Managing Trust Policy
This topic contains example scripts that you can use to manage ADFS Trust Policy.
C# Scripts
Set Up Configurable Namespaces in the Trust Policy File
You can edit the Trust Policy file to configure the name and the namespace of each claim in the token sent by the Federation Services account partner (FS-A) to the Federation Services resource partner (FS-R), or to configure the namespaces of the tokens that will be accepted by the FS-R from the FS-A. This cannot be used to change the namespaces of claims in cookies.
For example, for an e-mail claim, you can configure the namespace to be "https://treyresearch" rather than the default value, "https://schemas.xmlsoap.org/claims". You can also change the name of the e-mail claim from "EmailAddress" to "EMAIL".
The Trust Policy files should have the same configuration on both the FS-A and the FS-R. If they do not match, the token sent by the FS-A might be rejected by the FS-R.
Note that ADFS ignores the values in <TrustNamespace>, <PolicyNamespace>, and <AddressingNamespace>. If these values are not matched in the Trust Policy files on both the FS-A and the FS-R, this will not cause the FS-R to reject the token sent by the FS-A.
The following code snippet shows how to configure these values:
using System;
using System.Web.Security.SingleSignOn;
// ...
TrustPolicy tp = TrustPolicy.Load(@"c:\windows\systemdata\adfs\trustpolicy.xml", false);
Namespaces configureNS = new Namespaces();
configureNS.AddressingNamespace = "treyresearch";
configureNS.CommonNameAttributeName = "test-commonclaim";
configureNS.CommonNameAttributeNamespace = "https://treyresearch";
configureNS.CommonNameNameIdentifierFormat = "http://testCNIDFormat";
configureNS.EmailAttributeName = "test-emailclaim";
configureNS.EmailAttributeNamespace = "https://treyresearch";
configureNS.EmailNameIdentifierFormat = "http://treyresearch";
configureNS.GroupAttributeName = "test-group";
configureNS.GroupAttributeNamespace = "https://treyresearch";
configureNS.NameValueAttributeNamespace = "http://treyresearch";
configureNS.PolicyNamespace = "https://treyresearch";
configureNS.TrustNamespace = "https://treyresearch";
configureNS.UpnAttributeName = "test-upn";
configureNS.UpnAttributeNamespace = "https://treyresearch";
configureNS.UpnNameIdentifierFormat = "http://treyresearch";
TrustRealm partner = null;
//Check if this is a account partner.
partner = (TrustRealm)tp.TrustedRealms[trustRealmURI];
/* If the URI is not found in the list of account partners, we look in the list of resource partners. */
if (null == partner)
{
partner = (TrustRealm)tp.TrustingRealms[trustRealmURI];
}
// If we still don't find this partner, throw an exception.
if (null == partner || String.Empty.Equals(partner))
{
throw new Exception(String.Format("Partner: {0} not found in Trust Policy file", trustRealmURI));
}
//Configure the new namespaces for this partner realm.
partner.Namespaces = newNS;
Enumerate Application Partners
This script enumerates the friendly names and URLs of all the applications serviced by the Federation Service. To run it, create a Visual Studio console application and add a reference to System.Web.Security.SingleSignOn.dll. You may need to modify the location of the Trust Policy file.
using System;
using System.Collections.Generic;
using System.Text;
using System.Web.Security.SingleSignOn;
namespace ConsoleApplication1
{
class Program
{
static void Main(string[] args)
{
TrustPolicy tp = TrustPolicy.Load(@"c:\windows\systemdata\adfs\trustpolicy.xml", false);
foreach (TrustingApplication ta in tp.TrustingApplications)
{
Console.WriteLine("{0} = {1}", ta.TrustEntryDisplayName, ta.TrustPolicyEntryUri);
}
}
}
}
VBScript Scripts
The following scripts require CScript, which can be set as the default script engine by typing "cscript /H:CScript" at a command prompt.
Create A Trust Policy File
The following example shows how to build a Trust Policy file from scratch. You will need to modify the certificate file paths, URIs, and URLs to match your configuration.
