Managing Trust Policy

 

This topic contains example scripts that you can use to manage ADFS Trust Policy.

Set Up Configurable Namespaces in the Trust Policy File

You can edit the Trust Policy file to configure the name and the namespace of each claim in the token sent by the Federation Services account partner (FS-A) to the Federation Services resource partner (FS-R), or to configure the namespaces of the tokens that will be accepted by the FS-R from the FS-A. This cannot be used to change the namespaces of claims in cookies.

For example, for an e-mail claim, you can configure the namespace to be "https://treyresearch" rather than the default value, "http://schemas.xmlsoap.org/claims". You can also change the name of the e-mail claim from "EmailAddress" to "EMAIL".

The Trust Policy files should have the same configuration on both the FS-A and the FS-R. If they do not match, the token sent by the FS-A might be rejected by the FS-R.

Note that ADFS ignores the values in <TrustNamespace>, <PolicyNamespace>, and <AddressingNamespace>. If these values are not matched in the Trust Policy files on both the FS-A and the FS-R, this will not cause the FS-R to reject the token sent by the FS-A.

The following code snippet shows how to configure these values:

using System;  
using System.Web.Security.SingleSignOn;  
  
// ...  
  
TrustPolicy tp = TrustPolicy.Load(@"c:\windows\systemdata\adfs\trustpolicy.xml", false);  

Namespaces configureNS = new Namespaces();

configureNS.AddressingNamespace = "treyresearch";

configureNS.CommonNameAttributeName = "test-commonclaim";

configureNS.CommonNameAttributeNamespace = "https://treyresearch";

configureNS.CommonNameNameIdentifierFormat = "http://testCNIDFormat";

configureNS.EmailAttributeName = "test-emailclaim";

configureNS.EmailAttributeNamespace = "https://treyresearch";

configureNS.EmailNameIdentifierFormat = "http://treyresearch";

configureNS.GroupAttributeName = "test-group";

configureNS.GroupAttributeNamespace = "https://treyresearch";

configureNS.NameValueAttributeNamespace = "http://treyresearch";

configureNS.PolicyNamespace = "https://treyresearch";

configureNS.TrustNamespace = "https://treyresearch";

configureNS.UpnAttributeName = "test-upn";

configureNS.UpnAttributeNamespace = "https://treyresearch";

configureNS.UpnNameIdentifierFormat = "http://treyresearch";

TrustRealm partner = null;

//Check if this is a account partner.

partner = (TrustRealm)tp.TrustedRealms[trustRealmURI];

/* If the URI is not found in the list of account partners, we look in the list of resource partners. */

if (null == partner)

{

partner = (TrustRealm)tp.TrustingRealms[trustRealmURI];

}

// If we still don't find this partner, throw an exception.

if (null == partner || String.Empty.Equals(partner))

{

throw new Exception(String.Format("Partner: {0} not found in Trust Policy file", trustRealmURI));

}

//Configure the new namespaces for this partner realm.

partner.Namespaces = newNS;

Enumerate Application Partners

This script enumerates the friendly names and URLs of all the applications serviced by the Federation Service. To run it, create a Visual Studio console application and add a reference to System.Web.Security.SingleSignOn.dll. You may need to modify the location of the Trust Policy file.

using System;  
using System.Collections.Generic;  
using System.Text;  
using System.Web.Security.SingleSignOn;  
  
namespace ConsoleApplication1  
{  
    class Program  
    {  
        static void Main(string[] args)  
        {  
            TrustPolicy tp = TrustPolicy.Load(@"c:\windows\systemdata\adfs\trustpolicy.xml", false);  
  
            foreach (TrustingApplication ta in tp.TrustingApplications)  
            {  
                Console.WriteLine("{0} = {1}", ta.TrustEntryDisplayName, ta.TrustPolicyEntryUri);  
            }  
        }  
    }  
}  

The following scripts require CScript, which can be set as the default script engine by typing "cscript /H:CScript" at a command prompt.

Create A Trust Policy File

The following example shows how to build a Trust Policy file from scratch. You will need to modify the certificate file paths, URIs, and URLs to match your configuration.

