At one of my clients we have multiple ADFS instances, one for testing purposes and one for production usage. The information on both servers is almost the same, only the endpoints for each relying party are different.
Before we typically copied information from one server to another manually, typing over all the information. Of course this is a a cumbersome and error-prone process. I decided to simplify and automate this process with the help of some Powershell.
The good news was that the hard work was already done for me, as Brad Held already created a script for exactly that purpose:
PowerShell Gallery | Copy-RelyingPartyTrust 1.1
Here is how to use this script:
Copy-RelyingPartyTrust.ps1 -sourceRPID testing:saml:com -path C:\Folder -filename SamlTest.json -import false
As I found the script a little bit confusing I took the freedom to adapt the code and split it out in 2 separate scripts.
Here is the export script:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .DESCRIPTION | |
| Exports a Relying Party Trust from ADFS farm. | |
| -Example Export: export.ps1 -rpName localhost test | |
| Note: Based on configuration of RP may create 3-4 files - all files need to be moved to the new farm | |
| #> | |
| Param([Parameter(Mandatory = $true)] | |
| [String] | |
| $rpName | |
| ) | |
| #Backup Target RP | |
| function Export-RelyingParty { | |
| $rp = Get-AdfsRelyingPartyTrust | Where-Object { $_.Name -eq $rpName } | |
| $folder = ".\$rpName\"; | |
| if (-not (Test-Path -Path $folder)) { | |
| New-Item -Path $folder -ItemType Directory; | |
| Write-Output "Folder Created Successfully!"; | |
| } else { | |
| Write-Output "Folder already exists!"; | |
| } | |
| $currentPath = Resolve-Path -Path $folder; | |
| $filenameJSON = "$currentPath\relyingparty.json"; | |
| $rp | ConvertTo-Json | out-file $filenameJSON; | |
| Write-Host = "Completed exporting Relying PartyTrust: $filenameJSON"; | |
| Backup-IssuanceTransformRules; | |
| Backup-IssuanceAuthorizationRules; | |
| Backup-AdditionalAuthenticationRules; | |
| return $rp | |
| } | |
| #Backup Claim Issuance rules | |
| function Backup-IssuanceTransformRules { | |
| $issuanceRules = "$currentPath\IssuanceRules.txt"; | |
| $claims = $rp | Select-Object IssuanceTransformRules; | |
| # Handle spaces in the path | |
| $stream = New-Object System.IO.StreamWriter("$issuanceRules") | |
| foreach($claim in $claims.IssuanceTransformRules) { | |
| $stream.WriteLine($claim); | |
| } | |
| $stream.close(); | |
| Write-Host = "Backup file with claim rules created: $issuanceRules"; | |
| return | |
| } | |
| #Backup Issuance Authorization Rules | |
| function Backup-IssuanceAuthorizationRules { | |
| $authRules = "$currentPath\AuthorizationRules.txt"; | |
| $auths = $rp | Select-Object IssuanceAuthorizationRules; | |
| if ($auths -ne "" -and $null -ne $auths){ | |
| # Handle spaces in the path | |
| $stream = New-Object System.IO.StreamWriter("$authRules") | |
| foreach($auth in $auths.IssuanceAuthorizationRules) { | |
| $stream.WriteLine($auth); | |
| } | |
| $stream.close(); | |
| Write-Host = "Backup file with authorization rules created: $authRules"; | |
| } | |
| return | |
| } | |
| #Backup Additional Authentication Rules | |
| function Backup-AdditionalAuthenticationRules { | |
| $addRules = "$currentPath\AdditionalAuthenticationRules.txt"; | |
| $adds = $rp | Select-Object AdditionalAuthenticationRules; | |
| $boolHasValue = $false; | |
| foreach ($add in $adds.AdditionalAuthenticationRules){ | |
