Add additional claim rule in Issuance Authorization Rules

  • Question

  • Hello,

    I am trying to use PowerShell to add an additional authorization claim rule to my existing relying parties. Some of them already have authorization rules.

    I tried the following command, but it fails:

    [String]$rules='@RuleTemplate = "Authorization" @RuleName = "<name>" c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)<deny_group>$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");'

    Set-ADFSRelyingPartyTrust -TargetName '<relying_party>' -IssuanceAuthorizationRules @{add=$rules}

    If I try

    Set-ADFSRelyingPartyTrust -TargetName '<relying_party>' -IssuanceAuthorizationRules $rules

    it works, but it overwrites my existing authorization rules.

    Thanks.


    Wednesday, January 4, 2017 3:41 AM

Answers

  • Hi WinneLao,

    Here is how I would do it:

    # The new deny rule (placeholders <name>, <relying_party> and <deny_group> as in the question).
    $rule='@RuleTemplate = "Authorization" @RuleName = "<name>" c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)<deny_group>$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");'

    # Read the rule set currently on the relying party; it is returned as a single string.
    $existingRule = Get-AdfsRelyingPartyTrust -Name '<relying_party>' | Select-Object -ExpandProperty IssuanceAuthorizationRules

    # Append the new rule after the existing ones, separated by a newline.
    $rules = "$existingRule `n$rule"

    # Write the combined rule set back; this replaces whatever was there, so the
    # existing rules must be included in $rules.
    Set-AdfsRelyingPartyTrust -TargetName '<relying_party>' -IssuanceAuthorizationRules $rules

    Good Luck!

    Shane

    • Marked as answer by WinneLao Friday, January 6, 2017 1:54 AM
    Wednesday, January 4, 2017 10:11 PM
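The accepted answer works because -IssuanceAuthorizationRules takes the whole rule set as one string: the @{add=...} hashtable form from the question has no meaning for a string parameter, and passing only the new rule replaces everything. The script below is an added example, not Shane's or WinneLao's code, that does the same append but also skips the change when a rule with the same @RuleName is already present, keeps a copy of the previous rule set so the change can be reverted, and reads the result back for verification. The relying party name, the rule name and the <deny_group> group name are assumed placeholders.

```powershell
# Added example: append an ADFS issuance authorization rule without losing the
# existing rules. <relying_party> and <deny_group> are placeholders (assumptions).
$rpName   = '<relying_party>'
$ruleName = 'Deny members of <deny_group>'

# The rule in ADFS claim rule language; @RuleName is what we check for duplicates.
$newRule = @"
@RuleTemplate = "Authorization"
@RuleName = "$ruleName"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)<deny_group>$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
"@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party '$rpName' not found." }

# IssuanceAuthorizationRules is a single string holding every rule; it is $null
# when the relying party has no authorization rules yet.
$existing = $rp.IssuanceAuthorizationRules

# Idempotency: do not add the same rule twice.
if ($existing -and $existing -match [regex]::Escape("@RuleName = `"$ruleName`"")) {
    Write-Host "Rule '$ruleName' is already present on '$rpName'; nothing to do."
    return
}

# Keep a copy of the current rule set so the change can be rolled back with
# Set-AdfsRelyingPartyTrust -IssuanceAuthorizationRules (Get-Content $backup -Raw).
$backup = Join-Path $env:TEMP ("{0}-IssuanceAuthorizationRules-{1:yyyyMMdd-HHmmss}.txt" -f `
    ($rpName -replace '[^\w\-]', '_'), (Get-Date))
Set-Content -Path $backup -Value ([string]$existing) -Encoding UTF8
Write-Host "Previous rule set saved to $backup"

# Append the new rule after the existing ones (or use it alone if there were none).
$combined = if ([string]::IsNullOrWhiteSpace($existing)) {
    $newRule
} else {
    "$($existing.TrimEnd())`r`n$newRule"
}

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $combined

# Read the rule set back so the change can be confirmed before relying on it.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Run it from an elevated PowerShell session on an ADFS server (the cmdlets come from the ADFS module). Matching on @RuleName is a convention, not enforced by ADFS, so it only prevents duplicates if every rule you add carries a distinct name.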

All replies

  • It works, thank you very much :)
    Friday, January 6, 2017 1:54 AM