Option Explicit
Dim tpf ' Trust policy factory
Dim cf ' Claim Factory
Dim tp ' TrustPolicy
Dim crPurchaseAgent, crAuditor ' Corporate Groups
Dim ccPurchaseLimit ' Corporate Custom Claims
Dim trTrusting ' TrustingRealms
Dim trSample ' TrustedRealms
Dim app ' TrustingApplications
Dim adrPurchaseAgent, adrAuditor ' AD Groups
Dim commonSuffixXform, commonCnXform
WScript.StdOut.WriteLine("Building Trust Policy for adatum")
'
' Create factories
'
set tpf = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")
set cf = CreateObject("System.Web.Security.SingleSignOn.ClaimFactory")
'
' Create the TrustPolicy
'
set tp = tpf.CreateNewTrustPolicy(True, 0) ' initialize certs, RevocationFlags.None
'
' Hosted realm attributes
'
tp.TrustPolicyEntryUri = "urn:federation:adatum"
tp.TrustEntryDisplayName = "ADATUM"
tp.LsUrl = "https://contoso/adatum/ls/"
tp.VerificationMethod.AddNewTrustedCertificate("c:\websso\certs\contoso.cer")
tp.CookiePath = "/adatum"
tp.LogonAcceleratorTokenLifetimeInMinutes = 1
'
' Corporate Claims
'
'
' - Corporate Groups
'
set crPurchaseAgent = cf.CreateGroup("PurchaseAgent")
tp.CorporateClaims.GroupClaims.Add(crPurchaseAgent)
set crAuditor = cf.CreateGroup("Auditor")
tp.CorporateClaims.GroupClaims.Add(crAuditor)
'
' - Corporate Custom claims
'
set ccPurchaseLimit = cf.CreateCustom("PurchaseLimit")
tp.CorporateClaims.CustomClaims.Add(ccPurchaseLimit)
'
' Account Stores
'
'
' - Active Directory
'
tp.TrustedAccountStores.NewActiveDirectoryStore()
tp.TrustedAccountStores.ActiveDirectory.TrustEntryDisplayName = "Active Directory"
'
' - AD Group Population
'
set adrPurchaseAgent = cf.CreateADGroupGeneration(crPurchaseAgent)
adrPurchaseAgent.Sids.Add("S-1-5-21-3081723463-1087348054-3379165843-1114") 'user
tp.TrustedAccountStores.ActiveDirectory.GroupGenerations.Add(adrPurchaseAgent)
set adrAuditor = cf.CreateADGroupGeneration(crAuditor)
adrAuditor.Sids.Add("S-1-5-21-3081723463-1087348054-3379165843-500") 'admin
tp.TrustedAccountStores.ActiveDirectory.GroupGenerations.Add(adrAuditor)
'
' - AD LDAP Claims
'
tp.TrustedAccountStores.ActiveDirectory.CreateLdapDirectory()
tp.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.EmailAttribute = "mail"
tp.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.CommonNameAttribute = "CN"
tp.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.CustomClaimLdapAttributes.Add(cf.CreateCustomClaimLdapAttribute(ccPurchaseLimit, "company"))
'
' Trusted Realms
'
'
' - Sample
'
set trSample = tp.NewTrustedRealm("urn:federation:sample", _
"SAMPLE", _
"https://contoso/sample/ls/", _
0) 'RevocationFlags.None
trSample.VerificationMethod.AddNewTrustedCertificate("c:\websso\certs\contoso.cer")
set commonCnXform = CreateObject("System.Web.Security.SingleSignOn.CommonNameClaimTransform")
commonCnXform.PassThroughCommonName = true
trSample.ClaimTransformation.CommonNameClaimTransformation = commonCnXform
trSample.ClaimTransformation.UpnSuffixValidationTransform.SuffixList.Add("vtestdom.nttest.sample.com")
trSample.ClaimTransformation.EmailSuffixValidationTransform.SuffixList.Add("vtestdom.nttest.sample.com")
trSample.ClaimTransformation.GroupTransformations.Add(cf.CreateGroupClaimTransform(crPurchaseAgent, "PurchasingAgent"))
trSample.ClaimTransformation.GroupTransformations.Add(cf.CreateGroupClaimTransform(crAuditor, "Auditor"))
trSample.ClaimTransformation.CustomClaimTransformations.Add(cf.CreateCustomClaimTransform(ccPurchaseLimit, "PurchaseLimit"))
'
' Trusting Realms
'
'
' - Sample
'
set trTrusting = tp.NewTrustingRealm("urn:federation:trey research", _
"Trey Research", _
"https://trey/ls/")
set commonSuffixXform = CreateObject("System.Web.Security.SingleSignOn.NameSuffixTransform")
commonSuffixXform.Suffix = "vtestdom.nttest.microsoft.com"
set commonCnXform = CreateObject("System.Web.Security.SingleSignOn.CommonNameClaimTransform")
commonCnXform.PassThroughCommonName = true
trTrusting.ClaimTransformation.UpnSuffixTransformation = commonSuffixXform
trTrusting.ClaimTransformation.EmailSuffixTransformation = commonSuffixXform