Option Explicit  
  
Dim tpf ' Trust policy factory  
Dim cf ' Claim Factory  
Dim tp ' TrustPolicy  
Dim crPurchaseAgent, crAuditor ' Corporate Groups  
Dim ccPurchaseLimit ' Corporate Custom Claims  
Dim trTrusting ' TrustingRealms  
Dim trSample ' TrustedRealms  
Dim app ' TrustingApplications  
Dim adrPurchaseAgent, adrAuditor ' AD Groups  
Dim commonSuffixXform, commonCnXform  
  
WScript.StdOut.WriteLine("Building Trust Policy for adatum")  
  
'  
' Create factories  
'  
set tpf = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")  
set cf = CreateObject("System.Web.Security.SingleSignOn.ClaimFactory")  
  
'  
' Create the TrustPolicy  
'  
set tp = tpf.CreateNewTrustPolicy(True, 0) ' initialize certs, RevocationFlags.None  
  
'  
' Hosted realm attributes  
'  
tp.TrustPolicyEntryUri = "urn:federation:adatum"  
tp.TrustEntryDisplayName = "ADATUM"  
tp.LsUrl = "https://contoso/adatum/ls/"  
tp.VerificationMethod.AddNewTrustedCertificate("c:\websso\certs\contoso.cer")  
tp.CookiePath = "/adatum"  
tp.LogonAcceleratorTokenLifetimeInMinutes = 1  
  
'  
' Corporate Claims  
'  
'   
' - Corporate Groups   
'  
set crPurchaseAgent = cf.CreateGroup("PurchaseAgent")  
tp.CorporateClaims.GroupClaims.Add(crPurchaseAgent)  
set crAuditor = cf.CreateGroup("Auditor")  
tp.CorporateClaims.GroupClaims.Add(crAuditor)  
'  
' - Corporate Custom claims  
'  
set ccPurchaseLimit = cf.CreateCustom("PurchaseLimit")  
tp.CorporateClaims.CustomClaims.Add(ccPurchaseLimit)  
  
'  
' Account Stores  
'  
'  
' - Active Directory  
'  
tp.TrustedAccountStores.NewActiveDirectoryStore()  
tp.TrustedAccountStores.ActiveDirectory.TrustEntryDisplayName = "Active Directory"  
'  
' - AD Group Population  
'  
set adrPurchaseAgent = cf.CreateADGroupGeneration(crPurchaseAgent)  
adrPurchaseAgent.Sids.Add("S-1-5-21-3081723463-1087348054-3379165843-1114") 'user  
tp.TrustedAccountStores.ActiveDirectory.GroupGenerations.Add(adrPurchaseAgent)  
set adrAuditor = cf.CreateADGroupGeneration(crAuditor)  
adrAuditor.Sids.Add("S-1-5-21-3081723463-1087348054-3379165843-500") 'admin  
tp.TrustedAccountStores.ActiveDirectory.GroupGenerations.Add(adrAuditor)  
  
'  
' - AD LDAP Claims  
'  
tp.TrustedAccountStores.ActiveDirectory.CreateLdapDirectory()  
tp.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.EmailAttribute = "mail"  
tp.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.CommonNameAttribute = "CN"  
tp.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.CustomClaimLdapAttributes.Add(cf.CreateCustomClaimLdapAttribute(ccPurchaseLimit, "company"))  
  
'  
' Trusted Realms  
'  
'  
' - Sample  
'  
set trSample = tp.NewTrustedRealm("urn:federation:sample", _  
    "SAMPLE", _  
    "https://contoso/sample/ls/", _  
    0) 'RevocationFlags.None  
trSample.VerificationMethod.AddNewTrustedCertificate("c:\websso\certs\contoso.cer")  
  
set commonCnXform = CreateObject("System.Web.Security.SingleSignOn.CommonNameClaimTransform")  
commonCnXform.PassThroughCommonName = true  
trSample.ClaimTransformation.CommonNameClaimTransformation = commonCnXform  
  
trSample.ClaimTransformation.UpnSuffixValidationTransform.SuffixList.Add("vtestdom.nttest.sample.com")  
trSample.ClaimTransformation.EmailSuffixValidationTransform.SuffixList.Add("vtestdom.nttest.sample.com")  
  
trSample.ClaimTransformation.GroupTransformations.Add(cf.CreateGroupClaimTransform(crPurchaseAgent, "PurchasingAgent"))  
trSample.ClaimTransformation.GroupTransformations.Add(cf.CreateGroupClaimTransform(crAuditor, "Auditor"))  
  
trSample.ClaimTransformation.CustomClaimTransformations.Add(cf.CreateCustomClaimTransform(ccPurchaseLimit, "PurchaseLimit"))  
  
'  
' Trusting Realms  
'  
'  
' - Sample  
'  
set trTrusting = tp.NewTrustingRealm("urn:federation:trey research", _   
    "Trey Research", _   
    "https://trey/ls/")   
  
set commonSuffixXform = CreateObject("System.Web.Security.SingleSignOn.NameSuffixTransform")  
commonSuffixXform.Suffix = "vtestdom.nttest.microsoft.com"  
set commonCnXform = CreateObject("System.Web.Security.SingleSignOn.CommonNameClaimTransform")  
commonCnXform.PassThroughCommonName = true  
  
trTrusting.ClaimTransformation.UpnSuffixTransformation = commonSuffixXform  
trTrusting.ClaimTransformation.EmailSuffixTransformation = commonSuffixXform  
trTrusting.ClaimTransformation.CommonNameClaimTransformation = commonCnXform  
  
trTrusting.ClaimTransformation.GroupTransformations.Add(cf.CreateGroupClaimTransform(crPurchaseAgent, "PurchasingAgent"))  
trTrusting.ClaimTransformation.GroupTransformations.Add(cf.CreateGroupClaimTransform(crAuditor, "Auditor"))  
  
trTrusting.ClaimTransformation.CustomClaimTransformations.Add(cf.CreateCustomClaimTransform(ccPurchaseLimit, "PurchaseLimit"))  
  
