Tuesday, November 20, 2012

ADFS export and import claim transformation rules

Moving to AD FS it is wise to prepare to lab to test the whole infrastructure and then move to the production. One of the most frustrating things you will have to do is the claim transformation rules that you will have to setup between all Claims Providers and the Relying parties. Fortunately instead of using the UI and adding the rules one by one, you can setup only one and the export and import the claims rules to the rest of the parties.

Let’s say you are in the resource forest’s AD FS and lets say that you have a claims provider named “account forest AD FS”.


You should click on the “Edit Claim Rules…” link on the right panel and setup the rules that would propagate the appropriate claims for you applications. For example, I have selected to pass through the following claims:


Now if you later on have to add another claims provider (e.g. “new AD FS”), then you can export the rules from the existing one and apply them to the new one via power shell. Fire up a power shell in the ADFS server and make sure that you have Microsoft.Adfs.Powershell loaded otherwise load it via Add-PsSnapin Microsoft.Adfs.Powershell.

The next is to export the claim rules of the old ADFS setup giving the following command:

(Get-AdfsClaimsProviderTrust -Name "account forest AD FS").AcceptanceTransformRules | Out-File “C:\claimsProviderRules.txt”

And then import them to the new provider:

Set-AdfsClaimsProviderTrust -TargetName "new AD FS" -AcceptanceTransformRulesFile “C:\claimsProviderRules.txt”

This should set the same rules to your newly trusted claims provider. The same process applies for the relying party claims. This means that you can export the rules you have in you lad and apply them to your production directly. The export and import commands for an application named “MyCoolApp” are the following:

(Get-AdfsRelyingPartyTrust -Name "MyCoolApp").IssuanceTransformRules | Out-File "C:\MyCoolAppTransformRules.txt"

Set-AdfsRelyingPartyTrust -TargetName "MyCoolApp" -IssuanceTransformRulesFile "C:\MyCoolAppTransformRules.txt"

Further to the transformation rules, you might want to also export and import the issuance authorization rules (IssuanceAuthorizationRules )  and the delegation authorization rules (DelegationAuthorizationRules), modifying the parameters accordingly.

1 comment:

Anonymous said...

This was great :-) How can I export/import my custom claim descriptions?