ADFS 2016 - New-AdfsAccessControlPolicy -PolicyMetadata Example

Question
-
Is there an example for the -PolicyMetadata parameter of the New-AdfsAccessControlPolicy cmdlet?
I didn't find one in the following ms docs
By running these commands...
$PolicyMetadata = @"
RequireFreshAuthentication:False
IssuanceAuthorizationRules:
{
Permit users with 'http://company.com/memberOf' claim contains 'adfs-allow' in the request;
}
"@
New-AdfsAccessControlPolicy -Name app1_access -PolicyMetadata $PolicyMetadata
.. I get the following error message
New-AdfsAccessControlPolicy : Cannot bind parameter 'PolicyMetadata'. Cannot convert value "Permit users with 'http://company.com/memberOf' claim contains 'adfs-yes' in the request;" to type "Microsoft.IdentityServer.PolicyModel.Configuration.PolicyTemplate.PolicyMetadata". Error: "There was an error deserializing the object of type Microsoft.IdentityServer.PolicyModel.Configuration.PolicyTemplate.PolicyMetadata. Data at the root level is invalid. Line 1, position 1."
At line:6 char:76
+ ... Name web3.extranet.sachsen.de -PolicyMetadata $PolicyMetadata -Whatif
+                                   ~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [New-AdfsAccessControlPolicy], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.IdentityServer.Management.Commands.NewPolicyTemplateCommand
Monday, October 9, 2017 11:42 AM
Answers
-
I also did some research and wrote this up - refer ADFS : PowerShell cmdlet - parameter PolicyMetadata.
- Marked as answer by 1.FreddyD Wednesday, October 11, 2017 4:46 AM
Tuesday, October 10, 2017 8:09 PM -
I've figured it out.
Here are the steps for creating an AdfsAccessControlPolicy (ACP) via PowerShell:
1. Create an ACP via the GUI as a template.
2. Get the PolicyMetadata XML content:
(Get-AdfsAccessControlPolicy -name "Example Policy created in GUI").PolicyMetadata | Out-GridView -PassThru | Export-Csv -Path c:\adfs_acp.csv
3. Extract the needed XML data from c:\adfs_acp.csv.
You only need the data between <PolicyMetadata...> and </PolicyMetadata>. There are also some doubled quotes '""'; you have to find them and make them '"'.
In my case it was:
<PolicyMetadata xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2012/04/ADFS">
  <RequireFreshAuthentication>false</RequireFreshAuthentication>
  <IssuanceAuthorizationRules>
    <Rule>
      <Conditions>
        <Condition i:type="SpecificClaimCondition">
          <ClaimType>http://schemas.xmlsoap.org/claims/Group</ClaimType>
          <Operator>StartsWith</Operator>
          <Values>
            <Value>Domain\\adfs-allowed</Value>
          </Values>
        </Condition>
      </Conditions>
    </Rule>
  </IssuanceAuthorizationRules>
</PolicyMetadata>
Here is the whole "script":
$PolicyMetadata = @"
<PolicyMetadata xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2012/04/ADFS">
  <RequireFreshAuthentication>false</RequireFreshAuthentication>
  <IssuanceAuthorizationRules>
    <Rule>
      <Conditions>
        <Condition i:type="SpecificClaimCondition">
          <ClaimType>http://schemas.xmlsoap.org/claims/Group</ClaimType>
          <Operator>StartsWith</Operator>
          <Values>
            <Value>Domain\\adfs-allowed</Value>
          </Values>
        </Condition>
      </Conditions>
    </Rule>
  </IssuanceAuthorizationRules>
</PolicyMetadata>
"@
New-AdfsAccessControlPolicy -Name app1_access -PolicyMetadata $PolicyMetadata
- Marked as answer by 1.FreddyD Tuesday, October 10, 2017 11:00 AM
Tuesday, October 10, 2017 10:59 AM
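The procedure above pastes the captured XML by hand, which works until a claim value contains an XML-significant character such as '&' or '<'. The following script is an added example (not code from this thread or from Microsoft): it builds the same data-contract XML from parameters, using only the elements and namespaces shown in the accepted answer, escapes the values, checks that the result is well-formed, and then calls New-AdfsAccessControlPolicy with -WhatIf unless -Apply is given. The parameter defaults, the helper function names and the -Apply switch are assumptions; -Name, -PolicyMetadata and -WhatIf are the cmdlet flags used in the thread.

```powershell
<#
  Added example, not from the thread. Generates the PolicyMetadata XML that
  New-AdfsAccessControlPolicy expects and creates an ACP from it.
  Assumes an elevated PowerShell session on an AD FS 2016 server with the
  ADFS module loaded. All default values below are illustrative placeholders.
#>
param(
    [string]   $PolicyName = 'app1_access',
    [string]   $ClaimType  = 'http://schemas.xmlsoap.org/claims/Group',
    [string]   $Operator   = 'StartsWith',
    [string[]] $Values     = @('Domain\adfs-allowed'),   # use the value your own GUI policy shows
    [bool]     $RequireFreshAuthentication = $false,
    [switch]   $Apply      # without -Apply the cmdlet is only run with -WhatIf
)

function New-AcpPolicyMetadataXml {
    # Emits the elements in the same order as the XML captured from a GUI-created policy.
    param([string]$ClaimType, [string]$Operator, [string[]]$Values, [bool]$RequireFreshAuthentication)

    $ns  = 'http://schemas.datacontract.org/2012/04/ADFS'
    $xsi = 'http://www.w3.org/2001/XMLSchema-instance'
    $fresh = $RequireFreshAuthentication.ToString().ToLower()   # "true" / "false"

    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine("<PolicyMetadata xmlns:i=`"$xsi`" xmlns=`"$ns`">")
    [void]$sb.AppendLine("  <RequireFreshAuthentication>$fresh</RequireFreshAuthentication>")
    [void]$sb.AppendLine("  <IssuanceAuthorizationRules>")
    [void]$sb.AppendLine("    <Rule>")
    [void]$sb.AppendLine("      <Conditions>")
    [void]$sb.AppendLine("        <Condition i:type=`"SpecificClaimCondition`">")
    [void]$sb.AppendLine("          <ClaimType>$([System.Security.SecurityElement]::Escape($ClaimType))</ClaimType>")
    [void]$sb.AppendLine("          <Operator>$([System.Security.SecurityElement]::Escape($Operator))</Operator>")
    [void]$sb.AppendLine("          <Values>")
    foreach ($v in $Values) {
        # Escape & < > " ' so a group name cannot break or alter the document.
        $safe = [System.Security.SecurityElement]::Escape($v)
        [void]$sb.AppendLine("            <Value>$safe</Value>")
    }
    [void]$sb.AppendLine("          </Values>")
    [void]$sb.AppendLine("        </Condition>")
    [void]$sb.AppendLine("      </Conditions>")
    [void]$sb.AppendLine("    </Rule>")
    [void]$sb.AppendLine("  </IssuanceAuthorizationRules>")
    [void]$sb.AppendLine("</PolicyMetadata>")
    return $sb.ToString()
}

function Test-AcpPolicyMetadataXml {
    # Fails early with a readable message instead of the cmdlet's deserialization error.
    param([string]$Xml)
    $doc  = [xml]$Xml                      # throws if the text is not well-formed XML
    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'PolicyMetadata' -or
        $root.NamespaceURI -ne 'http://schemas.datacontract.org/2012/04/ADFS') {
        throw "Unexpected root element '$($root.Name)' in PolicyMetadata"
    }
    if (-not $doc.PolicyMetadata.IssuanceAuthorizationRules.Rule.Conditions.Condition.Values.Value) {
        throw "PolicyMetadata contains no claim value; refusing to create an empty rule"
    }
    return $true
}

$metadata = New-AcpPolicyMetadataXml -ClaimType $ClaimType -Operator $Operator `
                                     -Values $Values -RequireFreshAuthentication $RequireFreshAuthentication
$null = Test-AcpPolicyMetadataXml -Xml $metadata
Write-Host "PolicyMetadata to be submitted:`n$metadata"

# Do not silently replace an existing policy that relying parties may already use.
if (Get-AdfsAccessControlPolicy -Name $PolicyName -ErrorAction SilentlyContinue) {
    throw "An access control policy named '$PolicyName' already exists"
}

if ($Apply) {
    New-AdfsAccessControlPolicy -Name $PolicyName -PolicyMetadata $metadata
    # Read the policy back in the cmdlet's display form to confirm the rule says what was intended.
    (Get-AdfsAccessControlPolicy -Name $PolicyName).PolicyMetadata
} else {
    New-AdfsAccessControlPolicy -Name $PolicyName -PolicyMetadata $metadata -WhatIf
}
```

Run it once without -Apply and compare the printed XML with the output of Get-AdfsAccessControlPolicy for a GUI-created policy; the element order and both namespace declarations have to match, because the cmdlet deserializes the string as a data contract and reports any mismatch only as "Data at the root level is invalid".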
All replies
-
Do a:
Get-AdfsAccessControlPolicy
and compare formats.
One thing I note is that there is no ";"
Monday, October 9, 2017 6:34 PM -
Hi nzpcmad1,
thanks for your reply!
If I run a "Get-AdfsAccessControlPolicy" I get:
Name           : Permit Specific Group from external Forest
Identifier     : SpecificgroupfromexternalForest
IsBuiltIn      : False
RpUsageCount   : 1
LastUpdateTime : 10/9/2017 3:34:00 PM
Description    :
PolicyMetadata : RequireFreshAuthentication:False
                 IssuanceAuthorizationRules:
                 {
                 Permit users with 'http://schemas.xmlsoap.org/claims/Group' claim contains 'adfs-allowed' in the request
                 }
AssignedTo     : {sampapp}
So I edited my "script" like this:
$PolicyMetadata = @"
RequireFreshAuthentication:False
IssuanceAuthorizationRules:
{
Permit users with 'http://company.com/memberOf' claim contains 'adfs-allowed' in the request
}
"@
New-AdfsAccessControlPolicy -Name app1_access -PolicyMetadata $PolicyMetadata
but I still get this error:
New-AdfsAccessControlPolicy : Cannot bind parameter 'PolicyMetadata'. Cannot convert value "RequireFreshAuthentication:False IssuanceAuthorizationRules: { Permit users with 'http://company.com/memberOf' claim contains 'adfs-allow' in the request } " to type "Microsoft.IdentityServer.PolicyModel.Configuration.PolicyTemplate.PolicyMetadata". Error: "There was an error deserializing the object of type Microsoft.IdentityServer.PolicyModel.Configuration.PolicyTemplate.PolicyMetadata. Data at the root level is invalid. Line 1, position 1."
At line:10 char:63
+ ... AccessControlPolicy -Name app1_access -PolicyMetadata $PolicyMetadata
+                                           ~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [New-AdfsAccessControlPolicy], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.IdentityServer.Management.Commands.NewPolicyTemplateCommand
Tuesday, October 10, 2017 8:07 AM -
Thanks!
Wednesday, October 11, 2017 4:49 AM