Project status (adfsdsc issue, CLOSED)

x-guardian commented on August 10, 2024
Project status

from adfsdsc.

Comments (8)

X-Guardian commented on August 10, 2024

Hi Greg, this DSC resource, like all the others, is community owned. I took over an older module, xAdfs, which was initially developed by jcwalker about 4 years ago but hadn't been touched much since. This module was pretty much started again from scratch, with my personal requirement being able to manage the install of a 2016/2019 ADFS farm along with ADFS Application Groups for OpenId Connect enabled applications and Web APIs.

I am actively developing it at the moment, and am hoping to publish an initial version to the PowerShell Gallery as soon as I have finished the AdfsWebApiApplication resource.

Once the module is reasonably stable, I will submit it to be maintained as one of the DscCommunity modules.

What type of Relying Parties would you be hoping to manage with it? WS-fed, SAML, OAuth or a mix?

The AdfsRelyingPartyTrust resource currently supports relying parties with remote metadata as well as manually configured WS-Fed, but manually configured SAML is not currently implemented. This requires a SamlEndpoint object that I haven't implemented yet which will need to use a CIM EmbeddedInstance class.

I'm happy to accept PRs and issues on the module. What's your experience writing DSC resources?

gengle commented on August 10, 2024

Thanks for clarifying. I questioned because I saw Microsoft references and the resource did not have the traditional 'x' prefix. My needs would be primarily on AD FS 2016 and soon 2019 with mostly WSFed/SAML. One thing that stood out was the Authorization Issuance Rules appeared to be using ADFS 2.0 standards as 2016 introduced Access Policies.

I have some experience developing custom resources but not a fan of the older schema.mof requirements. But I can be consistent and align with the approach you have currently.

I'll give AdfsRelyingPartyTrust a spin and let you know what I think - I should be able to submit a PR to address gaps relating to SAML endpoints too.

gengle commented on August 10, 2024

I also feel these have more value if supported with Invoke-DscResource as requiring LCM is often a deal breaker for some.

gengle commented on August 10, 2024

I can confirm that both IssuanceTransformationRules & IssuanceAuthorizationRules do not work on AD FS 2016. I'll see what I can do.

X-Guardian commented on August 10, 2024

The 'x' prefix is legacy and shouldn't be used with new resources. See HighQualityModuleGuidelines.

I use Invoke-DscResource for debugging the resources, so that shouldn't be a problem.

I'm surprised IssuanceTransformationRules and IssuanceAuthorizationRules don't work as they are just strings, so let me know what you find.

Yes, Access Control Policies need adding, both to the AdfsRelyingPartyTrust resource, and as a new resource themselves so custom policies can be created. Supporting what is available through the ADFS GUI should be reasonably easy, but fully supporting this may be very difficult. Do you use any complicated custom policies?

The other properties of the RelyingPartyTrust resource that haven't been implemented are EncryptionCertificate and RequestSigningCertificate. These need to be X509Certificate2 objects, so these would be challenging to implement. Do you need these?

X-Guardian commented on August 10, 2024

I've raised issue #2 for adding Access Control Policy support to the AdfsRelyingPartyTrust resource.

X-Guardian commented on August 10, 2024

I've raised issue #3 for adding SAML endpoint support to the AdfsRelyingPartyTrust resource.

X-Guardian commented on August 10, 2024

I'm closing this for now as we have had an official 1.0 release. If you have any problems with individual resources, please raise issues for them.