| if ($add -ne "" -and $null -ne $add){ | |
| $boolHasValue = $true; | |
| } | |
| } | |
| if ($boolHasValue){ | |
| # Handle spaces in the path | |
| $stream = New-Object System.IO.StreamWriter("$addRules") | |
| foreach($add in $adds.AdditionalAuthenticationRules) { | |
| $stream.WriteLine($add); | |
| } | |
| $stream.close(); | |
| Write-Host = "Backup file with AdditionalAuthenticationRules rules created: $addRules"; | |
| } | |
| return | |
| } | |
| Export-RelyingParty; | |
You can use this script like this:
export.ps1 -rpName ExampleApp Development
This will create a new ExampleApp folder with following files
- relyingparty.json: Contains all relying party data in JSON format
- AuthorizationRules.txt: contains the list of configured authorization rules
- IssuanceRules.txt: contains the list of configured claims transformation rules
- AdditionalAuthenticationrules.txt: contains any additional configured rules
And here is the import script:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .DESCRIPTION | |
| Imports a Relying Party Trust into an ADFS farm. | |
| Example Import: Import.ps1 -targetRPID http://localhost/mvp/ -targetName "mvp localhost" -path C:\mvp\ | |
| #> | |
| Param([Parameter(Mandatory = $true)] | |
| [String] | |
| $targetRPID, | |
| [Parameter(Mandatory = $true)] | |
| [String] | |
| $targetName, | |
| [Parameter(Mandatory = $true)] | |
| [String] | |
| $path | |
| ) | |
| function import-RP { | |
| #Using Hashtable to collect all of the parameters and then splat them into add-adfsrelyingpartytrust | |
| $hashTable = @{}; | |
| $rawRP = Get-Content -Path "$path\relyingparty.json" | ConvertFrom-Json; | |
| #$issueruleset = New-AdfsClaimRuleSet -ClaimRuleFile "$path\Claims-$filename"; | |
| $hashTable.add("Name", $targetName); | |
| $hashTable.add("Identifier", $targetRPID); | |
| #$hashTable.add("IssuanceTransformRulesFile", $issueruleset); | |
| #boolean values | |
| $hashTable.add("EncryptClaims", [System.Convert]::ToBoolean($rawRP.EncryptClaims)); | |
| $hashTable.add("Enabled", [System.Convert]::ToBoolean($rawRP.Enabled)); | |
| $hashTable.add("AutoUpdateEnabled", [System.Convert]::ToBoolean($rawRP.AutoUpdateEnabled)); | |
| $hashTable.add("EncryptedNameIdRequired", [System.Convert]::ToBoolean($rawRP.EncryptedNameIdRequired)); | |
| $hashTable.add("SignedSamlRequestsRequired", [System.Convert]::ToBoolean($rawRP.SignedSamlRequestsRequired)); | |
| $hashTable.add("AlwaysRequireAuthentication", [System.Convert]::ToBoolean($rawRP.AlwaysRequireAuthentication)); | |
| $hashTable.add("RequestMFAFromClaimsProviders", [System.Convert]::ToBoolean($rawRP.RequestMFAFromClaimsProviders)); | |
| $hashTable.add("EnableJWT", [System.Convert]::ToBoolean($rawRP.EnableJWT)); | |
| $hashTable.add("RefreshTokenProtectionEnabled", [System.Convert]::ToBoolean($rawRP.RefreshTokenProtectionEnabled)); | |
| $hashTable.add("MonitoringEnabled", [System.Convert]::ToBoolean($rawRP.MonitoringEnabled)); | |
| #certificate values | |
| #Encryption Certificate - There can only be one | |
| if ($rawRP.EncryptionCertificate -ne "" -and $rawRP.EncryptionCertificate -ne $null){ | |
| $enc = [System.Security.Cryptography.X509Certificates.X509Certificate2]([System.Convert]::FromBase64String([System.Convert]::ToBase64String($rawRP.EncryptionCertificate.RawData))) | |
| $hashTable.add("EncryptionCertificate", $enc); | |
| } | |
| #Signing Certificates - There may be more that one configured | |
| if ($rawRP.RequestSigningCertificate -ne "" -and $rawRP.RequestSigningCertificate -ne $null){ | |
