Backup and Restore ADFS Relying Party

  • Question

  • Hi. I would like to set up a DEV ADFS Farm (Server 2012R2), then have the ability to export each relying party as it is in production and add it to the DEV farm. I have set up the new server for this purpose, and have used the same certificates and same service account. (Prod is also 2012R2, and using WID.) I just need the best way to export/import each relying party including all settings, certs, and claim rules. Can this be done?

    One at a time will work, but a way to script all relying parties to be backed up and restored to the standalone dev farm would be ideal.  I understand that the actual federations would not work without DNS changes, this is more for testing and possibly having a future DR farm.

    Thanks in advance for any help!

    Friday, February 26, 2016 7:01 PM

Answers

  • Hi Allen,

    I'd go for the scripting route. You already have your RPs working, so I'd just walk through and convert the claims rules into custom claims rules so that you can then invoke them as scriptable items when building your DEV RPs. Here's an example:

    # Create the trust from the RP's published federation metadata (identifiers, endpoints, certificates)
    Add-ADFSRelyingPartyTrust -Name "My RP" -MetadataURL "https://myrp.adomain.com/uri/metadata.xml"
    # Load the issuance transform rules from a plain-text claim rule file (MYRP.TXT below)
    Set-ADFSRelyingPartyTrust -TargetName "My RP" -IssuanceTransformRulesFile .\myrp.txt
    # Issuance authorization rule: permit every authenticated user to receive a token for this RP
    [string]$AuthZRule = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
    $ClaimRuleSet = New-ADFSClaimRuleSet -ClaimRule $AuthZRule
    Set-ADFSRelyingPartyTrust -TargetName "My RP" -IssuanceAuthorizationRules $ClaimRuleSet.ClaimRulesString

    MYRP.TXT
    --------
    @RuleName = "Transform"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
    


    http://blog.auth360.net

    Monday, February 29, 2016 9:40 PM
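    The question also asked for a way to back up all relying parties at once and restore them on the standalone DEV farm. The script below is an added example, not code from the thread or from the answer's author; it assumes an elevated PowerShell session on a Server 2012 R2 ADFS server with the ADFS module, and the folder paths and the function names Export-RpTrusts and Import-RpTrusts are placeholders. It writes each trust's claim rule sets, public certificates and scalar settings to a folder tree, then re-creates each trust on the DEV farm with Add-AdfsRelyingPartyTrust. Only the RP's public encryption and request-signing certificates are copied; no private key material leaves the farm, and the ADFS configuration database itself is not touched.

    ```powershell
    # Added example (not from the original thread). Assumed: ADFS administrator on Windows Server 2012 R2,
    # PowerShell 4.0, ADFS module present. Run Export-RpTrusts on PROD, copy the folder, run Import-RpTrusts on DEV.
    Import-Module ADFS

    function Export-RpTrusts {
        param([Parameter(Mandatory = $true)][string]$OutDir)   # placeholder output folder
        New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
        foreach ($rp in Get-AdfsRelyingPartyTrust) {
            $dir = Join-Path $OutDir ($rp.Name -replace '[^\w\.\-]', '_')
            New-Item -ItemType Directory -Path $dir -Force | Out-Null

            # Claim rule sets as plain text, one file each (an empty file means "no rules defined")
            Set-Content -Path (Join-Path $dir 'transform.rules')  -Value ([string]$rp.IssuanceTransformRules)
            Set-Content -Path (Join-Path $dir 'authz.rules')      -Value ([string]$rp.IssuanceAuthorizationRules)
            Set-Content -Path (Join-Path $dir 'delegation.rules') -Value ([string]$rp.DelegationAuthorizationRules)

            # Public certificates only: the RP's encryption cert and its request-signing certs, as DER .cer files
            if ($rp.EncryptionCertificate) {
                [IO.File]::WriteAllBytes((Join-Path $dir 'encryption.cer'), $rp.EncryptionCertificate.RawData)
            }
            $n = 0
            foreach ($cert in @($rp.RequestSigningCertificate | Where-Object { $_ })) {
                [IO.File]::WriteAllBytes((Join-Path $dir "signing$n.cer"), $cert.RawData); $n++
            }

            # Endpoints and scalar settings go to JSON; SAML endpoints are flattened so they round-trip
            $saml = @($rp.SamlEndpoints | Where-Object { $_ } | ForEach-Object {
                @{ Binding = $_.Binding; Protocol = $_.Protocol; Uri = $_.Location.AbsoluteUri
                   Index = $_.Index; IsDefault = $_.IsDefault }
            })
            $wsfed = $null; if ($rp.WSFedEndpoint) { $wsfed = $rp.WSFedEndpoint.AbsoluteUri }
            $meta  = $null; if ($rp.MetadataUrl)   { $meta  = $rp.MetadataUrl.AbsoluteUri }
            $settings = [ordered]@{
                Name = $rp.Name; Identifier = @($rp.Identifier); Enabled = $rp.Enabled
                WSFedEndpoint = $wsfed; SamlEndpoints = $saml; MetadataUrl = $meta
                ProtocolProfile = $rp.ProtocolProfile; SignatureAlgorithm = $rp.SignatureAlgorithm
                SamlResponseSignature = $rp.SamlResponseSignature; EncryptClaims = $rp.EncryptClaims
                SignedSamlRequestsRequired = $rp.SignedSamlRequestsRequired
                TokenLifetime = $rp.TokenLifetime; NotBeforeSkew = $rp.NotBeforeSkew; Notes = $rp.Notes
            }
            $settings | ConvertTo-Json -Depth 5 | Set-Content -Path (Join-Path $dir 'settings.json')
        }
    }

    function Import-RpTrusts {
        param([Parameter(Mandatory = $true)][string]$InDir, [switch]$KeepMonitoring)
        foreach ($dir in Get-ChildItem -Path $InDir -Directory) {
            $s = Get-Content -Raw -Path (Join-Path $dir.FullName 'settings.json') | ConvertFrom-Json
            if (Get-AdfsRelyingPartyTrust -Name $s.Name) {
                Write-Warning "Skipping '$($s.Name)': a trust with that name already exists"; continue
            }
            $p = @{
                Name = $s.Name; Identifier = [string[]]$s.Identifier; Enabled = [bool]$s.Enabled
                EncryptClaims = [bool]$s.EncryptClaims; SignedSamlRequestsRequired = [bool]$s.SignedSamlRequestsRequired
                TokenLifetime = [int]$s.TokenLifetime; NotBeforeSkew = [int]$s.NotBeforeSkew; Notes = [string]$s.Notes
                # DEV usually cannot reach the RP's metadata URL, and with monitoring on ADFS would try to
                # overwrite the imported settings from that metadata; keep both off unless explicitly asked
                MonitoringEnabled = [bool]$KeepMonitoring; AutoUpdateEnabled = [bool]$KeepMonitoring
            }
            foreach ($k in 'ProtocolProfile', 'SignatureAlgorithm', 'SamlResponseSignature') {
                if ($s.$k) { $p[$k] = $s.$k }      # pass string settings only when the export had a value
            }
            if ($KeepMonitoring -and $s.MetadataUrl) { $p.MetadataUrl = [Uri]$s.MetadataUrl }
            if ($s.WSFedEndpoint) { $p.WSFedEndpoint = [Uri]$s.WSFedEndpoint }
            $eps = @($s.SamlEndpoints | Where-Object { $_ } | ForEach-Object {
                New-AdfsSamlEndpoint -Binding $_.Binding -Protocol $_.Protocol -Uri $_.Uri -Index $_.Index -IsDefault $_.IsDefault
            })
            if ($eps.Count) { $p.SamlEndpoint = $eps }

            # Claim rule files: only pass a rule set that actually contains rules
            $map = @{ 'transform.rules'  = 'IssuanceTransformRules'; 'authz.rules' = 'IssuanceAuthorizationRules'
                      'delegation.rules' = 'DelegationAuthorizationRules' }
            foreach ($f in $map.Keys) {
                $text = Get-Content -Raw -Path (Join-Path $dir.FullName $f)
                if ($text -and $text.Trim()) { $p[$map[$f]] = $text }
            }

            # Rebuild certificate objects from the exported .cer files (public keys only)
            $enc = Join-Path $dir.FullName 'encryption.cer'
            if (Test-Path $enc) {
                $p.EncryptionCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $enc
            }
            $sig = @(Get-ChildItem -Path $dir.FullName -Filter 'signing*.cer' | ForEach-Object {
                New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $_.FullName })
            if ($sig.Count) { $p.RequestSigningCertificate = $sig }

            Add-AdfsRelyingPartyTrust @p
            Write-Host "Imported relying party '$($s.Name)'"
        }
    }

    # Usage (placeholder paths): on PROD  Export-RpTrusts -OutDir C:\rp-export
    #                            on DEV   Import-RpTrusts -InDir  C:\rp-export
    ```

    The exported .rules files are worth reading before they are imported: issuance and authorization rules frequently embed production group SIDs, e-mail suffixes or other identifiers that have no meaning on a standalone DEV farm, so a restored trust can silently authorize nobody, or the wrong people, until those values are adjusted. Keeping the export folder under the same access controls as the farm is also sensible, since the rule files describe exactly who gets which claims for each application.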

All replies

  • Thanks for the response, I will give this a try!
    Thursday, March 3, 2016 3:20 PM