'  
' Applications  
'  
set app = tp.NewTrustingApplication("https://contoso", "SharePoint App")  
'  
' Claim Xform for App  
'  
app.ClaimTransformation.ClaimFilteringTransformation.AllowUpnClaim = true  
  
set app = tp.NewTrustingApplication("https://contoso/simpleapp/simpleapp.aspx", "Simple App")  
'  
' Claim Xform for App  
'  
app.ClaimTransformation.ClaimFilteringTransformation.AllowUpnClaim = true  
app.ClaimTransformation.ClaimFilteringTransformation.AllowEmailClaim = true  
app.ClaimTransformation.ClaimFilteringTransformation.AllowCommonNameClaim = true  
app.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(crPurchaseAgent)  
app.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(crAuditor)  
app.ClaimTransformation.ClaimFilteringTransformation.AllowedCustomClaimUuids.Add(ccPurchaseLimit)  
  
WScript.StdOut.WriteLine("Outputting Trust Policy to SampleTrustPolicy.xml")  
tp.Write("SampleTrustPolicy.xml")  

Configure an Account Partner Federation Server

This script generates a Trust Policy file. It shows how to configure an account partner Federation server. Conventionally an account partner FS has an AD store, an optional Adam store and configuration information for one or more Resource partners.

Throughout this script, the name "adatumsts" represents a account partner and the name "treysts" represents a resource partner.

This script takes the following parameters:

  1. The path to this FS's token signing certificate. You will need to have this certificate with private key in the Local Computer store for token signing to work.

  2. The path of the LS client authentication certificate. This certificate is used by FS-Proxy to communicate with FS. This certificate need not be present in the certificate store of the FS computer.

  3. The location (with the file name) where this trustpolicy file will be created. Give the complete path with the name of the file.

  
Option Explicit  
  
Dim ArgObj, tokenSignCert, proxyCert, OutPath  
Set ArgObj=WScript.Arguments  
If ArgObj.Count <> 3 Then  
    WScript.StdErr.WriteLine("Usage: accountPartnerFS.vbs tokenSignCert proxyCert OutputFilePath")  
    WScript.Quit()  
Else  
    tokenSignCert = ArgObj.Item(0)   
    proxyCert = ArgObj.Item(1)   
    OutPath = ArgObj.Item(2)  
End If  
  
Dim trustPolicyObj        ' Trust policy factory  
Dim claimsObj        ' Claim Factory  
Dim trustPolicy        ' TrustPolicy  
  
Dim corpGrpFormSubmitter, corpGrpFormApprover        ' Corporate Groups  
Dim corpCustomPosition        'Corporate Custom Claims  
  
Dim trustingRealmTrey  
  
Dim adGroup1, adGroup2  
  
Dim commonSuffixXform, commonCNXform  
  
' Create Objects/Factory  
set trustPolicyObj = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")  
set claimsObj = CreateObject("System.Web.Security.SingleSignOn.ClaimFactory")  
  
' Create the TrustPolicy. This instance is used to configure the   
' trustpolicy file.  
set trustPolicy = trustPolicyObj.CreateNewTrustPolicy(True,CheckChainExcludeRoot) ' initialize certs  
trustPolicy.CookiePath="/adfs/ls"  
  
' Hosted realm attributes  
' This is the FS's URI. All FS's (one or more in case of a farm   
' scenario where many FS's share a trustpolicy file) using this   
' trustpolicy file should have unique URI.  
trustPolicy.TrustPolicyEntryUri = "urn:federation:adatum"  
  
' This is the Federation Service Endpoint URL.   
trustPolicy.LsUrl = "https://ADATUMSTS/adfs/ls/"  
  
' This is the certificate that will be used by this FS for verifying   
' its own cookies.  
trustPolicy.VerificationMethod.AddNewTrustedCertificate(tokenSignCert)  
  
' This is certificate that is used in SSL authentication when a  
' FS-Proxy talks to this FS.  
trustPolicy.AddLSClientCertificate(proxyCert)  
  
' Define Corporate Groups. Please read documentation to understand the   
' concept of corporate claims.  
set corpGrpFormSubmitter = claimsObj.CreateGroup("Employee")  
trustPolicy.CorporateClaims.GroupClaims.Add(corpGrpFormSubmitter)  
set corpGrpFormApprover = claimsObj.CreateGroup("Manager")  
trustPolicy.CorporateClaims.GroupClaims.Add(corpGrpFormApprover)  
  
