Table of contents
TLS
TOC
Collapse the table of content
Expand the table of content

Set-AdfsClaimsProviderTrust

Brian Lich|Last Updated: 3/8/2017

SYNOPSIS

Sets the properties of a claims provider trust.

SYNTAX

IdentifierObject

Set-AdfsClaimsProviderTrust [-Name <String>] [-Identifier <String>] [-SignatureAlgorithm <String>]
 [-TokenSigningCertificate <X509Certificate2[]>] [-MetadataUrl <Uri>] [-AcceptanceTransformRules <String>]
 [-AcceptanceTransformRulesFile <String>] [-AllowCreate <Boolean>] [-AutoUpdateEnabled <Boolean>]
 [-CustomMFAUri <Uri>] [-SupportsMFA <Boolean>] [-WSFedEndpoint <Uri>]
 [-EncryptionCertificate <X509Certificate2>] [-EncryptionCertificateRevocationCheck <String>]
 [-MonitoringEnabled <Boolean>] [-Notes <String>] [-OrganizationalAccountSuffix <String[]>]
 [-LookupForests <String[]>] [-AlternateLoginID <String>] [-Force] [-ClaimOffered <ClaimDescription[]>]
 [-SamlEndpoint <SamlEndpoint[]>] [-ProtocolProfile <String>] [-RequiredNameIdFormat <Uri>]
 [-EncryptedNameIdRequired <Boolean>] [-SignedSamlRequestsRequired <Boolean>]
 [-SamlAuthenticationRequestIndex <UInt16>] [-SamlAuthenticationRequestParameters <String>]
 [-SamlAuthenticationRequestProtocolBinding <String>] [-SigningCertificateRevocationCheck <String>]
 [-PromptLoginFederation <PromptLoginFederation>] [-PromptLoginFallbackAuthenticationType <String>]
 [-AnchorClaimType <String>] -TargetClaimsProviderTrust <ClaimsProviderTrust> [-PassThru] [-WhatIf] [-Confirm]
 [<CommonParameters>]

TokenSigningCertificates

Set-AdfsClaimsProviderTrust [-Name <String>] [-Identifier <String>] [-SignatureAlgorithm <String>]
 [-TokenSigningCertificate <X509Certificate2[]>] [-MetadataUrl <Uri>] [-AcceptanceTransformRules <String>]
 [-AcceptanceTransformRulesFile <String>] [-AllowCreate <Boolean>] [-AutoUpdateEnabled <Boolean>]
 [-CustomMFAUri <Uri>] [-SupportsMFA <Boolean>] [-WSFedEndpoint <Uri>]
 [-EncryptionCertificate <X509Certificate2>] [-EncryptionCertificateRevocationCheck <String>]
 [-MonitoringEnabled <Boolean>] [-Notes <String>] [-OrganizationalAccountSuffix <String[]>]
 [-LookupForests <String[]>] [-AlternateLoginID <String>] [-Force] [-ClaimOffered <ClaimDescription[]>]
 [-SamlEndpoint <SamlEndpoint[]>] [-ProtocolProfile <String>] [-RequiredNameIdFormat <Uri>]
 [-EncryptedNameIdRequired <Boolean>] [-SignedSamlRequestsRequired <Boolean>]
 [-SamlAuthenticationRequestIndex <UInt16>] [-SamlAuthenticationRequestParameters <String>]
 [-SamlAuthenticationRequestProtocolBinding <String>] [-SigningCertificateRevocationCheck <String>]
 [-PromptLoginFederation <PromptLoginFederation>] [-PromptLoginFallbackAuthenticationType <String>]
 [-AnchorClaimType <String>] -TargetCertificate <X509Certificate2> [-PassThru] [-WhatIf] [-Confirm]
 [<CommonParameters>]