trTrusting.ClaimTransformation.CommonNameClaimTransformation = commonCnXform
trTrusting.ClaimTransformation.GroupTransformations.Add(cf.CreateGroupClaimTransform(crPurchaseAgent, "PurchasingAgent"))
trTrusting.ClaimTransformation.GroupTransformations.Add(cf.CreateGroupClaimTransform(crAuditor, "Auditor"))
trTrusting.ClaimTransformation.CustomClaimTransformations.Add(cf.CreateCustomClaimTransform(ccPurchaseLimit, "PurchaseLimit"))
'
' Applications
'
set app = tp.NewTrustingApplication("https://contoso", "SharePoint App")
'
' Claim Xform for App
'
app.ClaimTransformation.ClaimFilteringTransformation.AllowUpnClaim = true
set app = tp.NewTrustingApplication("https://contoso/simpleapp/simpleapp.aspx", "Simple App")
'
' Claim Xform for App
'
app.ClaimTransformation.ClaimFilteringTransformation.AllowUpnClaim = true
app.ClaimTransformation.ClaimFilteringTransformation.AllowEmailClaim = true
app.ClaimTransformation.ClaimFilteringTransformation.AllowCommonNameClaim = true
app.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(crPurchaseAgent)
app.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(crAuditor)
app.ClaimTransformation.ClaimFilteringTransformation.AllowedCustomClaimUuids.Add(ccPurchaseLimit)
WScript.StdOut.WriteLine("Outputting Trust Policy to SampleTrustPolicy.xml")
tp.Write("SampleTrustPolicy.xml")
Configure an Account Partner Federation Server
This script generates a Trust Policy file. It shows how to configure an account partner Federation server. Conventionally an account partner FS has an AD store, an optional Adam store and configuration information for one or more Resource partners.
Throughout this script, the name "adatumsts" represents a account partner and the name "treysts" represents a resource partner.
This script takes the following parameters:
The path to this FS's token signing certificate. You will need to have this certificate with private key in the Local Computer store for token signing to work.
The path of the LS client authentication certificate. This certificate is used by FS-Proxy to communicate with FS. This certificate need not be present in the certificate store of the FS computer.
The location (with the file name) where this trustpolicy file will be created. Give the complete path with the name of the file.
Option Explicit
Dim ArgObj, tokenSignCert, proxyCert, OutPath
Set ArgObj=WScript.Arguments
If ArgObj.Count <> 3 Then
WScript.StdErr.WriteLine("Usage: accountPartnerFS.vbs tokenSignCert proxyCert OutputFilePath")
WScript.Quit()
Else
tokenSignCert = ArgObj.Item(0)
proxyCert = ArgObj.Item(1)
OutPath = ArgObj.Item(2)
End If
Dim trustPolicyObj ' Trust policy factory
Dim claimsObj ' Claim Factory
Dim trustPolicy ' TrustPolicy
Dim corpGrpFormSubmitter, corpGrpFormApprover ' Corporate Groups
Dim corpCustomPosition 'Corporate Custom Claims
Dim trustingRealmTrey
Dim adGroup1, adGroup2
Dim commonSuffixXform, commonCNXform
' Create Objects/Factory
set trustPolicyObj = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")
set claimsObj = CreateObject("System.Web.Security.SingleSignOn.ClaimFactory")
' Create the TrustPolicy. This instance is used to configure the
' trustpolicy file.
set trustPolicy = trustPolicyObj.CreateNewTrustPolicy(True,CheckChainExcludeRoot) ' initialize certs
trustPolicy.CookiePath="/adfs/ls"
' Hosted realm attributes
' This is the FS's URI. All FS's (one or more in case of a farm
' scenario where many FS's share a trustpolicy file) using this
' trustpolicy file should have unique URI.
trustPolicy.TrustPolicyEntryUri = "urn:federation:adatum"
' This is the Federation Service Endpoint URL.
trustPolicy.LsUrl = "https://ADATUMSTS/adfs/ls/"
' This is the certificate that will be used by this FS for verifying
' its own cookies.
trustPolicy.VerificationMethod.AddNewTrustedCertificate(tokenSignCert)
' This is certificate that is used in SSL authentication when a
' FS-Proxy talks to this FS.
trustPolicy.AddLSClientCertificate(proxyCert)
' Define Corporate Groups. Please read documentation to understand the
' concept of corporate claims.