' Define Corporate Custom Claims. A custom claim is a name-value pair   
' entity.  
set corpCustomPosition = claimsObj.CreateCustom("Position")  
trustPolicy.CorporateClaims.CustomClaims.Add(corpCustomPosition)  
  
' Active Directory Store. This is the AD store of the domain to which   
' this computer is joined.  
trustPolicy.TrustedAccountStores.NewActiveDirectoryStore()  
trustPolicy.TrustedAccountStores.ActiveDirectory.TrustEntryDisplayName = "AD Store"  
  
' Active Directory Group Claims Population. Here we are mapping   
' corporate group claims (created above) to AD groups.  
set adGroup1 = claimsObj.CreateADGroupGeneration(corpGrpFormSubmitter)  
adGroup1.Sids.Add("S-1-1-0")  
trustPolicy.TrustedAccountStores.ActiveDirectory.GroupGenerations.Add(adGroup1)  
  
set adGroup2 = claimsObj.CreateADGroupGeneration(corpGrpFormApprover)  
adGroup2.Sids.Add("S-1-5-11")  
trustPolicy.TrustedAccountStores.ActiveDirectory.GroupGenerations.Add(adGroup2)  
  
' Active Directory LDAP Claims. Mapping corporate claims to AD user   
' account's attributes.  
trustPolicy.TrustedAccountStores.ActiveDirectory.CreateLdapDirectory()  
trustPolicy.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.EmailAttribute = "mail"  
trustPolicy.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.CommonNameAttribute = "displayName"  
trustPolicy.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.CustomClaimLdapAttributes.Add(claimsObj.CreateCustomClaimLdapAttribute(corpCustomPosition, "Title"))  
  
' Configuring an ADAM Store  
set AdamStore = trustPolicy.TrustedAccountStores.NewAdamAccountStore("urn:federation:adam", _  
    "ADAM Store", _  
    "adatumadam", _  
    "DC=adatum,DC=com", _  
    389, _  
    "userPrincipalName")  
  
' ADAM LDAP Claims. Mapping corporate claims to ADAM store user   
' account's attributes.  
AdamStore.LdapClaimGeneration.UPNAttribute = "userPrincipalName"  
AdamStore.LdapClaimGeneration.EmailAttribute = "mail"  
AdamStore.LdapClaimGeneration.CommonNameAttribute = "displayName"  
  
' ADAM Group Claims Population. This is tricky. Please read   
' corresponding section in documentation to understand what is going   
' on here. Too much to explain in the script.  
AdamStore.LdapClaimGeneration.GroupLdapAttributes.Add(claimsObj.CreateGroupLdapAttribute(corpGrpFormSubmitter, _  
    "memberOf", _  
    "CN=ADAMTestGroup1,CN=Users,DC=adatum,DC=com"))  
AdamStore.LdapClaimGeneration.GroupLdapAttributes.Add(claimsObj.CreateGroupLdapAttribute(corpGrpFormApprover, _  
    "memberOf", _  
    "CN=ADAMTestGroup2,CN=Users,DC=adatum,DC=com"))  
AdamStore.LdapClaimGeneration.CustomClaimLdapAttributes.Add(claimsObj.CreateCustomClaimLdapAttribute(corpCustomPosition, "title"))  
  
' Trusting Realms. Configuring a resource partner for this FS. A   
' resource partner hosts web applications that the account partner's  
' users can utilize.  
' Resource partner consumes SAML tokens generated by the account   
' partner.  
set trustingRealmTrey = trustPolicy.NewTrustingRealm("urn:federation:trey research", _  
    "Trey Research", _  
    "https://TREYSTS/adfs/ls/")  
  
' This instance is used to set a standard suffix for the UPN or the   
' Email claim that is sent in a SAML token to the resource partner.  
' The idea here is that your internal upn/email may be   
' user1@ntdev.windows.stb.microsoft.com but when a SAML token is sent   
' to the resource partner you want your upn/email to look like:   
' user1@microsoft.com.  
' Similarly here we are replacing suffix of both upn and email with   
' "adatum.com".  
set commonSuffixXform = CreateObject("System.Web.Security.SingleSignOn.NameSuffixTransform")  
commonSuffixXform.Suffix = "adatum.com"  
  
' Explicitly allowing corporate common name claim to be passed to the   
' resource partner.  
set commonCNXform = CreateObject("System.Web.Security.SingleSignOn.CommonNameClaimTransform")  
commonCNXform.PassThroughCommonName = false  
  
