<SamlEndpoint[]>
Specifies the SAML protocol endpoints for this claims provider.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
true (ByValue) |
Accept Wildcard Characters? |
false |
-SignatureAlgorithm<String>
Specifies the signature algorithm that the claims provider uses for signing and verification. Valid values are:
http://www.w3.org/2000/09/xmldsig\#rsa-sha1
http://www.w3.org/2001/04/xmldsig-more\#rsa-sha256
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-SignedSamlRequestsRequired<Boolean>
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-SigningCertificateRevocationCheck<String>
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-TokenSigningCertificate<X509Certificate2[]>
Specifies the token-signing certificates to be used by the claims provider.
Aliases |
none |
Required? |
true |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
true (ByValue) |
Accept Wildcard Characters? |
false |
-WSFedEndpoint<Uri>
Specifies the WS-Federation Passive URL for this claims provider.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-Confirm
Prompts you for confirmation before running the cmdlet.
Required? |
false |
Position? |
named |
Default Value |
false |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? |
false |
Position? |
named |
Default Value |
false |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
<CommonParameters>
This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/p/?LinkID=113216).
Inputs
The input type is the type of the objects that you can pipe to the cmdlet.
- None
Outputs
The output type is the type of the objects that the cmdlet emits.
None
The claims provider is responsible for collecting and authenticating a user's credentials, building up claims for that user, and packaging the claims into security tokens or Information Cards. In other words, a claims provider represents the organization for whose users the claims provider issues security tokens or Information Cards on their behalf. When you configure AD FS 2.0 to use federation services, the role of the claims provider is to enable its users to access resources that a relying party organization hosts by establishing one side of a federation trust relationship. After the trust is established, tokens and Information Cards can be presented to the relying party across the federation trust.
Notes
- The claims provider is responsible for collecting and authenticating a user's credentials, building up claims for that user, and packaging the claims into security tokens or Information Cards. In other words, a claims provider represents the organization for whose users the claims provider issues security tokens or Information Cards on their behalf. When you configure AD FS 2.0 to use federation services, the role of the claims provider is to enable its users to access resources that a relying party organization hosts by establishing one side of a federation trust relationship. After the trust is established, tokens and Information Cards can be presented to the relying party across the federation trust.
Examples
-------------------------- EXAMPLE 1 --------------------------
Description
-----------
Adds a claims provider trust named Fabrikam for federation.
C:\PS>Add-ADFSClaimProviderTrust -Name 'Fabrikam' -MetadataURL 'https://fabrikam.com/federationmetadata/2007-06/federationmetadata.xml'
Related topics
Disable-ADFSClaimsProviderTrust
Enable-ADFSClaimsProviderTrust