Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp –AdditionalAuthenticationRules Fails with Unexpected Output

  • Question

  • I am trying to set up an AdditionalAuthenticationRule on my ADFS 3.0 to exclude users from MFA.

    Set-AdfsRelyingPartyTrust –TargetRelyingParty "Microsoft Office 365 Identity Platform" –AdditionalAuthenticationRules 'exists([Type == “http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid”, Value == "ALLOWED GROUP SID"]) && NOT exists([Type == “http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid”, Value == "EXCLUDE GROUP SID"]) => issue(Type = “http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod”, Value = “http://schemas.microsoft.com/claims/multipleauthn” );'

    The command fails with below error

    Set-AdfsRelyingPartyTrust : POLICY0002: Could not parse policy data.
    Line number: 1, Column number: 16, Error token: “. Line: 'exists([Type == “http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid”, Value ==
    "Allowed Group SID"]) && NOT exists([Type == “http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid”, Value ==
    "Exclude Group Sid"]) => Issue (Type = “http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod”, Value =
    “http://schemas.microsoft.com/claims/multipleauthn” );'.
    Parser error: 'POLICY0029: Unexpected input.'
    At line:1 char:1
    + Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp –AdditionalAuthenticationRules ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (Microsoft.Ident...lyingPartyTrust:RelyingPartyTrust) [Set-AdfsRelyingPartyTrust], PolicyValidationException
        + FullyQualifiedErrorId : POLICY0002,Microsoft.IdentityServer.Management.Commands.SetRelyingPartyTrustCommand

    Any help will be greatly appreciated.

    Friday, September 8, 2017 8:09 AM

All replies

  • It's probably the format of the claims rule.

    When I copied the above directly into a claims rule, I got an error.

    This worked - directly into the claims rule:

    exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "ALLOWED GROUP SID"])
     && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "EXCLUDE GROUP SID"])
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

    Sunday, September 10, 2017 7:24 PM
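The error token quoted in the question's POLICY0002 output is a typographic double quote (U+201C), which is what the reply above is pointing at: the claim-rule parser only accepts the straight ASCII quote. The following is an added PowerShell example, not code from the original thread, that builds the same rule from straight quotes, refuses to submit it if typographic quotes or dashes have crept in from a document or web page, applies it, and reads back what AD FS stored. The relying-party name is the one from the question; the two SIDs and the @RuleName are placeholders, and the pre-flight character check is this example's own safeguard, not something AD FS provides.

```powershell
# Added example (not from the original post). Assumptions: the two SIDs below are
# placeholders to be replaced with real group SIDs from Get-ADGroup; the rule name
# is illustrative. Run in an elevated AD FS PowerShell session on the farm.

$rpName      = 'Microsoft Office 365 Identity Platform'
$allowedSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1001'   # placeholder: group that must use MFA
$excludedSid = 'S-1-5-21-1111111111-2222222222-3333333333-1002'   # placeholder: members skip MFA

$groupSidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$authMethod   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$mfaValue     = 'http://schemas.microsoft.com/claims/multipleauthn'

# Double-quoted here-string: $variables are expanded, but the embedded " characters
# are literal, so the claim-rule parser receives plain ASCII quotes.
$rule = @"
@RuleName = "Require MFA for allowed group unless in exclude group"
exists([Type == "$groupSidType", Value == "$allowedSid"])
 && NOT exists([Type == "$groupSidType", Value == "$excludedSid"])
 => issue(Type = "$authMethod", Value = "$mfaValue");
"@

# Pre-flight check (this example's own, not an AD FS feature): typographic quotes
# and dashes are the usual cause of "POLICY0029: Unexpected input" when a rule was
# pasted from a document. Fail early with the offending code point and offset.
$badPunctuation = [regex]'[\u201C\u201D\u2018\u2019\u2013\u2014]'
$hit = $badPunctuation.Match($rule)
if ($hit.Success) {
    throw ('Rule text contains non-ASCII punctuation U+{0:X4} at offset {1}; retype it with straight quotes.' -f `
           [int][char]$hit.Value, $hit.Index)
}

# Resolve the trust object, then apply the rule and read back what was stored.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rule

# Verify: the stored text should match $rule character for character.
$stored = (Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
if ($stored.Trim() -ne $rule.Trim()) {
    Write-Warning 'Stored rule differs from what was submitted; inspect $stored.'
} else {
    Write-Host "Additional authentication rule applied to '$rpName'."
}
```

Two things worth keeping in mind when using a rule of this shape. The multipleauthn claim is issued only for users who are in the allowed group and not in the exclude group, so anyone outside the allowed group is never challenged by this rule at all, and every member of the exclude group bypasses MFA for this relying party; membership of that exclude group is therefore an MFA bypass and should be audited like any other privileged group. And because Set-AdfsRelyingPartyTrust replaces the whole AdditionalAuthenticationRules text rather than appending to it, read the existing value first if other rules are already in place.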