Use PowerShell to create ADFS relying party trusts and rules

Question

  • Does anyone have a PowerShell script that creates the relying party trust and all of the rules required for claims-based authentication and IFD setup in CRM 2011?

    Those 3 rules you have to go through, once each for internal and IFD access, are a major pain when you're doing them over and over again troubleshooting.

    Thanks!


    Blog: http://andrewbschultz.com @andrewbschultz

    Saturday, March 17, 2012 2:57 PM

Answers

  • Create a text file called ClaimIssuanceRules.txt (the filename doesn't matter, just name it anything descriptive you like); the content of the file is as follows:

    @RuleTemplate = "PassThroughClaims"
    @RuleName = "Pass Through UPN"
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
     => issue(claim = c);
    
    @RuleTemplate = "PassThroughClaims"
    @RuleName = "Pass Through Primary SID"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
     => issue(claim = c);
    
    @RuleTemplate = "MapClaims"
    @RuleName = "Transform Windows Account Name to Name"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

    Then run the following PowerShell command:

    # AD FS 2.0 (Windows Server 2008 R2): load the AD FS cmdlets into the session first
    Add-PSSnapin Microsoft.Adfs.PowerShell
    Add-ADFSRelyingPartyTrust -Name CRMTrust -MetadataUrl "https://YOURCRMServerURL/FederationMetadata/2007-06/FederationMetadata.xml" -IssuanceTransformRulesFile "C:\ClaimIssuanceRules.txt" -AutoUpdateEnabled:$true -MonitoringEnabled:$true

    In the above command you need to change the -Name parameter to the display name of the Relying Party Trust (this is the display name you will see in the ADFS interface). Change the host of the -MetadataUrl parameter to that of your CRM server. Change -IssuanceTransformRulesFile to the path of the file you created in the first step.


    http://sherifelmetainy.blogspot.com/


    Sunday, March 18, 2012 3:50 PM
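A fuller script for the same procedure, as an added example (not Sherif's code or a Microsoft sample): it writes the three rules above to the file the answer uses, creates one trust each for internal and IFD access as the question asks, adds the standard "Permit all" authorization rule, and reads back what AD FS stored. The contoso.com hostnames and the AD FS 2.0 snap-in are assumptions.

```powershell
# Added example, not the poster's script. Assumes AD FS 2.0 (Windows Server 2008 R2);
# the contoso.com hostnames are placeholders for your internal CRM and IFD auth URLs.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
# Write the same three rules the answer gives to the same path it uses.
$rulesPath = 'C:\ClaimIssuanceRules.txt'
@'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@ | Set-Content -Path $rulesPath -Encoding UTF8
# A trust with only transform rules has no authorization rule, and AD FS then
# denies every sign-in; the standard "Permit all" rule makes the trust usable.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# One relying party trust per endpoint: internal claims access and IFD.
$trusts = @{
  'CRM Internal' = 'https://internalcrm.contoso.com'   # placeholder host
  'CRM IFD'      = 'https://auth.contoso.com'          # placeholder host
}

foreach ($name in $trusts.Keys) {
  $metadata = "$($trusts[$name])/FederationMetadata/2007-06/FederationMetadata.xml"
  if (Get-ADFSRelyingPartyTrust -Name $name) {
    Remove-ADFSRelyingPartyTrust -TargetName $name     # rebuild cleanly while troubleshooting
  }
  Add-ADFSRelyingPartyTrust -Name $name -MetadataUrl $metadata `
    -IssuanceTransformRulesFile $rulesPath -IssuanceAuthorizationRules $permitAll `
    -AutoUpdateEnabled:$true -MonitoringEnabled:$true
  # Verify what AD FS actually stored: rule count, identifiers from metadata, monitoring.
  $rp = Get-ADFSRelyingPartyTrust -Name $name
  $ruleCount = [regex]::Matches($rp.IssuanceTransformRules, '@RuleTemplate').Count
  '{0}: {1} transform rule(s); identifiers: {2}; monitoring: {3}' -f `
    $name, $ruleCount, ($rp.Identifier -join ', '), $rp.MonitoringEnabled
}
```

Run it in an elevated PowerShell session on the AD FS server; each trust should report three transform rules and the identifiers AD FS pulled from the CRM federation metadata.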

All replies

  • Thanks Sherif! That's very helpful!

    Blog: http://andrewbschultz.com @andrewbschultz

    Thursday, March 22, 2012 7:09 PM
  • Hi Sherif,

    Where is the Command?

    Friday, August 17, 2012 12:22 PM