set corpGrpFormSubmitter = claimsObj.CreateGroup("Employee")
trustPolicy.CorporateClaims.GroupClaims.Add(corpGrpFormSubmitter)
set corpGrpFormApprover = claimsObj.CreateGroup("Manager")
trustPolicy.CorporateClaims.GroupClaims.Add(corpGrpFormApprover)
' Define Corporate Custom Claims. A custom claim is a name-value pair
' entity.
set corpCustomPosition = claimsObj.CreateCustom("Position")
trustPolicy.CorporateClaims.CustomClaims.Add(corpCustomPosition)
' Active Directory Store. This is the AD store of the domain to which
' this computer is joined.
trustPolicy.TrustedAccountStores.NewActiveDirectoryStore()
trustPolicy.TrustedAccountStores.ActiveDirectory.TrustEntryDisplayName = "AD Store"
' Active Directory Group Claims Population. Here we are mapping
' corporate group claims (created above) to AD groups.
set adGroup1 = claimsObj.CreateADGroupGeneration(corpGrpFormSubmitter)
adGroup1.Sids.Add("S-1-1-0")
trustPolicy.TrustedAccountStores.ActiveDirectory.GroupGenerations.Add(adGroup1)
set adGroup2 = claimsObj.CreateADGroupGeneration(corpGrpFormApprover)
adGroup2.Sids.Add("S-1-5-11")
trustPolicy.TrustedAccountStores.ActiveDirectory.GroupGenerations.Add(adGroup2)
' Active Directory LDAP Claims. Mapping corporate claims to AD user
' account's attributes.
trustPolicy.TrustedAccountStores.ActiveDirectory.CreateLdapDirectory()
trustPolicy.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.EmailAttribute = "mail"
trustPolicy.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.CommonNameAttribute = "displayName"
trustPolicy.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.CustomClaimLdapAttributes.Add(claimsObj.CreateCustomClaimLdapAttribute(corpCustomPosition, "Title"))
' Configuring an ADAM Store
set AdamStore = trustPolicy.TrustedAccountStores.NewAdamAccountStore("urn:federation:adam", _
"ADAM Store", _
"adatumadam", _
"DC=adatum,DC=com", _
389, _
"userPrincipalName")
' ADAM LDAP Claims. Mapping corporate claims to ADAM store user
' account's attributes.
AdamStore.LdapClaimGeneration.UPNAttribute = "userPrincipalName"
AdamStore.LdapClaimGeneration.EmailAttribute = "mail"
AdamStore.LdapClaimGeneration.CommonNameAttribute = "displayName"
' ADAM Group Claims Population. This is tricky. Please read
' corresponding section in documentation to understand what is going
' on here. Too much to explain in the script.
AdamStore.LdapClaimGeneration.GroupLdapAttributes.Add(claimsObj.CreateGroupLdapAttribute(corpGrpFormSubmitter, _
"memberOf", _
"CN=ADAMTestGroup1,CN=Users,DC=adatum,DC=com"))
AdamStore.LdapClaimGeneration.GroupLdapAttributes.Add(claimsObj.CreateGroupLdapAttribute(corpGrpFormApprover, _
"memberOf", _
"CN=ADAMTestGroup2,CN=Users,DC=adatum,DC=com"))
AdamStore.LdapClaimGeneration.CustomClaimLdapAttributes.Add(claimsObj.CreateCustomClaimLdapAttribute(corpCustomPosition, "title"))
' Trusting Realms. Configuring a resource partner for this FS. A
' resource partner hosts web applications that the account partner's
' users can utilize.
' Resource partner consumes SAML tokens generated by the account
' partner.
set trustingRealmTrey = trustPolicy.NewTrustingRealm("urn:federation:trey research", _
"Trey Research", _
"https://TREYSTS/adfs/ls/")
' This instance is used to set a standard suffix for the UPN or the
' Email claim that is sent in a SAML token to the resource partner.
' The idea here is that your internal upn/email may be
' user1@ntdev.windows.stb.microsoft.com but when a SAML token is sent
' to the resource partner you want your upn/email to look like:
' user1@microsoft.com.