' Applying the suffix replacement rule to both UPN claim as well as   
' Email claim.  
trustingRealmTrey.ClaimTransformation.UpnSuffixTransformation = commonSuffixXform  
trustingRealmTrey.ClaimTransformation.EmailSuffixTransformation = commonSuffixXform  
trustingRealmTrey.ClaimTransformation.CommonNameClaimTransformation = commonCnXform  
  
' Mapping corporate group claims to outgoing group claims. This means   
' corporate group claim: Employee (defined above) will be named   
' ClaimSubmitter in the SAML token that is sent to the resource   
' partner.  
' Similarly corporate group claim: Manager will be named as  
' ClaimApprover in the SAML token that is sent to the resource partner.  
trustingRealmTrey.ClaimTransformation.GroupTransformations.Add(claimsObj.CreateGroupClaimTransform(corpGrpFormSubmitter,"ClaimSubmitter"))  
trustingRealmTrey.ClaimTransformation.GroupTransformations.Add(claimsObj.CreateGroupClaimTransform(corpGrpFormApprover, "ClaimApprover"))  
  
' Mapping corporate custom claim to outgoing custom claim.  
' This means corporate custom claim: Position (defined above) will be   
' named ClaimApprover in the SAML token that is sent to the resource   
' partner.  
trustingRealmTrey.ClaimTransformation.CustomClaimTransformations.Add(claimsObj.CreateCustomClaimTransform(corpCustomPosition, "Occupation"))  
  
' We are done with our configuration. Writing the trustpolicy file.  
trustPolicy.Write(OutPath)  

Configure a Resource Partner Federation Server

This script generates a Trust Policy file. It shows how to configure a resource partner Federation Server. Conventionally a resource partner has information for one or more account partners and one or more trusting web applications configured in it.

Throughout this script, the name "adatumsts" represents an account partner and the name "treysts" represents a resource partner.

This script takes the following parameters:

  1. The path to this FS's token signing certificate. You will need to have this cert with private key in the Local Computer store for token signing to work.

  2. The path of the LS client authentication certificate. This certificate is used by FS-Proxy to communicate with FS. This certificate need not be present in the certificate store of the FS computer.

  3. The location (with the file name) where this trustpolicy file will be created. Give the complete path with the name of the file.

  
Option Explicit  
  
Dim ArgObj, tokenSignCert, proxyCert, fsaTokenVerificationCert, OutPath  
Set ArgObj=WScript.Arguments  
If ArgObj.Count <> 4 Then  
    WScript.StdErr.WriteLine("Usage: resourcePartnerFS.vbs tokenSignCert proxyCert fsaTokenVerificationCert OutputFilePath")  
    WScript.Quit()  
Else  
    tokenSignCert = ArgObj.Item(0)   
    proxyCert = ArgObj.Item(1)   
    fsaTokenVerificationCert = ArgObj.Item(2)   
    OutPath = ArgObj.Item(3)  
End If  
  
Dim trustPolicyObj        ' Trust policy factory  
Dim claimsObj        ' Claim Factory  
Dim trustPolicy        ' TrustPolicy  
  
Dim corpGrpFormSubmitter, corpGrpFormApprover    ' Corporate Groups  
Dim corpCustomPosition    ' Corporate Custom Claims  
  
Dim trustedRealmAdatum    ' TrustedRealms  
  
Dim app1,app2    ' TrustingApplications  
  
Dim commonCNXform  
  
' Create Objects/Factory  
set trustPolicyObj = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")  
set claimsObj = CreateObject("System.Web.Security.SingleSignOn.ClaimFactory")  
  
' Create the TrustPolicy. This instance is used to configure the   
' trustpolicy file.  
set trustPolicy = trustPolicyObj.CreateNewTrustPolicy(True,CheckChainExcludeRoot) ' initialize certs  
trustPolicy.CookiePath="/adfs/ls"  
  
' Hosted realm attributes  
  
' This is the FS's URI. All FS's (one or more in case of a farm   
' scenario where many FS's share a trustpolicy file) using this   
' trustpolicy file should have unique URI.  
trustPolicy.TrustPolicyEntryUri = "urn:federation:trey research"  
  
'This is Federation Service Endpoint URL.  
trustPolicy.LsUrl = "https://TREYSTS/adfs/ls/"  
  
' This is the certificate that will be used by this FS for verifying   
' it's own cookies.  
trustPolicy.VerificationMethod.AddNewTrustedCertificate(tokenSignCert)  
  
' This is certificate that is used in SSL authentication when a   
' FS-Proxy talks to this FS.  
trustPolicy.AddLSClientCertificate(proxyCert)  
  
' Define Corporate Groups. Please read documentation to understand the   
' concept of corporate claims.  
set corpGrpFormSubmitter = claimsObj.CreateGroup("Form Submitter")  
trustPolicy.CorporateClaims.GroupClaims.Add(corpGrpFormSubmitter)  
set corpGrpFormApprover = claimsObj.CreateGroup("Form Approver")  
trustPolicy.CorporateClaims.GroupClaims.Add(corpGrpFormApprover)  
  
