Comments (4)
Hi @CNBoland, yes there is, using an array of CIMInstance objects. You can see an example of this in the AdfsWebApiApplication unit tests: https://github.com/X-Guardian/AdfsDsc/blob/master/Tests/Unit/MSFT_AdfsWebApiApplication.Tests.ps1
from adfsdsc.
Thank you, @X-Guardian. I tried that approach from the test project. This is what my code looks like:
$ClaimSet_Primary_Claims = [CIMInstance[]]@(
    New-CimInstance `
        -ClassName MSFT_AdfsIssuanceTransformRule `
        -Namespace root/microsoft/Windows/DesiredStateConfiguration `
        -ClientOnly `
        -Property @{
            TemplateName = 'CustomClaims'
            Name         = 'Token-Groups - Unqualified Names => Role'
            CustomRule   = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);'
        }
);

AdfsWebApiApplication APAGoService2
{
    . . .
    IssuanceTransformRules = $ClaimSet_Primary_Claims
    . . .
}
and receive the following error when generating the .mof:
Compilation errors occurred while processing configuration 'APAGo_AppGroup'. Please review the errors
reported in error stream and modify your configuration code appropriately.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3917 char:5
+     throw $ErrorRecord
+     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (APAGo_AppGroup:String) [], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessConfiguration
The localhost.mof.error contains this relevant content:
...
IssuanceTransformRules = {
    "MSFT_AdfsIssuanceTransformRule"
};
...
However, when I use inline MSFT_AdfsIssuanceTransformRule:
AdfsWebApiApplication APAGoService2
{
    . . .
    IssuanceTransformRules = @(
        MSFT_AdfsIssuanceTransformRule
        {
            TemplateName = 'CustomClaims'
            Name         = 'Token-Groups - Unqualified Names => Role'
            CustomRule   = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);'
        }
    )
    . . .
}
the localhost.mof file generates successfully and contains this relevant content:
...
instance of MSFT_AdfsIssuanceTransformRule as $MSFT_AdfsIssuanceTransformRule1ref
{
    CustomRule = "c:[Type == \"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname\", Issuer == \"AD AUTHORITY\"]\n => issue(store = \"Active Directory\", types = (\"http://schemas.microsoft.com/ws/2008/06/identity/claims/role\"), query = \";tokenGroups;{0}\", param = c.Value);";
    Name = "Token-Groups - Unqualified Names => Role";
    TemplateName = "CustomClaims";
};
...
IssuanceTransformRules = {
    $MSFT_AdfsIssuanceTransformRule1ref
};
...
Could it be that an array of CIMInstance is incompatible with the AdfsWebApiApplication.IssuanceTransformRules property?
For future reference, this can be achieved using the following pattern:
#Requires -module AdfsDsc

<#
    .DESCRIPTION
        This configuration will add a Web API application role to an application in Active Directory Federation
        Services (AD FS).
#>

$ConfigurationData = @{
    AllNodes = @(
        @{
            Nodename = "localhost"
        }
    )
    TransformRules = @(
        @{
            TemplateName = 'LdapClaims'
            Name         = 'App1 Ldap Claims'
            LdapClaims   = @(
                @{
                    LdapAttribute     = 'mail'
                    OutgoingClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
                }
                @{
                    LdapAttribute     = 'sn'
                    OutgoingClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
                }
            )
        }
    )
}

Configuration AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config
{
    param()

    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        AdfsApplicationGroup AppGroup1 {
            Name        = 'AppGroup1'
            Description = "This is the AppGroup1 Description"
        }

        # Build the MSFT_AdfsIssuanceTransformRule instances inside the Node block
        # so the MOF compiler emits instance references for them.
        $issuanceTransformRules = @()
        foreach ($transformRule in $ConfigurationData.TransformRules) {
            $ldapMapping = @()
            foreach ($ldapClaim in $transformRule.LdapClaims) {
                $ldapMapping += MSFT_AdfsLdapMapping {
                    LdapAttribute     = $ldapClaim.LdapAttribute
                    OutgoingClaimType = $ldapClaim.OutgoingClaimType
                }
            }
            $issuanceTransformRules += MSFT_AdfsIssuanceTransformRule {
                TemplateName   = $transformRule.TemplateName
                Name           = $transformRule.Name
                AttributeStore = 'Active Directory'
                LdapMapping    = $ldapMapping
            }
        }

        AdfsWebApiApplication WebApiApp1 {
            Name                          = 'AppGroup1 - App1 Web API'
            ApplicationGroupIdentifier    = 'AppGroup1'
            Identifier                    = 'e7bfb303-c5f6-4028-a360-b6293d41338c'
            Description                   = 'App1 Web Api'
            AccessControlPolicyName       = 'Permit everyone'
            AlwaysRequireAuthentication   = $false
            AllowedClientTypes            = 'Public', 'Confidential'
            IssueOAuthRefreshTokensTo     = 'AllDevices'
            NotBeforeSkew                 = 0
            RefreshTokenProtectionEnabled = $true
            RequestMFAFromClaimsProviders = $false
            TokenLifetime                 = 0
            IssuanceTransformRules        = $issuanceTransformRules
        }

        AdfsWebApiApplication WebApiApp2 {
            Name                          = 'AppGroup1 - App2 Web API'
            ApplicationGroupIdentifier    = 'AppGroup1'
            Identifier                    = '809ec660-e89f-4ea6-8492-5e72df0dee9a'
            Description                   = 'App2 Web Api'
            AccessControlPolicyName       = 'Permit everyone'
            AlwaysRequireAuthentication   = $false
            AllowedClientTypes            = 'Public', 'Confidential'
            IssueOAuthRefreshTokensTo     = 'AllDevices'
            NotBeforeSkew                 = 0
            RefreshTokenProtectionEnabled = $true
            RequestMFAFromClaimsProviders = $false
            TokenLifetime                 = 0
            IssuanceTransformRules        = $issuanceTransformRules
        }
    }
}
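The same pattern applied to the CustomClaims rule from the original question, as an added example that is not part of the thread or of the AdfsDsc project; it builds the rule instances inside the Node block (rather than a pre-built [CIMInstance[]]) and then compiles the MOF and checks that it carries an instance reference instead of a bare class name. The configuration name, application group, identifier and output path are assumed placeholders.

```powershell
#Requires -module AdfsDsc

# Added example (not from the thread): CustomClaims rules supplied via ConfigurationData.
# Placeholders: the application group, identifier and output path are constructed values.
$ConfigurationData = @{
    AllNodes    = @( @{ NodeName = 'localhost' } )
    CustomRules = @(
        @{
            Name       = 'Token-Groups - Unqualified Names => Role'
            CustomRule = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);'
        }
    )
}

Configuration AdfsWebApiApplication_CustomClaims_Config
{
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        # Create each MSFT_AdfsIssuanceTransformRule inside the configuration so the
        # MOF compiler emits "instance of ... as $...ref" entries for the property.
        $issuanceTransformRules = @()
        foreach ($rule in $ConfigurationData.CustomRules) {
            $issuanceTransformRules += MSFT_AdfsIssuanceTransformRule {
                TemplateName = 'CustomClaims'
                Name         = $rule.Name
                CustomRule   = $rule.CustomRule
            }
        }

        AdfsWebApiApplication APAGoService2 {
            Name                       = 'AppGroup1 - APAGo Web API'    # assumed
            ApplicationGroupIdentifier = 'AppGroup1'                    # assumed
            Identifier                 = 'PLACEHOLDER-APP-IDENTIFIER'   # placeholder
            IssuanceTransformRules     = $issuanceTransformRules
        }
    }
}

# Compile the MOF, then confirm the rule appears as an instance reference
# rather than as the bare string "MSFT_AdfsIssuanceTransformRule".
$mof = AdfsWebApiApplication_CustomClaims_Config `
    -ConfigurationData $ConfigurationData `
    -OutputPath (Join-Path $env:TEMP 'AdfsCustomClaims')
Select-String -Path $mof.FullName -Pattern 'instance of MSFT_AdfsIssuanceTransformRule|IssuanceTransformRules'
```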
Excellent! Thank you, @X-Guardian!