
Comments (4)

X-Guardian avatar X-Guardian commented on September 14, 2024

Hi @CNBoland, yes there is, using an array of CIMInstance objects. You can see an example of this in the AdfsWebApiApplication unit tests: https://github.com/X-Guardian/AdfsDsc/blob/master/Tests/Unit/MSFT_AdfsWebApiApplication.Tests.ps1

from adfsdsc.

CNBoland avatar CNBoland commented on September 14, 2024

Thank you, @X-Guardian. I tried that approach from the test project. This is what my code looks like:

$ClaimSet_Primary_Claims = [CIMInstance[]]@(
    New-CimInstance `
        -ClassName MSFT_AdfsIssuanceTransformRule `
        -Namespace root/microsoft/Windows/DesiredStateConfiguration `
        -ClientOnly `
        -Property @{
            TemplateName = 'CustomClaims'
            Name         = 'Token-Groups - Unqualified Names => Role'
            CustomRule   = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
                              => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);'}
    );

AdfsWebApiApplication APAGoService2
{
    . . .
    IssuanceTransformRules        = $ClaimSet_Primary_Claims
    . . .
}

and receive the following error when generating the .mof:

Compilation errors occurred while processing configuration 'APAGo_AppGroup'. Please review the errors 
reported in error stream and modify your configuration code appropriately.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3917 char:5
+     throw $ErrorRecord
+     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (APAGo_AppGroup:String) [], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessConfiguration

The localhost.mof.error contains this relevant content:

...
 IssuanceTransformRules = {
    "MSFT_AdfsIssuanceTransformRule"
};
...

However, when I use inline MSFT_AdfsIssuanceTransformRule:

AdfsWebApiApplication APAGoService2
{
    . . .
    IssuanceTransformRules        = @(
        MSFT_AdfsIssuanceTransformRule
        {
            TemplateName = 'CustomClaims'
            Name         = 'Token-Groups - Unqualified Names => Role'
            CustomRule   = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
                            => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);'
        }
    )
    . . .
}

the localhost.mof file generates successfully and contains this relevant content:

...
instance of MSFT_AdfsIssuanceTransformRule as $MSFT_AdfsIssuanceTransformRule1ref
{
CustomRule = "c:[Type == \"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname\", Issuer == \"AD AUTHORITY\"]\n                                        => issue(store = \"Active Directory\", types = (\"http://schemas.microsoft.com/ws/2008/06/identity/claims/role\"), query = \";tokenGroups;{0}\", param = c.Value);";
 Name = "Token-Groups - Unqualified Names => Role";
 TemplateName = "CustomClaims";

};
...
 IssuanceTransformRules = {
    $MSFT_AdfsIssuanceTransformRule1ref
};
...

Could it be that an array of CIMInstance is incompatible with the AdfsWebApiApplication.IssuanceTransformRules property?


X-Guardian avatar X-Guardian commented on September 14, 2024

For future reference, this can be achieved using the following pattern:

#Requires -module AdfsDsc

<#
    .DESCRIPTION
        This configuration will add a Web API application role to an application in Active Directory Federation
        Services (AD FS).
#>

$ConfigurationData = @{
    AllNodes       = @(
        @{
            Nodename = "localhost"
        }
    )

    TransformRules = @(
        @{
            TemplateName = 'LdapClaims'
            Name         = 'App1 Ldap Claims'
            LdapClaims   = @(
                @{
                    LdapAttribute     = 'mail'
                    OutgoingClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
                }
                @{
                    LdapAttribute     = 'sn'
                    OutgoingClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
                }
            )
        }
    )
}

Configuration AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config
{
    param()

    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        AdfsApplicationGroup AppGroup1 {
            Name        = 'AppGroup1'
            Description = "This is the AppGroup1 Description"
        }

        $issuanceTransformRules = @()
        foreach ($transformRule in $ConfigurationData.TransformRules) {
            $ldapMapping = @()
            foreach ($ldapClaim in $transformRule.LdapClaims) {
                $ldapMapping += MSFT_AdfsLdapMapping {
                    LdapAttribute     = $ldapClaim.LdapAttribute
                    OutgoingClaimType = $ldapClaim.OutgoingClaimType
                }
            }

            $issuanceTransformRules += MSFT_AdfsIssuanceTransformRule {
                TemplateName   = $transformRule.TemplateName
                Name           = $transformRule.Name
                AttributeStore = 'Active Directory'
                LdapMapping    = $ldapMapping
            }
        }
    
        AdfsWebApiApplication WebApiApp1 {
            Name                          = 'AppGroup1 - App1 Web API'
            ApplicationGroupIdentifier    = 'AppGroup1'
            Identifier                    = 'e7bfb303-c5f6-4028-a360-b6293d41338c'
            Description                   = 'App1 Web Api'
            AccessControlPolicyName       = 'Permit everyone'
            AlwaysRequireAuthentication   = $false
            AllowedClientTypes            = 'Public', 'Confidential'
            IssueOAuthRefreshTokensTo     = 'AllDevices'
            NotBeforeSkew                 = 0
            RefreshTokenProtectionEnabled = $true
            RequestMFAFromClaimsProviders = $false
            TokenLifetime                 = 0
            IssuanceTransformRules        = $issuanceTransformRules
        }

        AdfsWebApiApplication WebApiApp2 {
            Name                          = 'AppGroup1 - App2 Web API'
            ApplicationGroupIdentifier    = 'AppGroup1'
            Identifier                    = '809ec660-e89f-4ea6-8492-5e72df0dee9a'
            Description                   = 'App2 Web Api'
            AccessControlPolicyName       = 'Permit everyone'
            AlwaysRequireAuthentication   = $false
            AllowedClientTypes            = 'Public', 'Confidential'
            IssueOAuthRefreshTokensTo     = 'AllDevices'
            NotBeforeSkew                 = 0
            RefreshTokenProtectionEnabled = $true
            RequestMFAFromClaimsProviders = $false
            TokenLifetime                 = 0
            IssuanceTransformRules        = $issuanceTransformRules
        }
    }
}

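Bringing the two halves of the thread together as an added example (not AdfsDsc project code): the CustomClaims rule from the question and an LdapClaims rule are both kept as configuration data and turned into MSFT_AdfsIssuanceTransformRule instances inside the Node block, where the DSC parser knows the MSFT_* class keywords, instead of via New-CimInstance -ClientOnly outside the configuration. The application name and Identifier GUID are placeholders, and the application group AppGroup1 is assumed to exist already.

```powershell
# Added example (not AdfsDsc project code): rule data for both template shapes in the thread.
$ConfigurationData = @{
    AllNodes       = @( @{ NodeName = 'localhost' } )
    TransformRules = @(
        @{
            TemplateName = 'CustomClaims'
            Name         = 'Token-Groups - Unqualified Names => Role'
            CustomRule   = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);'
        }
        @{ TemplateName = 'LdapClaims'; Name = 'App1 Ldap Claims'; LdapClaims = @( @{ LdapAttribute = 'mail'; OutgoingClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' } ) }
    )
}
Configuration AdfsWebApiApplication_MixedRules_Config
{
    Import-DscResource -ModuleName AdfsDsc
    Node localhost
    {
        $issuanceTransformRules = @()   # built inside the Node block, where the MSFT_* keywords exist
        foreach ($rule in $ConfigurationData.TransformRules) {
            if ($rule.TemplateName -eq 'CustomClaims') {
                $issuanceTransformRules += MSFT_AdfsIssuanceTransformRule {
                    TemplateName = $rule.TemplateName
                    Name         = $rule.Name
                    CustomRule   = $rule.CustomRule
                }
            }
            else {
                $ldapMapping = @()
                foreach ($claim in $rule.LdapClaims) {
                    $ldapMapping += MSFT_AdfsLdapMapping {
                        LdapAttribute     = $claim.LdapAttribute
                        OutgoingClaimType = $claim.OutgoingClaimType
                    }
                }
                $issuanceTransformRules += MSFT_AdfsIssuanceTransformRule {
                    TemplateName   = $rule.TemplateName
                    Name           = $rule.Name
                    AttributeStore = 'Active Directory'
                    LdapMapping    = $ldapMapping
                }
            }
        }
        AdfsWebApiApplication WebApiApp1 {
            Name                       = 'AppGroup1 - App1 Web API'
            ApplicationGroupIdentifier = 'AppGroup1'   # assumed to exist already
            Identifier                 = '00000000-0000-0000-0000-000000000000'   # placeholder
            IssuanceTransformRules     = $issuanceTransformRules
        }
    }
}
```

Compile with `AdfsWebApiApplication_MixedRules_Config -ConfigurationData $ConfigurationData` and check that the generated localhost.mof contains `instance of MSFT_AdfsIssuanceTransformRule` blocks rather than the bare class-name string seen in the failing .mof.error above.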

CNBoland avatar CNBoland commented on September 14, 2024

Excellent! Thank you, @X-Guardian!