| $i = 0; | |
| foreach ($signingCert in $rawRP.RequestSigningCertificate) { | |
| $tmpString = $signingCert.RawData; | |
| [byte[]]$tmpBytes = @($tmpString.Split(" ")); | |
| if ($i -eq 0) { | |
| $tmpCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]([System.Convert]::FromBase64String([System.Convert]::ToBase64String($tmpBytes))) | |
| $certs = @($tmpCert); | |
| $i += 1; | |
| }else { | |
| $tmpCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]([System.Convert]::FromBase64String([System.Convert]::ToBase64String($tmpBytes))) | |
| $certs += $tmpCert; | |
| $i += 1; | |
| } | |
| } | |
| $hashTable.add("RequestSigningCertificate", $certs); | |
| } | |
| #uris | |
| if ($rawRP.WSFedEndPoint -ne "" -and $rawRP.WSFedEndPoint -ne $null){ | |
| $hashTable.add("WSFedEndPoint", [System.Uri]$rawRP.WSFedEndPoint); | |
| } | |
| #text/misc values | |
| if ($rawRP.Notes -ne "" -and $rawRP.Notes -ne $null){ | |
| $hashTable.add("Notes", $rawRP.Notes); | |
| } | |
| else { | |
| $dt = Get-Date; | |
| $hashTable.add("Notes", $dt); | |
| } | |
| if ($rawRP.ClaimAccepted -ne "" -and $rawRP.ClaimAccepted -ne $null){ | |
| $hashTable.add("ClaimAccepted", $rawRP.ClaimAccepted); | |
| } | |
| if ($rawRP.TokenLifetime -ne "" -and $rawRP.TokenLifetime -ne $null){ | |
| $hashTable.add("TokenLifetime", $rawRP.TokenLifetime); | |
| } | |
| if ($rawRP.NotBeforeSkew -ne "" -and $rawRP.NotBeforeSkew -ne $null){ | |
| $hashTable.add("NotBeforeSkew", $rawRP.NotBeforeSkew); | |
| } | |
| if ($rawRP.ProtocolProfile -ne "" -and $rawRP.ProtocolProfile -ne $null){ | |
| $hashTable.add("ProtocolProfile", $rawRP.ProtocolProfile); | |
| } | |
| if ($rawRP.SignatureAlgorithm -ne "" -and $rawRP.SignatureAlgorithm -ne $null){ | |
| $hashTable.add("SignatureAlgorithm", $rawRP.SignatureAlgorithm); | |
| } | |
| if ($rawRP.SamlResponseSignature -ne "" -and $rawRP.SamlResponseSignature -ne $null){ | |
| $hashTable.add("SamlResponseSignature", $rawRP.SamlResponseSignature); | |
| } | |
| if ($rawRP.AllowedClientTypes -ne "" -and $rawRP.AllowedClientTypes -ne $null){ | |
| $hashTable.add("AllowedClientTypes", $rawRP.AllowedClientTypes); | |
| } | |
| if ($rawRP.IssueOAuthRefreshTokensTo -ne "" -and $rawRP.IssueOAuthRefreshTokensTo -ne $null){ | |
| $hashTable.add("IssueOAuthRefreshTokensTo", $rawRP.IssueOAuthRefreshTokensTo); | |
| } | |
| if ($rawRP.AdditionalWSFedEndpoint -ne "" -and $rawRP.AdditionalWSFedEndpoint -ne $null){ | |
| $hashTable.add("AdditionalWSFedEndpoint", $rawRP.AdditionalWSFedEndpoint); | |
| } | |
| if ($rawRP.AllowedAuthenticationClassReferences -ne "" -and $rawRP.AllowedAuthenticationClassReferences -ne $null){ | |
| $hashTable.add("AllowedAuthenticationClassReferences", $rawRP.AllowedAuthenticationClassReferences); | |
| } | |
| switch ($rawRP.SigningCertificateRevocationCheck){ | |
| 0 { | |
| $hashTable.add("SigningCertificateRevocationCheck", 'None'); | |
| } | |
| 1 { | |
| $hashTable.add("SigningCertificateRevocationCheck", 'CheckEndCert'); | |
| } | |
| 2 { | |
| $hashTable.add("SigningCertificateRevocationCheck", 'CheckEndCertCacheOnly'); | |
| } | |
| 3 { | |
| $hashTable.add("SigningCertificateRevocationCheck", 'CheckChain'); | |
| } | |
| 4 { | |
| $hashTable.add("SigningCertificateRevocationCheck", 'CheckChainCacheOnly'); | |
| } | |
| 5 { | |
| $hashTable.add("SigningCertificateRevocationCheck", 'CheckChainExcludeRoot'); | |
| } | |
| 6 { | |
| $hashTable.add("SigningCertificateRevocationCheck", 'CheckChainExcludeRootCacheOnly'); | |