Identifier

Set-AdfsClaimsProviderTrust [-Name <String>] [-Identifier <String>] [-SignatureAlgorithm <String>]
 [-TokenSigningCertificate <X509Certificate2[]>] [-MetadataUrl <Uri>] [-AcceptanceTransformRules <String>]
 [-AcceptanceTransformRulesFile <String>] [-AllowCreate <Boolean>] [-AutoUpdateEnabled <Boolean>]
 [-CustomMFAUri <Uri>] [-SupportsMFA <Boolean>] [-WSFedEndpoint <Uri>]
 [-EncryptionCertificate <X509Certificate2>] [-EncryptionCertificateRevocationCheck <String>]
 [-MonitoringEnabled <Boolean>] [-Notes <String>] [-OrganizationalAccountSuffix <String[]>]
 [-LookupForests <String[]>] [-AlternateLoginID <String>] [-Force] [-ClaimOffered <ClaimDescription[]>]
 [-SamlEndpoint <SamlEndpoint[]>] [-ProtocolProfile <String>] [-RequiredNameIdFormat <Uri>]
 [-EncryptedNameIdRequired <Boolean>] [-SignedSamlRequestsRequired <Boolean>]
 [-SamlAuthenticationRequestIndex <UInt16>] [-SamlAuthenticationRequestParameters <String>]
 [-SamlAuthenticationRequestProtocolBinding <String>] [-SigningCertificateRevocationCheck <String>]
 [-PromptLoginFederation <PromptLoginFederation>] [-PromptLoginFallbackAuthenticationType <String>]
 [-AnchorClaimType <String>] -TargetIdentifier <String> [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]

IdentifierName

Set-AdfsClaimsProviderTrust [-Name <String>] [-Identifier <String>] [-SignatureAlgorithm <String>]
 [-TokenSigningCertificate <X509Certificate2[]>] [-MetadataUrl <Uri>] [-AcceptanceTransformRules <String>]
 [-AcceptanceTransformRulesFile <String>] [-AllowCreate <Boolean>] [-AutoUpdateEnabled <Boolean>]
 [-CustomMFAUri <Uri>] [-SupportsMFA <Boolean>] [-WSFedEndpoint <Uri>]
 [-EncryptionCertificate <X509Certificate2>] [-EncryptionCertificateRevocationCheck <String>]
 [-MonitoringEnabled <Boolean>] [-Notes <String>] [-OrganizationalAccountSuffix <String[]>]
 [-LookupForests <String[]>] [-AlternateLoginID <String>] [-Force] [-ClaimOffered <ClaimDescription[]>]
 [-SamlEndpoint <SamlEndpoint[]>] [-ProtocolProfile <String>] [-RequiredNameIdFormat <Uri>]
 [-EncryptedNameIdRequired <Boolean>] [-SignedSamlRequestsRequired <Boolean>]
 [-SamlAuthenticationRequestIndex <UInt16>] [-SamlAuthenticationRequestParameters <String>]
 [-SamlAuthenticationRequestProtocolBinding <String>] [-SigningCertificateRevocationCheck <String>]
 [-PromptLoginFederation <PromptLoginFederation>] [-PromptLoginFallbackAuthenticationType <String>]
 [-AnchorClaimType <String>] -TargetName <String> [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]

DESCRIPTION

The Set-AdfsClaimsProviderTrust cmdlet configures the trust relationship with a claims provider.

EXAMPLES

Example 1: Enable auto-update for a claims provider trust

PS C:\> Set-ADFSClaimsProviderTrust -TargetName "Fabrikam claims provider" -AutoUpdateEnabled $False

This command enables auto-update for the claims provider trust named Fabrikam claims provider.

PARAMETERS

-AcceptanceTransformRules

Specifies the claim acceptance transform rules for accepting claims from this claims provider. These rules determine the information that is accepted from the partner represented by the claims provider trust.

Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-AcceptanceTransformRulesFile

Specifies a file that contains the claim acceptance transform rules for accepting claims from this claims provider.

Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-AllowCreate

Indicates whether the Security Assertion Markup Language (SAML) parameter AllowCreate is sent in SAML requests to the claims provider. The default value is True.

Type: Boolean
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-AlternateLoginID

Specifies the LDAP name of the attribute that you want to use for login.

Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-AnchorClaimType

Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-AutoUpdateEnabled

Indicates whether changes to the federation metadata by the MetadataURL parameter apply automatically to the configuration of the trust relationship. If this parameter has a value of $True, partner claims, certificates, and endpoints are updated automatically.

Note: When auto-update is enabled, fields that can be overwritten by metadata become read only.

Type: Boolean
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ClaimOffered

Specifies an array of claims that are offered by this claims provider.

Type: ClaimDescription[]
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-CustomMFAUri

Type: Uri
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-EncryptedNameIdRequired

Indicates whether the relying party requires that the NameID claim be encrypted. This setting applies to SAML logout requests.

Type: Boolean
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-EncryptionCertificate

Specifies the certificate to be used for encrypting a NameID to this claims provider in SAML logout requests. Encrypting the NameID is optional.

Type: X509Certificate2
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-EncryptionCertificateRevocationCheck

Specifies the type of validation that occurs for the encryption certificate before it is used for encrypting claims. The acceptable values for this parameter are:

  • None
  • CheckEndCert
  • CheckEndCertCacheOnly
  • CheckChain
  • CheckChainCacheOnly
  • CheckChainExcludeRoot
  • CheckChainExcludeRootCacheOnly
Type: String
Parameter Sets: (All)
Aliases: 
Accepted values: CheckChain, CheckChainCacheOnly, CheckChainExcludeRoot, CheckChainExcludeRootCacheOnly, CheckEndCert, CheckEndCertCacheOnly, None

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Force

Forces the command to run without asking for user confirmation.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Identifier

Specifies the unique identifier for this claims provider trust. No other trust can use an identifier from this list. Uniform Resource Identifiers (URIs) are often used as unique identifiers for a claims provider trust, but you can use any string of characters.

Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-LookupForests

Specifies the forest DNS names that can be used to look up the AlternateLoginID.

Type: String[]
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-MetadataUrl

Specifies the URL at which the federation metadata for this claims provider trust is available.

Type: Uri
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-MonitoringEnabled

Indicates whether periodic monitoring of this claims provider's federation metadata is enabled. The URL of the claims provider's federation metadata is specified by the MetadataUrl parameter.

Type: Boolean
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Name

Specifies the friendly name of this claims provider trust.

Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Notes

Specifies notes for this claims provider trust.

Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-OrganizationalAccountSuffix

Specifies a list of organizational account suffixes that an administrator can configure for the claims provider trust for Home Realm Discovery (HRD) scenarios.

Type: String[]
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-PassThru

Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-PromptLoginFallbackAuthenticationType

Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-PromptLoginFederation

The acceptable values for this parameter are:

  • None. Do not federate prompt=login request and error instead.
  • FallbackToProtocolSpecificParameters. Translate prompt=login to wfresh=0 and Wauth=forms during federation. If wauth is present in the original request, it will be preserved.
  • ForwardPromptAndHintsOverWsFederation. Forward prompt, login_hint, and domain_hint parameters during federation.
Type: PromptLoginFederation
Parameter Sets: (All)
Aliases: 
Accepted values: None, FallbackToProtocolSpecificParameters, ForwardPromptAndHintsOverWsFederation

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ProtocolProfile

Specifies which protocol profiles the claims provider supports. The acceptable values for this parameter are:

  • SAML
  • WsFederation
  • WsFed-SAML

By default, both SAML and WS-Federation protocols are supported.

Type: String
Parameter Sets: (All)
Aliases: 
Accepted values: WsFed-SAML, WSFederation, SAML

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-RequiredNameIdFormat

Specifies the format that is required for NameID claims to be included in SAML requests to the claims provider. By default, no format is required.

Type: Uri
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SamlAuthenticationRequestIndex

Specifies the value of AssertionConsumerServiceIndex that is placed in SAML authentication requests that are sent to the claims provider.