' Similarly here we are replacing suffix of both upn and email with
' "adatum.com".
set commonSuffixXform = CreateObject("System.Web.Security.SingleSignOn.NameSuffixTransform")
commonSuffixXform.Suffix = "adatum.com"
' Explicitly allowing corporate common name claim to be passed to the
' resource partner.
set commonCNXform = CreateObject("System.Web.Security.SingleSignOn.CommonNameClaimTransform")
commonCNXform.PassThroughCommonName = false
' Applying the suffix replacement rule to both UPN claim as well as
' Email claim.
trustingRealmTrey.ClaimTransformation.UpnSuffixTransformation = commonSuffixXform
trustingRealmTrey.ClaimTransformation.EmailSuffixTransformation = commonSuffixXform
trustingRealmTrey.ClaimTransformation.CommonNameClaimTransformation = commonCnXform
' Mapping corporate group claims to outgoing group claims. This means
' corporate group claim: Employee (defined above) will be named
' ClaimSubmitter in the SAML token that is sent to the resource
' partner.
' Similarly corporate group claim: Manager will be named as
' ClaimApprover in the SAML token that is sent to the resource partner.
trustingRealmTrey.ClaimTransformation.GroupTransformations.Add(claimsObj.CreateGroupClaimTransform(corpGrpFormSubmitter,"ClaimSubmitter"))
trustingRealmTrey.ClaimTransformation.GroupTransformations.Add(claimsObj.CreateGroupClaimTransform(corpGrpFormApprover, "ClaimApprover"))
' Mapping corporate custom claim to outgoing custom claim.
' This means corporate custom claim: Position (defined above) will be
' named ClaimApprover in the SAML token that is sent to the resource
' partner.
trustingRealmTrey.ClaimTransformation.CustomClaimTransformations.Add(claimsObj.CreateCustomClaimTransform(corpCustomPosition, "Occupation"))
' We are done with our configuration. Writing the trustpolicy file.
trustPolicy.Write(OutPath)
Configure a Resource Partner Federation Server
This script generates a Trust Policy file. It shows how to configure a resource partner Federation Server. Conventionally a resource partner has information for one or more account partners and one or more trusting web applications configured in it.
Throughout this script, the name "adatumsts" represents an account partner and the name "treysts" represents a resource partner.
This script takes the following parameters:
The path to this FS's token signing certificate. You will need to have this cert with private key in the Local Computer store for token signing to work.
The path of the LS client authentication certificate. This certificate is used by FS-Proxy to communicate with FS. This certificate need not be present in the certificate store of the FS computer.
The location (with the file name) where this trustpolicy file will be created. Give the complete path with the name of the file.
Option Explicit
Dim ArgObj, tokenSignCert, proxyCert, fsaTokenVerificationCert, OutPath
Set ArgObj=WScript.Arguments
If ArgObj.Count <> 4 Then
WScript.StdErr.WriteLine("Usage: resourcePartnerFS.vbs tokenSignCert proxyCert fsaTokenVerificationCert OutputFilePath")
WScript.Quit()
Else
tokenSignCert = ArgObj.Item(0)
proxyCert = ArgObj.Item(1)
fsaTokenVerificationCert = ArgObj.Item(2)
OutPath = ArgObj.Item(3)
End If
Dim trustPolicyObj ' Trust policy factory
Dim claimsObj ' Claim Factory
Dim trustPolicy ' TrustPolicy
Dim corpGrpFormSubmitter, corpGrpFormApprover ' Corporate Groups
Dim corpCustomPosition ' Corporate Custom Claims
Dim trustedRealmAdatum ' TrustedRealms
Dim app1,app2 ' TrustingApplications
Dim commonCNXform
' Create Objects/Factory
set trustPolicyObj = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")
set claimsObj = CreateObject("System.Web.Security.SingleSignOn.ClaimFactory")
' Create the TrustPolicy. This instance is used to configure the
' trustpolicy file.
set trustPolicy = trustPolicyObj.CreateNewTrustPolicy(True,CheckChainExcludeRoot) ' initialize certs
trustPolicy.CookiePath="/adfs/ls"
' Hosted realm attributes
' This is the FS's URI. All FS's (one or more in case of a farm
' scenario where many FS's share a trustpolicy file) using this
' trustpolicy file should have unique URI.
trustPolicy.TrustPolicyEntryUri = "urn:federation:trey research"
'This is Federation Service Endpoint URL.
trustPolicy.LsUrl = "https://TREYSTS/adfs/ls/"
' This is the certificate that will be used by this FS for verifying
' it's own cookies.
trustPolicy.VerificationMethod.AddNewTrustedCertificate(tokenSignCert)
' This is certificate that is used in SSL authentication when a
' FS-Proxy talks to this FS.
