powershell - 如何使用 Powershell 使用 SAML 1.1 配置文件设置 AD FS 2.0？

Question

我正在使用 Windows 2008 R2 Enterprise 服务器。我正在尝试编写为我们的生产服务器创建依赖方信任的脚本。我写了一个 powershell 脚本。当我手动创建依赖方信任时，我选择了 SAML 1.1 配置文件，一切正常。当我创建脚本并使用 powershell 命令 Add-ADFSRelyingPartyTrust 时，它的工作方式不同，我收到以下错误:

The Federation Service could not authorize token issuance for caller 'xxxx\xxxxx '. The caller is not authorized to request a token for the relying party 'https://example.com/forms/'. Please see event 501 with the same instance id for caller identity.

当我搜索该错误时，在我看来(尽管我可能是错的)这是一个 SAML 2.0 配置文件问题。但我需要 SAML 1.1。

这是我创建依赖方信任的代码:

Write-Host "Configuring relying party trust."
Add-ADFSRelyingPartyTrust -Identifier "$endpoint" -Name "$name" -WSFedEndpoint "$endpoint/" -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
Write-Host "Configuring rules."
$ruleSet = New-ADFSClaimRuleSet -ClaimRule 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";userPrincipalName,mail,givenName,sn;{0}", param = c.Value);'
Set-ADFSRelyingPartyTrust -TargetIdentifier "$endpoint" -IssuanceTransformRules $ruleSet.ClaimRulesString
Write-Host "Done."

当我对有效的依赖信任执行 GetADFSRelyingPartyTrust 并将其与无效的信任进行比较时，看到规则模板中的差异:

作品:

IssuanceAuthorizationRules : @RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Val ue = "true");

不起作用:

IssuanceAuthorizationRules :

关于如何消除上述错误消息的任何想法？

Answer 1

通过提出问题并提供上述信息，我找到了自己的答案:

我需要将 -IssuanceAuthorizationRules 参数传递给命令。

-IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'