Type: UInt16
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SamlAuthenticationRequestParameters

Specifies which of the following parameters to use in SAML authentication requests to the claims provider: AssertionConsumerServiceIndex, AssertitionConsumerServiceUrl, and ProtocolBinding. The acceptable values for this parameter are:

  • None
  • Index
  • Url
  • ProtocolBinding
  • UrlWithProtocolBinding
Type: String
Parameter Sets: (All)
Aliases: 
Accepted values: Index, None, , ProtocolBinding, Url, UrlWithProtocolBinding

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SamlAuthenticationRequestProtocolBinding

Specifies the value of ProtocolBinding to place in SAML authentication requests to the claims provider. The acceptable values for this parameter are:

  • Artifact
  • POST
  • Redirect
Type: String
Parameter Sets: (All)
Aliases: 
Accepted values: Artifact, , POST, Redirect

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SamlEndpoint

Specifies an array of SAML protocol endpoints for this claims provider.

Type: SamlEndpoint[]
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-SignatureAlgorithm

Specifies the signature algorithm that the claims provider uses for signing and verification. The acceptable values for this parameter are:

Type: String
Parameter Sets: (All)
Aliases: 
Accepted values: http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SignedSamlRequestsRequired

Indicates whether the Federation Service requires signed SAML protocol requests from the relying party. If you specify a value of $True, the Federation Service rejects unsigned SAML protocol requests.

Type: Boolean
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SigningCertificateRevocationCheck

Specifies the type of certificate validation that occurs when signatures are verified on responses or assertions from the claims provider. The acceptable values for this parameter are:

  • None
  • CheckEndCert
  • CheckEndCertCacheOnly
  • CheckChain
  • CheckChainCacheOnly
  • CheckChainExcludeRoot
  • CheckChainExcludeRootCacheOnly
Type: String
Parameter Sets: (All)
Aliases: 
Accepted values: CheckChain, CheckChainCacheOnly, CheckChainExcludeRoot, CheckChainExcludeRootCacheOnly, CheckEndCert, CheckEndCertCacheOnly, None

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SupportsMFA

Type: Boolean
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TargetCertificate

Specifies the certificate of the claims provider trust that is modified by the cmdlet.

Type: X509Certificate2
Parameter Sets: TokenSigningCertificates
Aliases: 

Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-TargetClaimsProviderTrust

Specifies a ClaimsProviderTrust object. The cmdlet modifies the claims provider trust that you specify. To obtain a ClaimsProviderTrust object, use the Get-AdfsClaimsProviderTrust cmdlet.

Type: ClaimsProviderTrust
Parameter Sets: IdentifierObject
Aliases: 

Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-TargetIdentifier

Specifies the identifier of the claims provider trust that is modified by the cmdlet.

Type: String
Parameter Sets: Identifier
Aliases: 

Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-TargetName

Specifies the friendly name of the claims provider trust that is modified by the cmdlet.

Type: String
Parameter Sets: IdentifierName
Aliases: 

Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-TokenSigningCertificate

Specifies an array of token-signing certificates that the claims provider use.

Type: X509Certificate2[]
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-WSFedEndpoint

Specifies the WS-Federation Passive URL for this claims provider.

Type: Uri
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

Microsoft.IdentityServer.PowerShell.Resources.ClaimsProviderTrust

A class structure that represents a claims provider trust.

OUTPUTS

None

NOTES

  • The claims provider collects and authenticates a user's credentials, builds up claims for that user, and packages the claims into security tokens or Information Cards. In other words, a claims provider represents the organization for whose users the claims provider issues security tokens or Information Cards on their behalf. When you configure Active Directory Federation Services (AD FS) 2.0, the role of the claims provider is to enable its users to access resources that are hosted in a relying party organization by establishing one side of a federation trust relationship. After the trust is established, tokens and Information Cards can be presented to a relying party across the federation trust.

Disable-AdfsClaimsProviderTrust

Enable-AdfsClaimsProviderTrust

Get-AdfsClaimsProviderTrust

Remove-AdfsClaimsProviderTrust

Update-AdfsClaimsProviderTrust

© 2017 Microsoft