trustPolicy.AddLSClientCertificate(proxyCert)
' Define Corporate Groups. Please read documentation to understand the
' concept of corporate claims.
set corpGrpFormSubmitter = claimsObj.CreateGroup("Form Submitter")
trustPolicy.CorporateClaims.GroupClaims.Add(corpGrpFormSubmitter)
set corpGrpFormApprover = claimsObj.CreateGroup("Form Approver")
trustPolicy.CorporateClaims.GroupClaims.Add(corpGrpFormApprover)
' Define Corporate Custom Claims. A custom claim is a name-value pair
' entity.
set corpCustomPosition = claimsObj.CreateCustom("Profession")
trustPolicy.CorporateClaims.CustomClaims.Add(corpCustomPosition)
' Trusted Realms. This is configuration information for an account
' partner FS.
set trustedRealmAdatum = trustPolicy.NewTrustedRealm("urn:federation:adatum", _
"ADATUM", _
"https://ADATUMSTS/adfs/ls/", _
CheckChainExcludeRoot)
trustedRealmAdatum.VerificationMethod.AddNewTrustedCertificate(fsaTokenVerificationCert)
set commonCNXform = CreateObject("System.Web.Security.SingleSignOn.CommonNameClaimTransform")
commonCNXform.PassThroughCommonName = true
trustedRealmAdatum.ClaimTransformation.CommonNameClaimTransformation = commonCNXform
' FS will check that a UPN that comes in the SAML token from the
' account partner has this suffix. If the suffix does not match
' then the token will be rejected by the FS. However in case of
' successful Group-To-UPN mapping this rule will be ignored.
trustedRealmAdatum.ClaimTransformation.UpnSuffixValidationTransform.SuffixList.Add("adatum.com")
' Similarly if Email claim is the primary identity claim in the token
' and the email suffix does not match then FS will reject this token.
' However in case of successful Group-To-UPN mapping this rule will be
' ignored.
trustedRealmAdatum.ClaimTransformation.EmailSuffixValidationTransform.SuffixList.Add("adatum.com")
' Mapping incoming group claims to corporate group claims. Mapping
' group claim ClaimSubmitter (sent in the token by the account partner)
' to corporate group claim: Form Submitter
trustedRealmAdatum.ClaimTransformation.GroupTransformations.Add(claimsObj.CreateGroupClaimTransform(corpGrpFormSubmitter, "ClaimSubmitter"))
' Similarly mapping group claim ClaimApprover(sent in the token by the
' account partner) to corporate group claim: Form Approver.
trustedRealmAdatum.ClaimTransformation.GroupTransformations.Add(claimsObj.CreateGroupClaimTransform(corpGrpFormApprover, "ClaimApprover"))
' Mapping incoming custom claim to corporate custom claim. Mapping
' custom claim Occupation (sent in the token by the account partner)
' to corporate custom claim: Profession.
trustedRealmAdatum.ClaimTransformation.CustomClaimTransformations.Add(claimsObj.CreateCustomClaimTransform(corpCustomPosition, "Occupation"))
' Doing Group to UPN claim transformation. Please read documentation to
' understand the concept of Group-To-UPN transformation.
trustedRealmAdatum.ClaimTransformation.GroupToUpnClaimTransformations.Add(claimsObj.CreateGroupToUpnClaimTransform("ClaimApprover","approver@trey.com"))
trustedRealmAdatum.ClaimTransformation.GroupToUpnClaimTransformations.Add(claimsObj.CreateGroupToUpnClaimTransform("ClaimSubmitter","submitter@trey.com"))
'Configuring a claims aware trusting web application.
set app1 = trustPolicy.NewTrustingApplication("https://WebAppMachine/simpleapp/", "Sample Claims aware web application")
app1.IsWindowsRealm = false
' Here we specify which corporate claims are configured to be passed to
' this web app.
app1.ClaimTransformation.ClaimFilteringTransformation.AllowUpnClaim = true
app1.ClaimTransformation.ClaimFilteringTransformation.AllowEmailClaim = true
app1.ClaimTransformation.ClaimFilteringTransformation.AllowCommonNameClaim = true
app1.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(corpGrpFormSubmitter)
app1.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(corpGrpFormApprover)
app1.ClaimTransformation.ClaimFilteringTransformation.AllowedCustomClaimUuids.Add(corpCustomPosition)
'Configuring a traditional ASP web application.