' Define Corporate Custom Claims. A custom claim is a name-value pair   
' entity.  
set corpCustomPosition = claimsObj.CreateCustom("Profession")  
trustPolicy.CorporateClaims.CustomClaims.Add(corpCustomPosition)  
  
' Trusted Realms. This is configuration information for an account   
' partner FS.  
set trustedRealmAdatum = trustPolicy.NewTrustedRealm("urn:federation:adatum", _  
    "ADATUM", _  
    "https://ADATUMSTS/adfs/ls/", _  
    CheckChainExcludeRoot)  
trustedRealmAdatum.VerificationMethod.AddNewTrustedCertificate(fsaTokenVerificationCert)  
  
set commonCNXform = CreateObject("System.Web.Security.SingleSignOn.CommonNameClaimTransform")  
commonCNXform.PassThroughCommonName = true  
  
trustedRealmAdatum.ClaimTransformation.CommonNameClaimTransformation = commonCNXform  
  
' FS will check that a UPN that comes in the SAML token from the   
' account partner has this suffix. If the suffix does not match   
' then the token will be rejected by the FS. However in case of   
' successful Group-To-UPN mapping this rule will be ignored.  
trustedRealmAdatum.ClaimTransformation.UpnSuffixValidationTransform.SuffixList.Add("adatum.com")  
  
' Similarly if Email claim is the primary identity claim in the token   
' and the email suffix does not match then FS will reject this token.   
' However in case of successful Group-To-UPN mapping this rule will be   
' ignored.  
trustedRealmAdatum.ClaimTransformation.EmailSuffixValidationTransform.SuffixList.Add("adatum.com")  
  
' Mapping incoming group claims to corporate group claims. Mapping   
' group claim ClaimSubmitter (sent in the token by the account partner)   
' to corporate group claim: Form Submitter  
trustedRealmAdatum.ClaimTransformation.GroupTransformations.Add(claimsObj.CreateGroupClaimTransform(corpGrpFormSubmitter, "ClaimSubmitter"))  
  
' Similarly mapping group claim ClaimApprover(sent in the token by the   
' account partner) to corporate group claim: Form Approver.  
trustedRealmAdatum.ClaimTransformation.GroupTransformations.Add(claimsObj.CreateGroupClaimTransform(corpGrpFormApprover, "ClaimApprover"))  
  
' Mapping incoming custom claim to corporate custom claim. Mapping   
' custom claim Occupation (sent in the token by the account partner)   
' to corporate custom claim: Profession.  
trustedRealmAdatum.ClaimTransformation.CustomClaimTransformations.Add(claimsObj.CreateCustomClaimTransform(corpCustomPosition, "Occupation"))  
  
' Doing Group to UPN claim transformation. Please read documentation to   
' understand the concept of Group-To-UPN transformation.  
trustedRealmAdatum.ClaimTransformation.GroupToUpnClaimTransformations.Add(claimsObj.CreateGroupToUpnClaimTransform("ClaimApprover","approver@trey.com"))  
trustedRealmAdatum.ClaimTransformation.GroupToUpnClaimTransformations.Add(claimsObj.CreateGroupToUpnClaimTransform("ClaimSubmitter","submitter@trey.com"))  
  
'Configuring a claims aware trusting web application.  
set app1 = trustPolicy.NewTrustingApplication("https://WebAppMachine/simpleapp/", "Sample Claims aware web application")  
app1.IsWindowsRealm = false  
  
' Here we specify which corporate claims are configured to be passed to   
' this web app.  
app1.ClaimTransformation.ClaimFilteringTransformation.AllowUpnClaim = true  
app1.ClaimTransformation.ClaimFilteringTransformation.AllowEmailClaim = true  
app1.ClaimTransformation.ClaimFilteringTransformation.AllowCommonNameClaim = true  
app1.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(corpGrpFormSubmitter)  
app1.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(corpGrpFormApprover)  
app1.ClaimTransformation.ClaimFilteringTransformation.AllowedCustomClaimUuids.Add(corpCustomPosition)  
  
'Configuring a traditional ASP web application.  
set app2 = trustPolicy.NewTrustingApplication("https://WebAppMachine/nttokenapp/", "Sample NT token web application")  
app2.IsWindowsRealm = true  
app2.ClaimTransformation.ClaimFilteringTransformation.AllowUpnClaim = true  
app2.ClaimTransformation.ClaimFilteringTransformation.AllowEmailClaim = true  
app2.ClaimTransformation.ClaimFilteringTransformation.AllowCommonNameClaim = true  
app2.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(corpGrpFormSubmitter)  
app2.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(corpGrpFormApprover)  
app2.ClaimTransformation.ClaimFilteringTransformation.AllowedCustomClaimUuids.Add(corpCustomPosition)  
  
' We are done with our configuration. Writing the trustpolicy file.  
trustPolicy.Write(OutPath)  

Add ADAM Account Stores to a Trust Policy File

This script adds ADAM Account Stores to a Trust Policy file.

