Add-ADFSClaimsProviderTrust

  • Article

Add-ADFSClaimsProviderTrust

Adds a new claims provider trust to the Federation Service.

Syntax

Parameter Set: AllProperties
Add-ADFSClaimsProviderTrust -Identifier <String> -Name <String> -TokenSigningCertificate <X509Certificate2[]> [-AcceptanceTransformRules <String> ] [-AcceptanceTransformRulesFile <String> ] [-AllowCreate <Boolean> ] [-AutoUpdateEnabled <Boolean> ] [-ClaimOffered <ClaimDescription[]> ] [-Enabled <Boolean> ] [-EncryptedNameIdRequired <Boolean> ] [-EncryptionCertificate <X509Certificate2> ] [-EncryptionCertificateRevocationCheck <String> ] [-MonitoringEnabled <Boolean> ] [-Notes <String> ] [-PassThru] [-ProtocolProfile <String> ] [-RequiredNameIdFormat <Uri> ] [-SamlAuthenticationRequestIndex <UInt16> ] [-SamlAuthenticationRequestParameters <String> ] [-SamlAuthenticationRequestProtocolBinding <String> ] [-SamlEndpoint <SamlEndpoint[]> ] [-SignatureAlgorithm <String> ] [-SignedSamlRequestsRequired <Boolean> ] [-SigningCertificateRevocationCheck <String> ] [-WSFedEndpoint <Uri> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: MetadataFile
Add-ADFSClaimsProviderTrust -Name <String> [-AcceptanceTransformRules <String> ] [-AcceptanceTransformRulesFile <String> ] [-AllowCreate <Boolean> ] [-AutoUpdateEnabled <Boolean> ] [-Enabled <Boolean> ] [-EncryptedNameIdRequired <Boolean> ] [-EncryptionCertificateRevocationCheck <String> ] [-MetadataFile <String> ] [-MonitoringEnabled <Boolean> ] [-Notes <String> ] [-PassThru] [-ProtocolProfile <String> ] [-RequiredNameIdFormat <Uri> ] [-SamlAuthenticationRequestIndex <UInt16> ] [-SamlAuthenticationRequestParameters <String> ] [-SamlAuthenticationRequestProtocolBinding <String> ] [-SignatureAlgorithm <String> ] [-SignedSamlRequestsRequired <Boolean> ] [-SigningCertificateRevocationCheck <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: MetadataUrl
Add-ADFSClaimsProviderTrust -Name <String> [-AcceptanceTransformRules <String> ] [-AcceptanceTransformRulesFile <String> ] [-AllowCreate <Boolean> ] [-AutoUpdateEnabled <Boolean> ] [-Enabled <Boolean> ] [-EncryptedNameIdRequired <Boolean> ] [-EncryptionCertificateRevocationCheck <String> ] [-MetadataUrl <Uri> ] [-MonitoringEnabled <Boolean> ] [-Notes <String> ] [-PassThru] [-ProtocolProfile <String> ] [-RequiredNameIdFormat <Uri> ] [-SamlAuthenticationRequestIndex <UInt16> ] [-SamlAuthenticationRequestParameters <String> ] [-SamlAuthenticationRequestProtocolBinding <String> ] [-SignatureAlgorithm <String> ] [-SignedSamlRequestsRequired <Boolean> ] [-SigningCertificateRevocationCheck <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Detailed Description

The Add-ADFSClaimsProviderTrust cmdlet adds a new claims provider trust to the Federation Service. A claims provider trust can be specified manually, or a federation metadata document may be provided to bootstrap initial configuration.

Parameters

-AcceptanceTransformRules<String>

Specifies the claim acceptance transform rules for accepting claims from this claims provider.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-AcceptanceTransformRulesFile<String>

Specifies a file containing the claim acceptance transform rules for accepting claims from this claims provider.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-AllowCreate<Boolean>

Specifies whether the SAML parameter AllowCreate should be sent in SAML requests to the claims provider. By default, this parameter is true.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-AutoUpdateEnabled<Boolean>

Specifies whether changes to the federation metadata at the MetadataURL that is being monitored are applied automatically to the configuration of the trust relationship. Partner claims, certificates, and endpoints are updated automatically if this parameter is enabled (true).

Note: When auto-update is enabled, fields that can be overwritten by metadata become read only.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ClaimOffered<ClaimDescription[]>

Specifies the claims that are offered by this claims provider.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByValue)

Accept Wildcard Characters?

false

-Enabled<Boolean>

Specifies whether the claims provider trust is enabled or disabled.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-EncryptedNameIdRequired<Boolean>

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-EncryptionCertificate<X509Certificate2>

Specifies the certificate to be used for encrypting a NameID to this claims provider in SAML logout requests. Encrypting the NameID is optional.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-EncryptionCertificateRevocationCheck<String>

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Identifier<String>

Specifies the unique identifier for this claims provider trust. No other trust may use an identifier from this list. Uniform Resource Identifiers (URIs) are often used as unique identifiers for a claims provider trust, but any string of characters may be used.

Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-MetadataFile<String>

Specifies a file path, such as c:\metadata.xml, that contains the federation metadata to be used when this claims provider trust is created.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-MetadataUrl<Uri>

Specifies a URL at which the federation metadata for this claims provider trust is available.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-MonitoringEnabled<Boolean>

Specifies whether periodic monitoring of this claims provider's federation metadata is enabled. The URL of the claims provider's federation metadata is specified by the MetadataUrl parameter.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Name<String>

Specifies the friendly name of this claims provider trust.

Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Notes<String>

Specifies any notes for this claims provider trust.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-PassThru

Passes an object to the pipeline. By default, this cmdlet does not generate any output.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ProtocolProfile<String>

This parameter controls which protocol profiles the claims provider supports. The protocols can be one of the following: {SAML, WsFederation, WsFed-SAML}. By default, this parameter is WsFed-SAML.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-RequiredNameIdFormat<Uri>

Specifies the format that is required for NameID claims to be included in SAML requests to the claims provider. By default, no format is required.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-SamlAuthenticationRequestIndex<UInt16>

Specifies the value of AssertionConsumerServiceIndex that will be placed in SAML authentication requests that are sent to the claims provider.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-SamlAuthenticationRequestParameters<String>

Specifies which of the parameters (AssertionConsumerServiceIndex, AssertitionConsumerServiceUrl, ProtocolBinding) will be used in SAML authentication requests to the claims provider. Specify a value from the set: {None, Index, Url, ProtocolBinding, UrlWithProtocolBinding}

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-SamlAuthenticationRequestProtocolBinding<String>

Specifies the value of ProtocolBinding that will be placed in SAML authentication requests to the claims provider. Use values from the set: {Artifact, Post, Redirect}

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-SamlEndpoint<SamlEndpoint[]>

Specifies the SAML protocol endpoints for this claims provider.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByValue)

Accept Wildcard Characters?

false

-SignatureAlgorithm<String>

Specifies the signature algorithm that the claims provider uses for signing and verification. Valid values are:

http://www.w3.org/2000/09/xmldsig\#rsa-sha1

http://www.w3.org/2001/04/xmldsig-more\#rsa-sha256

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-SignedSamlRequestsRequired<Boolean>

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-SigningCertificateRevocationCheck<String>

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-TokenSigningCertificate<X509Certificate2[]>

Specifies the token-signing certificates to be used by the claims provider.

Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByValue)

Accept Wildcard Characters?

false

-WSFedEndpoint<Uri>

Specifies the WS-Federation Passive URL for this claims provider.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Confirm

Prompts you for confirmation before running the cmdlet.

Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see    about_CommonParameters.

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

  • None

Outputs

The output type is the type of the objects that the cmdlet emits.

  • None

    The claims provider is responsible for collecting and authenticating a user's credentials, building up claims for that user, and packaging the claims into security tokens or Information Cards. In other words, a claims provider represents the organization for whose users the claims provider issues security tokens or Information Cards on their behalf. When you configure AD FS 2.0 to use federation services, the role of the claims provider is to enable its users to access resources that a relying party organization hosts by establishing one side of a federation trust relationship. After the trust is established, tokens and Information Cards can be presented to the relying party across the federation trust.

Notes

  • The claims provider is responsible for collecting and authenticating a user's credentials, building up claims for that user, and packaging the claims into security tokens or Information Cards. In other words, a claims provider represents the organization for whose users the claims provider issues security tokens or Information Cards on their behalf. When you configure AD FS 2.0 to use federation services, the role of the claims provider is to enable its users to access resources that a relying party organization hosts by establishing one side of a federation trust relationship. After the trust is established, tokens and Information Cards can be presented to the relying party across the federation trust.

Examples

-------------------------- EXAMPLE 1 --------------------------

Description

-----------

Adds a claims provider trust named Fabrikam for federation.

C:\PS>Add-ADFSClaimProviderTrust -Name 'Fabrikam' -MetadataURL 'https://fabrikam.com/federationmetadata/2007-06/federationmetadata.xml'

Disable-ADFSClaimsProviderTrust

Enable-ADFSClaimsProviderTrust

Get-ADFSClaimsProviderTrust

Remove-ADFSClaimsProviderTrust

Set-ADFSClaimsProviderTrust

Update-ADFSClaimsProviderTrust