ADFS PowerShell:使用 IssuanceTransformRules 中的 RuleTemplate 编写 Web API (Add-AdfsWebApiApplication) 脚本
ADFS PowerShell: Scripting Web API (Add-AdfsWebApiApplication) with RuleTemplate in IssuanceTransformRules
我已经使用 ADFS MMC 定义了一个 ADFS 应用程序组。我想创建一个部署脚本。我已经使用 New-AdfsApplicationGroup 和 Add-AdfsNativeClientApplication 成功编写了脚本。接下来我想编写 Web 脚本 API。查看 Get-AdfsWebApiApplication 的输出,我看到以下 IssuanceTransformRules。该规则已命名并引用了一个模板。
@RuleTemplate = "LdapClaims"
@RuleName = "2"
c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query =
";mail,sAMAccountName,userPrincipalName;{0}", param = c.Value);
我将其编写为:
Add-AdfsWebApiApplication -Name "My Web API" -AllowedClientTypes 6 -ApplicationGroupIdentifier "MyApp" -IssueOAuthRefreshTokensTo 2 -TokenLifetime 7 -Identifier {https://apphost/myapp/api/} -IssuanceTransformRules '@RuleTemplate = "LdapClaims", @RuleName = "2", c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,sAMAccountName,userPrincipalName;{0}", param = c.Value);'
这会导致以下错误。
Parser error: 'POLICY0030: Syntax error, unexpected COMMA, expecting
one of the following: O_SQ_BRACKET IDENTIFIER NOT AT IMPLY .' At
line:1 char:1
+ Add-AdfsWebApiApplication -Name "My Web API" -AllowedClientTypes ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo :InvalidData: (@RuleTemplate =...ram = c.Value);:String) [Add-AdfsWebApiApplication],
PolicyValidationException
+ FullyQualifiedErrorId: POLICY0002.Microsoft.IdentityServer.Management.Commands.Add-AdfsWebApiApplicationCommand
同时删除@RuleTemplate 和@RuleName,以下命令成功执行但生成了一个自定义规则,该规则无法使用为 LDAP 属性和传出声明类型提供下拉列表的图形模板进行编辑。
Add-AdfsWebApiApplication -Name "My Web API" -AllowedClientTypes 6 -ApplicationGroupIdentifier "MyApp" -IssueOAuthRefreshTokensTo 2 -TokenLifetime 7 -Identifier {https://apphost/myapp/api/} -IssuanceTransformRules 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,sAMAccountName,userPrincipalName;{0}", param = c.Value);'
有人可以建议在脚本中包含名称或模板的方法吗?
如果您将转换声明数据包含在一个变量中,然后在您的 cmdlet 中引用变量会怎样?
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "2"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,sAMAccountName,userPrincipalName;{0}", param = c.Value);
"@
Add-AdfsWebApiApplication -Name "My Web API" -AllowedClientTypes 6 -ApplicationGroupIdentifier "MyApp" -IssueOAuthRefreshTokensTo 2 -TokenLifetime 7 -Identifier {https://apphost/myapp/api/} -IssuanceTransformRules $transformRules
我已经使用 ADFS MMC 定义了一个 ADFS 应用程序组。我想创建一个部署脚本。我已经使用 New-AdfsApplicationGroup 和 Add-AdfsNativeClientApplication 成功编写了脚本。接下来我想编写 Web 脚本 API。查看 Get-AdfsWebApiApplication 的输出,我看到以下 IssuanceTransformRules。该规则已命名并引用了一个模板。
@RuleTemplate = "LdapClaims"
@RuleName = "2"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,sAMAccountName,userPrincipalName;{0}", param = c.Value);
我将其编写为:
Add-AdfsWebApiApplication -Name "My Web API" -AllowedClientTypes 6 -ApplicationGroupIdentifier "MyApp" -IssueOAuthRefreshTokensTo 2 -TokenLifetime 7 -Identifier {https://apphost/myapp/api/} -IssuanceTransformRules '@RuleTemplate = "LdapClaims", @RuleName = "2", c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,sAMAccountName,userPrincipalName;{0}", param = c.Value);'
这会导致以下错误。
Parser error: 'POLICY0030: Syntax error, unexpected COMMA, expecting one of the following: O_SQ_BRACKET IDENTIFIER NOT AT IMPLY .' At line:1 char:1 + Add-AdfsWebApiApplication -Name "My Web API" -AllowedClientTypes ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo :InvalidData: (@RuleTemplate =...ram = c.Value);:String) [Add-AdfsWebApiApplication], PolicyValidationException + FullyQualifiedErrorId: POLICY0002.Microsoft.IdentityServer.Management.Commands.Add-AdfsWebApiApplicationCommand
同时删除@RuleTemplate 和@RuleName,以下命令成功执行但生成了一个自定义规则,该规则无法使用为 LDAP 属性和传出声明类型提供下拉列表的图形模板进行编辑。
Add-AdfsWebApiApplication -Name "My Web API" -AllowedClientTypes 6 -ApplicationGroupIdentifier "MyApp" -IssueOAuthRefreshTokensTo 2 -TokenLifetime 7 -Identifier {https://apphost/myapp/api/} -IssuanceTransformRules 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,sAMAccountName,userPrincipalName;{0}", param = c.Value);'
有人可以建议在脚本中包含名称或模板的方法吗?
如果您将转换声明数据包含在一个变量中,然后在您的 cmdlet 中引用变量会怎样?
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "2"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,sAMAccountName,userPrincipalName;{0}", param = c.Value);
"@
Add-AdfsWebApiApplication -Name "My Web API" -AllowedClientTypes 6 -ApplicationGroupIdentifier "MyApp" -IssueOAuthRefreshTokensTo 2 -TokenLifetime 7 -Identifier {https://apphost/myapp/api/} -IssuanceTransformRules $transformRules