It takes the following parameters:

  1. The Trust Policy file to modify.

  2. The number of ADAM Account Stores to add.

  3. The new Trust Policy file to create.

Dim args, urnname, dispname  
Dim tpFactory, tpFile, tp, outFile  
Dim port  
Set args=WScript.Arguments  
  
If args.Count <> 3 Then  
    WScript.Echo("This script adds ADAM Account Stores to a Trust Policy file.")  
    WScript.Echo("")  
    WScript.Echo("Parameters: {input file} {quantity} {output file}")  
    WScript.Quit()  
Else  
    tpFile = args.Item(0)  
    qty = args.Item(1)  
    outFile = args.Item(2)  
End If  
  
' Create Objects/Factory  
set tpFactory = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")  
  
' Open the TrustPolicy  
set tp = tpFactory.Load(tpFile, true) ' initialize certs  
if (tp = null) Then  
    WScript.Echo("Error loading Trust Policy file")  
    WScript.Quit()  
End If  
  
' Create ADAM Account Stores  
For i=1 To qty  
    urnname = "urn:federation:adam-" & i  
    dispname = "ADAM Store #" & i  
    port = 389 + i   
  
    set AdamStore = tp.TrustedAccountStores.NewAdamAccountStore( _  
        urnname, dispname, "adatumadam", "DC=adatum,DC=com", port, "userPrincipalName")  
  
    ' ADAM LDAP Claims                                                              
    AdamStore.LdapClaimGeneration.UPNAttribute = "userPrincipalName"  
    AdamStore.LdapClaimGeneration.EmailAttribute = "mail"  
    AdamStore.LdapClaimGeneration.CommonNameAttribute = "displayName"  
Next  
  
tp.Write(outFile)  

Add Resource Partners to a Trust Policy File

This script adds resource partners to a Trust Policy file.

It takes the following parameters:

  1. The Trust Policy file to modify.

  2. The number of resource partners to add.

  3. The new Trust Policy file to create.

Dim args, urnname, dispname, res  
Dim tpFactory, tpFile, tp, outFile  
  
Set args=WScript.Arguments  
  
If args.Count <> 3 Then  
    WScript.Echo("This script adds Resource Partners to a Trust Policy file.")  
    WScript.Echo("")  
    WScript.Echo("Parameters: {input file} {quantity} {output file}")  
    WScript.Quit()  
Else  
    tpFile = args.Item(0)  
    qty = args.Item(1)  
    outFile = args.Item(2)  
End If  
  
' Create Objects/Factory  
set tpFactory = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")  
  
' Open the TrustPolicy  
set tp = tpFactory.Load(tpFile, true) ' initialize certs  
if (tp = null) Then  
    WScript.Echo("Error loading Trust Policy file")  
    WScript.Quit()  
End If  
  
' Create Resource Partners  
For i=0 To qty-1  
    urnname = "urn:federation:adfsstrs_rp_" & i  
    dispname = "Resource #" & i  
    set res = tp.NewTrustingRealm(urnname, dispname, "https://adfsstrs_rp_" & i & "/adfs/ls/ClientLogon.aspx")  
  
    ' Resource Partner Claims   
    res.ClaimTransformation.UpnSuffixTransformation.Suffix = "adfsstrs_rp_" & i & ".com"  
    res.ClaimTransformation.EmailSuffixTransformation.Suffix = "adfsstrs_rp_" & i & ".com"  
Next  
  
tp.Write(outFile)  

Modify Realm Cookie Lifetime

The following script modifies a Trust Policy file by changing the realm cookie lifetime that is written by the resource Federation Server to a persistent cookie.

It takes the following parameters:

  1. The Trust Policy file to modify.

  2. The new realm cookie lifetime in days.

' VBScript source code  
  
Option Explicit  
  
Dim tpf ' Trust policy factory  
Dim tp ' TrustPolicy  
Dim filename ' Trust policy filename  
Dim lifetime ' Realm lifetime in days  
Dim args  
  
Set args=WScript.Arguments  
  
if args.Count < 2 then  
    WScript.Echo("Must specify Trust Policy file and realm cookie lifetime in days")  
    WScript.Quit  
end if  
  
filename = args.Item(0)  
lifetime = CInt(args.Item(1))  
  
'  
' Create factory  
'  
set tpf = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")  
  
'  
' Create the TrustPolicy  
'  
set tp = tpf.Load(filename, False) ' filename, don't initialize certs  
  
'  
' Hosted realm attributes  
'  
tp.RealmCookieLifetimeInDays = lifetime  
  
tp.Write(filename)  
  
WScript.Echo(filename & " has been updated for a realm cookie lifetime of " & lifetime & " days.")  

