
ADFS PowerShell: scripting a Web API with a RuleTemplate in IssuanceTransformRules (Add-AdfsWebApiApplication)

  • BillVo  · 5 years ago

    I have defined an ADFS application group using the ADFS MMC. I want to create a script for deployment. I have successfully scripted New-AdfsApplicationGroup and added the native client with Add-AdfsNativeClientApplication. Next I want to script the Web API. Looking at the output of Get-AdfsWebApiApplication, I see the following IssuanceTransformRules. The rule is named and references a template.

    @RuleTemplate = "LdapClaims"
    @RuleName = "2"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,sAMAccountName,userPrincipalName;{0}", param = c.Value);

    My script is:

    Add-AdfsWebApiApplication -Name "My Web API" -AllowedClientTypes 6 -ApplicationGroupIdentifier "MyApp" -IssueOAuthRefreshTokensTo 2 -TokenLifetime 7 -Identifier {https://apphost/myapp/api/} -IssuanceTransformRules '@RuleTemplate = "LdapClaims", @RuleName = "2", c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,sAMAccountName,userPrincipalName;{0}", param = c.Value);'
    

    This results in the following error.

    Parser error: 'POLICY0030: Syntax error, unexpected 'COMMA', expecting one of the following: 'O_SQ_BRACKET' 'IDENTIFIER' 'NOT' 'IMPLY'.'
    At line:1 char:1
    + Add-AdfsWebApiApplication -Name "My Web API" -AllowedClientTypes ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidData: (@RuleTemplate = ...ram = c.Value);:String) [Add-AdfsWebApiApplication], PolicyValidationException
        + FullyQualifiedErrorId : POLICY0002,Microsoft.IdentityServer.Management.Commands.AddAdfsWebApiApplicationCommand

    After removing @RuleTemplate and @RuleName, the following command succeeds, but it produces a custom rule that cannot be edited with the graphical template, which provides drop-down lists for the LDAP attributes and outgoing claim types.

    Add-AdfsWebApiApplication -Name "My Web API" -AllowedClientTypes 6 -ApplicationGroupIdentifier "MyApp" -IssueOAuthRefreshTokensTo 2 -TokenLifetime 7 -Identifier {https://apphost/myapp/api/} -IssuanceTransformRules 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,sAMAccountName,userPrincipalName;{0}", param = c.Value);'
    

    Does anyone have a suggestion for including the rule name or template in the script?

    1 Answer

  •   AdminOfThings    5 years ago

    $transformRules = @"
    @RuleTemplate = "LdapClaims"
    
    @RuleName = "2"
    
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    
    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,sAMAccountName,userPrincipalName;{0}", param = c.Value);
    "@
    
    Add-AdfsWebApiApplication -Name "My Web API" -AllowedClientTypes 6 -ApplicationGroupIdentifier "MyApp" -IssueOAuthRefreshTokensTo 2 -TokenLifetime 7 -Identifier {https://apphost/myapp/api/} -IssuanceTransformRules $transformRules
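
    The answer works because the @RuleTemplate and @RuleName annotations are line-oriented: each must end at a newline, and joining them to the rule body with commas on a single line is exactly what the parser reports as an unexpected COMMA. The script below is an added example, not code from the question or the answer. It generalises the here-string approach into a small helper that emits a template-annotated "Send LDAP Attributes as Claims" rule from an attribute-to-claim map, deploys it idempotently, and reads the stored rules back to confirm the template annotation survived (so the rule stays editable in the MMC). The helper name New-AdfsLdapClaimsRule, the rule name, the attribute map and the application group "MyApp" are assumptions for illustration; Add-AdfsWebApiApplication, Set-AdfsWebApiApplication and Get-AdfsWebApiApplication are the real ADFS cmdlets. Only the rule-related parameters are set; the client-type and token-lifetime parameters from the question can be added unchanged.

```powershell
# Added example (not from the original question or answer). Assumes the ADFS
# PowerShell module is available on a federation server, the application group
# "MyApp" already exists, and the session runs as an ADFS administrator.
# New-AdfsLdapClaimsRule is a helper defined here, not an ADFS cmdlet.

function New-AdfsLdapClaimsRule {
    # Emits one issuance rule in the same shape the MMC "Send LDAP Attributes
    # as Claims" template writes. Each @ annotation sits on its own line and is
    # followed by a newline, never a comma, so the ADFS policy parser accepts it
    # and the GUI still recognises the template.
    param(
        [Parameter(Mandatory)] [string] $RuleName,
        # Ordered map of LDAP attribute name -> outgoing claim type URI.
        [Parameter(Mandatory)] [System.Collections.Specialized.OrderedDictionary] $AttributeMap
    )

    $ldapAttributes = $AttributeMap.Keys -join ','
    $claimTypes     = ($AttributeMap.Values | ForEach-Object { '"{0}"' -f $_ }) -join ', '

    # The literal "{0}" in the LDAP query is substituted by ADFS with the incoming
    # claim value at runtime. It is built by concatenation so that PowerShell's -f
    # operator never treats it as a format placeholder.
    $query = ';' + $ldapAttributes + ';{0}'

    $lines = @(
        '@RuleTemplate = "LdapClaims"'
        ('@RuleName = "{0}"' -f $RuleName)
        'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]'
        (' => issue(store = "Active Directory", types = ({0}), query = "{1}", param = c.Value);' -f $claimTypes, $query)
    )
    return ($lines -join "`r`n")
}

# Constructed attribute map matching the rule shown in the question.
$attributeMap = [ordered]@{
    'mail'              = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    'sAMAccountName'    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
    'userPrincipalName' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
}
$rules = New-AdfsLdapClaimsRule -RuleName 'LDAP attributes for My Web API' -AttributeMap $attributeMap

$params = @{
    Name                       = 'My Web API'
    ApplicationGroupIdentifier = 'MyApp'
    # Passed as a plain string; the {https://...} form in the question is parsed
    # by PowerShell as a script block literal and only works by accident.
    Identifier                 = 'https://apphost/myapp/api/'
    IssuanceTransformRules     = $rules
}

# Idempotent deployment: create the Web API on first run, otherwise update the
# rules in place so the script can be re-run safely.
if (Get-AdfsWebApiApplication -Name $params.Name -ErrorAction SilentlyContinue) {
    Set-AdfsWebApiApplication -TargetName $params.Name -IssuanceTransformRules $rules
} else {
    Add-AdfsWebApiApplication @params
}

# Read back and verify that ADFS stored the template annotation. Without it the
# rule is a custom rule and loses the drop-down editor in the MMC.
$stored = (Get-AdfsWebApiApplication -Name $params.Name).IssuanceTransformRules
if ($stored -notmatch '^@RuleTemplate = "LdapClaims"') {
    throw "IssuanceTransformRules were stored without the LdapClaims template annotation"
}
```

    If the same rule set is also pasted into a here-string as in the answer, prefer the single-quoted form (@' ... '@) so a $ inside a claim value or query is never expanded by PowerShell, and keep the closing '@ at the start of its line.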