set app2 = trustPolicy.NewTrustingApplication("https://WebAppMachine/nttokenapp/", "Sample NT token web application")
app2.IsWindowsRealm = true
app2.ClaimTransformation.ClaimFilteringTransformation.AllowUpnClaim = true
app2.ClaimTransformation.ClaimFilteringTransformation.AllowEmailClaim = true
app2.ClaimTransformation.ClaimFilteringTransformation.AllowCommonNameClaim = true
app2.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(corpGrpFormSubmitter)
app2.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(corpGrpFormApprover)
app2.ClaimTransformation.ClaimFilteringTransformation.AllowedCustomClaimUuids.Add(corpCustomPosition)
' We are done with our configuration. Writing the trustpolicy file.
trustPolicy.Write(OutPath)
Add ADAM Account Stores to a Trust Policy File
This script adds ADAM Account Stores to a Trust Policy file.
It takes the following parameters:
The Trust Policy file to modify.
The number of ADAM Account Stores to add.
The new Trust Policy file to create.
Dim args, urnname, dispname
Dim tpFactory, tpFile, tp, outFile
Dim port
Set args=WScript.Arguments
If args.Count <> 3 Then
WScript.Echo("This script adds ADAM Account Stores to a Trust Policy file.")
WScript.Echo("")
WScript.Echo("Parameters: {input file} {quantity} {output file}")
WScript.Quit()
Else
tpFile = args.Item(0)
qty = args.Item(1)
outFile = args.Item(2)
End If
' Create Objects/Factory
set tpFactory = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")
' Open the TrustPolicy
set tp = tpFactory.Load(tpFile, true) ' initialize certs
if (tp = null) Then
WScript.Echo("Error loading Trust Policy file")
WScript.Quit()
End If
' Create ADAM Account Stores
For i=1 To qty
urnname = "urn:federation:adam-" & i
dispname = "ADAM Store #" & i
port = 389 + i
set AdamStore = tp.TrustedAccountStores.NewAdamAccountStore( _
urnname, dispname, "adatumadam", "DC=adatum,DC=com", port, "userPrincipalName")
' ADAM LDAP Claims
AdamStore.LdapClaimGeneration.UPNAttribute = "userPrincipalName"
AdamStore.LdapClaimGeneration.EmailAttribute = "mail"
AdamStore.LdapClaimGeneration.CommonNameAttribute = "displayName"
Next
tp.Write(outFile)
Add Resource Partners to a Trust Policy File
This script adds resource partners to a Trust Policy file.
It takes the following parameters:
The Trust Policy file to modify.
The number of resource partners to add.
The new Trust Policy file to create.
Dim args, urnname, dispname, res
Dim tpFactory, tpFile, tp, outFile
Set args=WScript.Arguments
If args.Count <> 3 Then
WScript.Echo("This script adds Resource Partners to a Trust Policy file.")
WScript.Echo("")
WScript.Echo("Parameters: {input file} {quantity} {output file}")
WScript.Quit()
Else
tpFile = args.Item(0)
qty = args.Item(1)
outFile = args.Item(2)
End If
' Create Objects/Factory
set tpFactory = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")
' Open the TrustPolicy
set tp = tpFactory.Load(tpFile, true) ' initialize certs
if (tp = null) Then
WScript.Echo("Error loading Trust Policy file")
WScript.Quit()
End If
' Create Resource Partners
For i=0 To qty-1
urnname = "urn:federation:adfsstrs_rp_" & i
dispname = "Resource #" & i
set res = tp.NewTrustingRealm(urnname, dispname, "https://adfsstrs_rp_" & i & "/adfs/ls/ClientLogon.aspx")
' Resource Partner Claims
res.ClaimTransformation.UpnSuffixTransformation.Suffix = "adfsstrs_rp_" & i & ".com"
res.ClaimTransformation.EmailSuffixTransformation.Suffix = "adfsstrs_rp_" & i & ".com"
Next
tp.Write(outFile)
Modify Realm Cookie Lifetime
The following script modifies a Trust Policy file by changing the realm cookie lifetime that is written by the resource Federation Server to a persistent cookie.
It takes the following parameters:
The Trust Policy file to modify.
The new realm cookie lifetime in days.
' VBScript source code
Option Explicit
Dim tpf ' Trust policy factory
Dim tp ' TrustPolicy
Dim filename ' Trust policy filename
Dim lifetime ' Realm lifetime in days
Dim args
Set args=WScript.Arguments
if args.Count < 2 then
WScript.Echo("Must specify Trust Policy file and realm cookie lifetime in days")
WScript.Quit
end if
filename = args.Item(0)
lifetime = CInt(args.Item(1))
'
' Create factory
'
set tpf = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")
'
' Create the TrustPolicy
'
set tp = tpf.Load(filename, False) ' filename, don't initialize certs
'
' Hosted realm attributes
'
tp.RealmCookieLifetimeInDays = lifetime
tp.Write(filename)
WScript.Echo(filename & " has been updated for a realm cookie lifetime of " & lifetime & " days.")