| } | |
| } | |
| switch ($rawRP.EncryptionCertificateRevocationCheck){ | |
| 0 { | |
| $hashTable.add("EncryptionCertificateRevocationCheck", 'None'); | |
| } | |
| 1 { | |
| $hashTable.add("EncryptionCertificateRevocationCheck", 'CheckEndCert'); | |
| } | |
| 2 { | |
| $hashTable.add("EncryptionCertificateRevocationCheck", 'CheckEndCertCacheOnly'); | |
| } | |
| 3 { | |
| $hashTable.add("EncryptionCertificateRevocationCheck", 'CheckChain'); | |
| } | |
| 4 { | |
| $hashTable.add("EncryptionCertificateRevocationCheck", 'CheckChainCacheOnly'); | |
| } | |
| 5 { | |
| $hashTable.add("EncryptionCertificateRevocationCheck", 'CheckChainExcludeRoot'); | |
| } | |
| 6 { | |
| $hashTable.add("EncryptionCertificateRevocationCheck", 'CheckChainExcludeRootCacheOnly'); | |
| } | |
| } | |
| Write-Output @hashTable; | |
| Add-AdfsRelyingPartyTrust @hashTable; | |
| #Add SAML Endpoints if neccesary | |
| if ($rawRP.SamlEndpoints -ne "" -and $rawRP.SamlEndpoints -ne $null){ | |
| $EPs = New-Object -TypeName "System.Collections.ArrayList"; | |
| foreach ($saml in $rawRP.SamlEndpoints){ | |
| $Binding = $saml.Binding; | |
| $Index = $saml.Index; | |
| $IsDefault = $saml.IsDefault; | |
| $Protocol = $saml.Protocol; | |
| $Uri = $saml.Location; | |
| if ($saml.ResponseLocation -ne "null") { | |
| $ResponseUri = $saml.ResponseLocation; | |
| $EP = New-AdfsSamlEndpoint -Binding $Binding -Index $Index -IsDefault $IsDefault -Protocol $Protocol -Uri $Uri -ResponseUri $ResponseUri; | |
| } | |
| else { | |
| $EP = New-AdfsSamlEndpoint -Binding $Binding -Index $Index -IsDefault $IsDefault -Protocol $Protocol -Uri $Uri; | |
| } | |
| #write-host $Uri; | |
| $EPs.Add($EP); | |
| } | |
| Set-AdfsRelyingPartyTrust -TargetIdentifier $targetRPID -SamlEndpoint $EPs; | |
| } | |
| #Get the claim rules/authorization/additional authentication created | |
| Import-Claims; | |
| } | |
| function Import-Claims { | |
| $issuanceRules = "$path\IssuanceRules.txt"; | |
| if (Test-Path $issuanceRules -PathType Leaf) { | |
| #$ruleset = New-AdfsClaimRuleSet -ClaimRuleFile $issuanceRules; | |
| Set-AdfsRelyingPartyTrust -TargetIdentifier $targetRPID -IssuanceTransformRulesFile $issuanceRules; | |
| } | |
| $authorizationRules = "$path\AuthorizationRules.txt"; | |
| if (Test-Path $authorizationRules -PathType Leaf) { | |
| #$ruleset = New-AdfsClaimRuleSet -ClaimRuleFile $authorizationRules; | |
| Set-AdfsRelyingPartyTrust -TargetIdentifier $targetRPID -IssuanceAuthorizationRulesFile $authorizationRules; | |
| } | |
| $additionalRules = "$path\AdditionalAuthenticationRules.txt"; | |
| if (Test-Path $additionalRules -PathType Leaf) { | |
| #$ruleset = New-AdfsClaimRuleSet -ClaimRuleFile $additionalRules; | |
| Set-AdfsRelyingPartyTrust -TargetIdentifier $targetRPID -IssuanceAuthorizationRulesFile $additionalRules; | |
| } | |
| } | |
| function Validate-RP { | |
| $rp = Get-AdfsRelyingPartyTrust -Identifier $targetRPID; | |
| if ($null -ne $rp) { | |
| throw "Relying Party Trust already exists."; | |
| } | |
| else { | |
| $Result = import-RP; | |
| $Result; | |
| Write-Output "Relying party $targetName created."; | |
| } | |
| } | |
| Validate-RP; |
You can use this script like this:
import.ps1 -targetRPID http://acceptance.environment.be/exampleapp/ -targetName "ExampleApp" -path C:\exampleapp\
This will create a new relying party using the specified identifier while copying over all other data from the generated files.
Remark: The scripts should be executed directly on the ADFS instance