ADFS 2016 - New-AdfsAccessControlPolicy -PolicyMetadata Example

  • Question

  • Is there an example for the -PolicyMetadata parameter of the New-AdfsAccessControlPolicy cmdlet?

    I didn't find one in the following MS docs:

    new-adfsaccesscontrolpolicy

    By running these commands...

    $PolicyMetadata = @"
    RequireFreshAuthentication:False
    IssuanceAuthorizationRules: 
    { 
     Permit users 
        with 'http://company.com/memberOf' claim contains 'adfs-allow' in the request;
    } 
    "@
    
    New-AdfsAccessControlPolicy -Name app1_access -PolicyMetadata $PolicyMetadata

    ... I get the following error message:

    New-AdfsAccessControlPolicy : Cannot bind parameter 'PolicyMetadata'. Cannot convert value "Permit users 
        with 'http://company.com/memberOf' claim contains 'adfs-yes' in the request;" to type 
    "Microsoft.IdentityServer.PolicyModel.Configuration.PolicyTemplate.PolicyMetadata". Error: "There was an error deserializing the 
    object of type Microsoft.IdentityServer.PolicyModel.Configuration.PolicyTemplate.PolicyMetadata. Data at the root level is invalid. 
    Line 1, position 1."
    At line:6 char:76
    + ... Name web3.extranet.sachsen.de -PolicyMetadata $PolicyMetadata -Whatif
    +                                                   ~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [New-AdfsAccessControlPolicy], ParameterBindingException
        + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.IdentityServer.Management.Commands.NewPolicyTemplateCommand


    Monday, October 9, 2017 11:42 AM

Answers

  • I also did some research and wrote this up - refer to ADFS : PowerShell cmdlet - parameter PolicyMetadata.

    • Marked as answer by 1.FreddyD Wednesday, October 11, 2017 4:46 AM
    Tuesday, October 10, 2017 8:09 PM
  • I've figured it out.

    Here are the steps for creating an AdfsAccessControlPolicy (ACP) via PowerShell:

    1. Create an ACP via the GUI as a template

    2. Get the PolicyMetadata XML content:

    (Get-AdfsAccessControlPolicy -name "Example Policy created in GUI").PolicyMetadata | Out-GridView -PassThru | Export-Csv -Path c:\adfs_acp.csv

    3. Extract the needed XML data from c:\adfs_acp.csv

    You only need the data between <PolicyMetadata...> and </PolicyMetadata>. There are also some doubled quotes '""'; you have to find them and make them '"'.

    In my case it was:

    <PolicyMetadata xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2012/04/ADFS">
      <RequireFreshAuthentication>false</RequireFreshAuthentication>
      <IssuanceAuthorizationRules>
        <Rule>
          <Conditions>
            <Condition i:type="SpecificClaimCondition">
              <ClaimType>http://schemas.xmlsoap.org/claims/Group</ClaimType>
              <Operator>StartsWith</Operator>
              <Values>
                <Value>Domain\\adfs-allowed</Value>
              </Values>
            </Condition>
          </Conditions>
        </Rule>
      </IssuanceAuthorizationRules>
    </PolicyMetadata>

    Here is the whole "script":

    $PolicyMetadata = @"
    <PolicyMetadata xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2012/04/ADFS">
      <RequireFreshAuthentication>false</RequireFreshAuthentication>
      <IssuanceAuthorizationRules>
        <Rule>
          <Conditions>
            <Condition i:type="SpecificClaimCondition">
              <ClaimType>http://schemas.xmlsoap.org/claims/Group</ClaimType>
              <Operator>StartsWith</Operator>
              <Values>
                <Value>Domain\\adfs-allowed</Value>
              </Values>
            </Condition>
          </Conditions>
        </Rule>
      </IssuanceAuthorizationRules>
    </PolicyMetadata>
    "@
    
    New-AdfsAccessControlPolicy -Name app1_access -PolicyMetadata $PolicyMetadata

    • Marked as answer by 1.FreddyD Tuesday, October 10, 2017 11:00 AM
    Tuesday, October 10, 2017 10:59 AM
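As an added example (not code from this thread or from Microsoft), a PowerShell function that generates the PolicyMetadata XML from parameters instead of extracting it by hand from a CSV, and checks that the result parses before handing it to the cmdlet. The element names, namespaces, claim type and StartsWith operator are the ones shown in the accepted answer; the function name, its parameters and the sample group value are assumptions.

```powershell
# Added example, not code from the thread. Builds the PolicyMetadata XML that
# New-AdfsAccessControlPolicy expects from plain parameters, using the element
# names and namespaces from the accepted answer, then parses it back before use.
function New-AcpPolicyMetadataXml {
    param(
        [Parameter(Mandatory)] [string]   $ClaimType,
        [Parameter(Mandatory)] [string[]] $Values,
        [string] $Operator = 'StartsWith',          # operator used in the thread
        [bool]   $RequireFreshAuthentication = $false
    )
    $ns  = 'http://schemas.datacontract.org/2012/04/ADFS'
    $nsi = 'http://www.w3.org/2001/XMLSchema-instance'
    $sb  = [System.Text.StringBuilder]::new()
    $settings = [System.Xml.XmlWriterSettings]::new()
    $settings.Indent = $true
    $settings.OmitXmlDeclaration = $true
    $w = [System.Xml.XmlWriter]::Create($sb, $settings)
    $w.WriteStartElement('PolicyMetadata', $ns)           # emits xmlns="...ADFS"
    $w.WriteAttributeString('xmlns', 'i', $null, $nsi)    # emits xmlns:i="..."
    # DataContract booleans serialise as lowercase true/false
    $w.WriteElementString('RequireFreshAuthentication', $ns,
                          $RequireFreshAuthentication.ToString().ToLower())
    $w.WriteStartElement('IssuanceAuthorizationRules', $ns)
    $w.WriteStartElement('Rule', $ns)
    $w.WriteStartElement('Conditions', $ns)
    $w.WriteStartElement('Condition', $ns)
    $w.WriteAttributeString('i', 'type', $nsi, 'SpecificClaimCondition')
    $w.WriteElementString('ClaimType', $ns, $ClaimType)
    $w.WriteElementString('Operator', $ns, $Operator)
    $w.WriteStartElement('Values', $ns)
    # XmlWriter escapes &, < and > so a group name cannot break the document
    foreach ($v in $Values) { $w.WriteElementString('Value', $ns, $v) }
    1..6 | ForEach-Object { $w.WriteEndElement() }    # close Values..PolicyMetadata
    $w.Close()
    return $sb.ToString()
}

# Constructed sample input; the claim type is the one shown in the thread.
$meta = New-AcpPolicyMetadataXml -ClaimType 'http://schemas.xmlsoap.org/claims/Group' `
                                 -Values 'Domain\adfs-allowed'
# Parse it back first: a non-XML string fails here with a clear parser message
# instead of the cmdlet's "Data at the root level is invalid" binding error.
$doc = [xml]$meta
if ($doc.DocumentElement.NamespaceURI -ne 'http://schemas.datacontract.org/2012/04/ADFS') {
    throw 'PolicyMetadata root element is not in the ADFS data-contract namespace'
}

New-AdfsAccessControlPolicy -Name 'app1_access' -PolicyMetadata $meta -WhatIf
# Drop -WhatIf to create the policy, then confirm with:
# (Get-AdfsAccessControlPolicy -Name 'app1_access').PolicyMetadata
```

Running the script with -WhatIf first shows the cmdlet accepts the generated XML without changing the farm; the final Get-AdfsAccessControlPolicy call lets you compare the stored rule with the one the GUI-created template displays.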

All replies

  • Do a:

    Get-AdfsAccessControlPolicy

    and compare formats.

    One thing I note is that there is no ";"

    Monday, October 9, 2017 6:34 PM
  • Hi nzpcmad1,

    thanks for your reply!

    If I run a "Get-AdfsAccessControlPolicy" I get:

    Name           : Permit Specific Group from external Forest
    Identifier     : SpecificgroupfromexternalForest
    IsBuiltIn      : False
    RpUsageCount   : 1
    LastUpdateTime : 10/9/2017 3:34:00 PM
    Description    :
    PolicyMetadata : RequireFreshAuthentication:False
                     IssuanceAuthorizationRules:
                     {
                       Permit users
                         with 'http://schemas.xmlsoap.org/claims/Group' claim contains 'adfs-allowed' in the request
                     }
    AssignedTo     : {sampapp}

    So I edited my "script" like this:

    $PolicyMetadata = @"
    RequireFreshAuthentication:False
    IssuanceAuthorizationRules: 
    { 
     Permit users 
        with 'http://company.com/memberOf' claim contains 'adfs-allowed' in the request
    } 
    "@
    
    New-AdfsAccessControlPolicy -Name app1_access -PolicyMetadata $PolicyMetadata

    but I still get this error:

    New-AdfsAccessControlPolicy : Cannot bind parameter 'PolicyMetadata'. Cannot convert value "RequireFreshAuthentication:False
    IssuanceAuthorizationRules: 
    { 
     Permit users 
        with 'http://company.com/memberOf' claim contains 'adfs-allow' in the request
    } " to type "Microsoft.IdentityServer.PolicyModel.Configuration.PolicyTemplate.PolicyMetadata". Error: "There was an error 
    deserializing the object of type Microsoft.IdentityServer.PolicyModel.Configuration.PolicyTemplate.PolicyMetadata. Data at the root 
    level is invalid. Line 1, position 1."
    At line:10 char:63
    + ... AccessControlPolicy -Name app1_access -PolicyMetadata $PolicyMetadata
    +                                                           ~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [New-AdfsAccessControlPolicy], ParameterBindingException
        + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.IdentityServer.Management.Commands.NewPolicyTemplateCommand

    Tuesday, October 10, 2017 8:07 AM
  • Thanks! 
    Wednesday, October 11, 2017 4:49 AM