First published by Adam Conkle - MSFT (Microsoft), 3 Oct 2011 1:00 PM
Last revision by Yagmoth555 (Microsoft Partner), 19 Feb 2013 6:40 PM
Revisions: 3
AD FS 2.0: How to Migrate Claim Rules Between Trusts
Overview
This article demonstrates how to migrate claim rules from one trust in AD FS 2.0 to another trust in AD FS 2.0. This may be useful when you are creating multiple trust relationships which will utilize similar claim rules, or when you are migrating configuration data between test, staging, and production environments.
Steps
Migrating Claims Provider trust claim rules
Claims Provider trusts contain one type of claim rule:
Acceptance Transform Rules - used to control how claims are accepted from a trusted Claims Provider
Export existing claim rules from a Claims Provider trust to file
1. Using the AD FS 2.0 MMC console, identify the Claims Provider trust name from which the claim rules will be exported
2. Launch an administrative PowerShell window
3. Execute the following command to import the AD FS 2.0 PowerShell snap-in:
Add-PsSnapin Microsoft.Adfs.Powershell
4. Execute the following command to export the Acceptance Transform Rules to file:
(Get-AdfsClaimsProviderTrust -Name "name-from-step-1").AcceptanceTransformRules | Out-File "C:\CP-name-from-step-1-Acceptance-Rules.txt"
*Note: Replace "name-from-step-1" and "C:\CP-name-from-step-1-Acceptance-Rules.txt" to reflect the name of the Claims Provider trust you have chosen.
Import claim rules from file to a Claims Provider trust
1. Using the AD FS 2.0 MMC console, identify the Claims Provider trust name to which the claim rules will be imported
2. Launch an administrative PowerShell window
3. Execute the following command to import the AD FS 2.0 PowerShell snap-in:
Add-PsSnapin Microsoft.Adfs.Powershell
4. Execute the following command to import the Acceptance Transform Rules from file to the Claims Provider trust:
Set-AdfsClaimsProviderTrust -TargetName "name-from-step-1" -AcceptanceTransformRulesFile "C:\CP-name-from-step-1-Acceptance-Rules.txt"
*Note: Replace "name-from-step-1" and "C:\CP-name-from-step-1-Acceptance-Rules.txt" to reflect the name of the Claims Provider trust you have chosen.
Migrating Relying Party trust claim rules
Relying Party trusts contain three types of claim rules:
Issuance Transform Rules - used to control how claims are issued to a trusting Relying Party
Issuance Authorization Rules - used to control access to a trusting Relying Party
Delegation Authorization Rules - used to control authorization for identity delegation to a trusting Relying Party
Export existing claim rules from a Relying Party trust to file
1. Using the AD FS 2.0 MMC console, identify the Relying Party trust name from which the claim rules will be exported
2. Launch an administrative PowerShell window
3. Execute the following command to import the AD FS 2.0 PowerShell snap-in:
Add-PsSnapin Microsoft.Adfs.Powershell
4. Execute the following command to export the Issuance Transform Rules to file:
(Get-AdfsRelyingPartyTrust -Name "name-from-step-1").IssuanceTransformRules | Out-File "C:\RP-name-from-step-1-Issuance-Transform-Rules.txt"
*Note: Replace "name-from-step-1" and "C:\RP-name-from-step-1-Issuance-Transform-Rules.txt" to reflect the name of the Relying Party trust you have chosen.
5. Execute the following command to export the Issuance Authorization Rules to file:
(Get-AdfsRelyingPartyTrust -Name "name-from-step-1").IssuanceAuthorizationRules | Out-File "C:\RP-name-from-step-1-Issuance-Authorization-Rules.txt"
*Note: Replace "name-from-step-1" and "C:\RP-name-from-step-1-Issuance-Authorization-Rules.txt" to reflect the name of the Relying Party trust you have chosen.
6. Execute the following command to export the Delegation Authorization Rules to file:
(Get-AdfsRelyingPartyTrust -Name "name-from-step-1").DelegationAuthorizationRules | Out-File "C:\RP-name-from-step-1-Delegation-Authorization-Rules.txt"
*Note: Replace "name-from-step-1" and "C:\RP-name-from-step-1-Delegation-Authorization-Rules.txt" to reflect the name of the Relying Party trust you have chosen.
Import claim rules from file to a Relying Party trust
1. Using the AD FS 2.0 MMC console, identify the Relying Party trust name to which the claim rules will be imported
2. Launch an administrative PowerShell window
3. Execute the following command to import the AD FS 2.0 PowerShell snap-in:
Add-PsSnapin Microsoft.Adfs.Powershell
4. Execute the following command to import the Issuance Transform Rules from file to the Relying Party trust:
Set-AdfsRelyingPartyTrust -TargetName "name-from-step-1" -IssuanceTransformRulesFile "C:\RP-name-from-step-1-Issuance-Transform-Rules.txt"
*Note: Replace "name-from-step-1" and "C:\RP-name-from-step-1-Issuance-Transform-Rules.txt" to reflect the name of the Relying Party trust you have chosen.
5. Execute the following command to import the Issuance Authorization Rules from file to the Relying Party trust:
Set-AdfsRelyingPartyTrust -TargetName "name-from-step-1" -IssuanceAuthorizationRulesFile "C:\RP-name-from-step-1-Issuance-Authorization-Rules.txt"
*Note: Replace "name-from-step-1" and "C:\RP-name-from-step-1-Issuance-Authorization-Rules.txt" to reflect the name of the Relying Party trust you have chosen.
6. Execute the following command to import the Delegation Authorization Rules from file to the Relying Party trust:
Set-AdfsRelyingPartyTrust -TargetName "name-from-step-1" -DelegationAuthorizationRulesFile "C:\RP-name-from-step-1-Delegation-Authorization-Rules.txt"
*Note: Replace "name-from-step-1" and "C:\RP-name-from-step-1-Delegation-Authorization-Rules.txt" to reflect the name of the Relying Party trust you have chosen.
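A read-only check to run after the import steps above, added here as an example and not part of the original article: it compares each rule set on the target trust with the same rule set on the source trust, ignoring whitespace differences introduced by the file round trip. The trust names are placeholders, and Get-NormalizedRules and Compare-TrustRules are hypothetical helper names.

```powershell
# Added example (not from the original article). Reads trust configuration only;
# it changes nothing. Trust names below are placeholders (assumptions).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-NormalizedRules([string]$Text) {
    # Collapse runs of whitespace so line-ending changes from Out-File and the
    # import are not reported as rule differences.
    return ($Text -replace '\s+', ' ').Trim()
}

function Compare-TrustRules($Source, $Target, [string[]]$RuleSets) {
    # Emits one result object per rule set (property name on the trust object).
    foreach ($set in $RuleSets) {
        $src = Get-NormalizedRules ($Source.$set)
        $dst = Get-NormalizedRules ($Target.$set)
        New-Object PSObject -Property @{
            RuleSet     = $set
            SourceEmpty = ($src.Length -eq 0)
            Match       = ($src -ceq $dst)   # case-sensitive comparison
        }
    }
}

# The three Relying Party rule sets named in this article.
$rpSets = 'IssuanceTransformRules', 'IssuanceAuthorizationRules', 'DelegationAuthorizationRules'
$srcRp  = Get-AdfsRelyingPartyTrust -Name 'source-rp-trust-name'   # placeholder
$dstRp  = Get-AdfsRelyingPartyTrust -Name 'target-rp-trust-name'   # placeholder
if (-not $srcRp -or -not $dstRp) { throw 'Relying Party trust not found; check the names.' }

$results = @(Compare-TrustRules $srcRp $dstRp $rpSets)
$results | Format-Table RuleSet, SourceEmpty, Match -AutoSize

# Claims Provider trusts carry a single rule set, so the same helper applies:
#   $srcCp = Get-AdfsClaimsProviderTrust -Name 'source-cp-trust-name'   # placeholder
#   $dstCp = Get-AdfsClaimsProviderTrust -Name 'target-cp-trust-name'   # placeholder
#   Compare-TrustRules $srcCp $dstCp 'AcceptanceTransformRules'

# Fail loudly if any rule set on the target differs from the source.
$failed = @($results | Where-Object { -not $_.Match })
if ($failed.Count -gt 0) {
    throw "Rule mismatch in: $(($failed | ForEach-Object { $_.RuleSet }) -join ', ')"
}
```

A True in the SourceEmpty column means the source trust had no rules of that type, so an empty target is expected for that row.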