Use PowerShell to create ADFS relying party trusts and rules

Question
-
Does anyone have a PowerShell script that creates the relying party trust and all of the rules required for claims-based authentication and IFD setup in CRM 2011?
Those 3 rules you have to go through, once each for internal and IFD access, are a major pain when you're doing them over and over again troubleshooting.
Thanks!
Blog: http://andrewbschultz.com @andrewbschultz
Saturday, March 17, 2012 2:57 PM
Answers
-
Create a text file called ClaimIssuanceRules.txt (the filename doesn't matter, just name it anything descriptive you like); the content of the file is as follows:
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
Then run the following PowerShell command
Add-ADFSRelyingPartyTrust -Name CRMTrust -MetadataUrl "https://YOURCRMServerURL/FederationMetadata/2007-06/FederationMetadata.xml" -IssuanceTransformRulesFile "C:\ClaimIssuanceRules.txt" -AutoUpdateEnabled:$true -MonitoringEnabled:$true
In the above command you need to change the name parameter to the Display name of the Relying Party Trust (this is the Display name you will see in ADFS interface). Change the Host of the MetadataUrl parameter to that of your CRM server. Change the -IssuanceTransformRulesFile to the path of the file you created in the first step.
http://sherifelmetainy.blogspot.com/
- Edited by Sherif Elmetainy Sunday, March 18, 2012 4:40 PM
- Marked as answer by Andrew B Schultz Thursday, March 22, 2012 7:08 PM
Sunday, March 18, 2012 3:50 PM
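The answer's two steps wrapped into a reusable function, as an added example that is not from the thread: it writes the rules file, creates (or, for repeated troubleshooting runs, recreates) one trust per metadata URL so the internal and IFD trusts the question mentions come from the same call, adds an issuance authorization rule (the answer's command sets none, and a trust with no authorization rules permits nobody), and reads the trust back to confirm the three transform rules were applied. The hostnames and the "CRM Internal"/"CRM IFD" names are placeholders.

```powershell
# Added example (not from the thread). Assumes the ADFS 2.0 snap-in is available
# and the session runs as an ADFS administrator. Hostnames are placeholders.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$RulesFile = Join-Path $env:TEMP "ClaimIssuanceRules.txt"
@'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@ | Set-Content -Path $RulesFile -Encoding ASCII

# A trust with no issuance authorization rule permits nobody. This is the standard
# "permit all users" rule; narrow it to a group claim if your policy requires.
$PermitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

function New-CrmTrust {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,
        [Parameter(Mandatory=$true)] [string] $MetadataUrl
    )
    # Recreate on repeat runs so each troubleshooting pass starts from a clean trust.
    if (Get-AdfsRelyingPartyTrust -Name $Name -ErrorAction SilentlyContinue) {
        Remove-AdfsRelyingPartyTrust -TargetName $Name
    }
    Add-AdfsRelyingPartyTrust -Name $Name -MetadataUrl $MetadataUrl `
        -IssuanceTransformRulesFile $RulesFile `
        -IssuanceAuthorizationRules $PermitAll `
        -AutoUpdateEnabled:$true -MonitoringEnabled:$true
    # Read the trust back and confirm all three transform rules landed.
    $trust = Get-AdfsRelyingPartyTrust -Name $Name
    $ruleCount = ([regex]::Matches($trust.IssuanceTransformRules, '@RuleName')).Count
    if ($ruleCount -ne 3) { throw "$Name has $ruleCount transform rules, expected 3" }
    $trust | Select-Object Name, Identifier, Enabled, MetadataUrl
}

# Internal and IFD endpoints each need their own trust (placeholder hostnames).
New-CrmTrust -Name "CRM Internal" -MetadataUrl "https://internalcrm.example.com/FederationMetadata/2007-06/FederationMetadata.xml"
New-CrmTrust -Name "CRM IFD"      -MetadataUrl "https://auth.example.com/FederationMetadata/2007-06/FederationMetadata.xml"
```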
All replies
-
Thanks Sherif! That's very helpful!
Blog: http://andrewbschultz.com @andrewbschultz
Thursday, March 22, 2012 7:09 PM -
Hi Sherif,
Where is the Command?
Friday, August 17, 2012 12:22 PM