Modify Revocation Check Settings
This script modifies a Trust Policy file by changing the revocation checking behavior used by ADFS to validate tokens. The revocation flags include:
How the FS validates its own tokens and how the web applications validate tokens issued by the FS-R (configured on this Federation Service)
How the FS-R validates tokens from each different FS-A (configured on the Account partner)
This script takes the following parameters:
The full path to the Trust Policy file.
The URI of the trust realm whose setting to change.
A revocation flag that must be one of the following:
None
CheckEndCert
CheckEndCertCacheOnly
CheckChain
CheckChainCacheOnly
CheckChainExcludeRoot
CheckChainExcludeRootCacheOnly
Option Explicit
Dim tpf ' Trust policy factory
Dim cf ' Claim Factory
Dim tpFileName ' Trust policy file name
Dim trUri ' TrustRealm Uri
Dim revFlagsStr ' RevocationFlags enum in string form
Dim tp ' TrustPolicy
Dim tr ' TrustedRealm
Dim revFlags' RevocationFlags enum
Dim found ' Did we find the realm in the Trust Policy?
'----------------------------------------
' Echo usage.
'----------------------------------------
Sub Usage()
WScript.StdErr.WriteLine("Usage:")
WScript.StdErr.WriteLine("TpCrlChk.vbs TrustPolicy.xml TrustRealmUri RevocationFlags")
WScript.Quit
End Sub
'----------------------------------------
' Fetch the RevocationFlags enum value.
'----------------------------------------
Function GetRevFlags(revFlagsStr)
If (revFlagsStr = "None") Then
GetRevFlags = 0
ElseIf (revFlagsStr = "CheckEndCert") Then
GetRevFlags = 1
ElseIf (revFlagsStr = "CheckEndCertCacheOnly") Then
GetRevFlags = 2
ElseIf (revFlagsStr = "CheckChain") Then
GetRevFlags = 3
ElseIf (revFlagsStr = "CheckChainCacheOnly") Then
GetRevFlags = 4
ElseIf (revFlagsStr = "CheckChainExcludeRoot") Then
GetRevFlags = 5
ElseIf (revFlagsStr = "CheckChainExcludeRootCacheOnly") Then
GetRevFlags = 6
Else
Call Usage()
End If
End Function
'----------------------------------------
' Get the parameters.
'----------------------------------------
Dim ArgObj
Set ArgObj = WScript.Arguments
If (ArgObj.Count < 3) Then
Call Usage()
End If
tpFileName = ArgObj.Item (0)
trUri = ArgObj.Item(1)
revFlags = GetRevFlags(ArgObj.Item(2))
'----------------------------------------
' Do the job.
'----------------------------------------
WScript.StdOut.WriteLine("Loading Trust Policy: " & tpFileName)
'
' Create factories
'
Set tpf = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")
Set cf = CreateObject("System.Web.Security.SingleSignOn.ClaimFactory")
'
' Load the TrustPolicy
'
Set tp = tpf.Load(tpFileName, 0) ' initialize certs = false
'
' Find the realm and set the revocation flags
'
found = 0
If (tp.TrustPolicyEntryUri = trUri) Then
'
' Hosted realm attributes
'
WScript.StdOut.WriteLine("Changing the setting for this Federation service: " & trUri)
found = 1
tp.VerificationMethod.RevocationCheckFlags = revFlags
Else
'
' Trusted Realms
'
For Each tr in tp.TrustedRealms
If (tr.TrustPolicyEntryUri = trUri) Then
WScript.StdOut.WriteLine("Changing the setting for this Account partner: " & trUri)
found = 1
tr.VerificationMethod.RevocationCheckFlags = revFlags
Exit For 'since the Uri is unique
End If
Next
If (found = 0) Then
WScript.StdErr.WriteLine("Error: " & trUri & " is neither this Federation Service nor an Account partner.")
WScript.Quit
End If
End If
'----------------------------------------
' Save the TrustPolicy
'----------------------------------------
WScript.StdOut.Write("Saving changed Trust Policy...")
tp.Write(tpFileName)
WScript.StdOut.WriteLine("Done.")