Modify Revocation Check Settings

This script modifies a Trust Policy file by changing the revocation checking behavior used by ADFS to validate tokens. The revocation flags include:

  • How the FS validates its own tokens and how the web applications validate tokens issued by the FS-R (configured on this Federation Service)

  • How the FS-R validates tokens from each different FS-A (configured on the Account partner)

This script takes the following parameters:

  1. The full path to the Trust Policy file.

  2. The URI of the trust realm whose setting to change.

  3. A revocation flag that must be one of the following:

    • None

    • CheckEndCert

    • CheckEndCertCacheOnly

    • CheckChain

    • CheckChainCacheOnly

    • CheckChainExcludeRoot

    • CheckChainExcludeRootCacheOnly

Option Explicit  
  
Dim tpf ' Trust policy factory  
Dim cf ' Claim Factory  
  
Dim tpFileName ' Trust policy file name  
Dim trUri ' TrustRealm Uri  
Dim revFlagsStr ' RevocationFlags enum in string form  
  
Dim tp ' TrustPolicy  
Dim tr ' TrustedRealm  
Dim revFlags' RevocationFlags enum  
Dim found ' Did we find the realm in the Trust Policy?  
  
'----------------------------------------  
' Echo usage.  
'----------------------------------------  
Sub Usage()  
    WScript.StdErr.WriteLine("Usage:")  
    WScript.StdErr.WriteLine("TpCrlChk.vbs TrustPolicy.xml TrustRealmUri RevocationFlags")  
    WScript.Quit  
End Sub  
  
'----------------------------------------  
' Fetch the RevocationFlags enum value.  
'----------------------------------------  
Function GetRevFlags(revFlagsStr)  
    If (revFlagsStr = "None") Then  
        GetRevFlags = 0  
    ElseIf (revFlagsStr = "CheckEndCert") Then  
        GetRevFlags = 1  
    ElseIf (revFlagsStr = "CheckEndCertCacheOnly") Then  
        GetRevFlags = 2  
    ElseIf (revFlagsStr = "CheckChain") Then  
        GetRevFlags = 3  
    ElseIf (revFlagsStr = "CheckChainCacheOnly") Then  
        GetRevFlags = 4  
    ElseIf (revFlagsStr = "CheckChainExcludeRoot") Then  
        GetRevFlags = 5  
    ElseIf (revFlagsStr = "CheckChainExcludeRootCacheOnly") Then  
        GetRevFlags = 6  
    Else  
        Call Usage()  
    End If  
End Function  
  
'----------------------------------------  
' Get the parameters.  
'----------------------------------------  
  
Dim ArgObj  
Set ArgObj = WScript.Arguments  
  
If (ArgObj.Count < 3) Then  
    Call Usage()  
End If  
  
tpFileName = ArgObj.Item (0)  
trUri = ArgObj.Item(1)  
revFlags = GetRevFlags(ArgObj.Item(2))  
  
'----------------------------------------  
' Do the job.  
'----------------------------------------  
  
WScript.StdOut.WriteLine("Loading Trust Policy: " & tpFileName)  
  
'  
' Create factories  
'  
Set tpf = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")  
Set cf = CreateObject("System.Web.Security.SingleSignOn.ClaimFactory")  
  
'  
' Load the TrustPolicy  
'  
Set tp = tpf.Load(tpFileName, 0) ' initialize certs = false  
  
'  
' Find the realm and set the revocation flags  
'  
found = 0  
If (tp.TrustPolicyEntryUri = trUri) Then  
    '  
    ' Hosted realm attributes  
    '  
    WScript.StdOut.WriteLine("Changing the setting for this Federation service: " & trUri)  
    found = 1  
    tp.VerificationMethod.RevocationCheckFlags = revFlags  
Else  
    '  
    ' Trusted Realms  
    '  
    For Each tr in tp.TrustedRealms  
        If (tr.TrustPolicyEntryUri = trUri) Then  
            WScript.StdOut.WriteLine("Changing the setting for this Account partner: " & trUri)  
            found = 1  
            tr.VerificationMethod.RevocationCheckFlags = revFlags  
            Exit For 'since the Uri is unique  
        End If  
    Next  
  
    If (found = 0) Then  
        WScript.StdErr.WriteLine("Error: " & trUri & " is neither this Federation Service nor an Account partner.")  
        WScript.Quit  
    End If  
End If  
  
'----------------------------------------  
' Save the TrustPolicy  
'----------------------------------------  
WScript.StdOut.Write("Saving changed Trust Policy...")  
  
tp.Write(tpFileName)  
  
WScript.StdOut.WriteLine("Done.")  

Community Additions

ADD
Show: