Set-AdfsClaimsProviderTrust
Sets the properties of a claims provider trust.
Syntax
Set-AdfsClaimsProviderTrust
[-Name <String>]
[-Identifier <String>]
[-SignatureAlgorithm <String>]
[-TokenSigningCertificate <X509Certificate2[]>]
[-MetadataUrl <Uri>]
[-AcceptanceTransformRules <String>]
[-AcceptanceTransformRulesFile <String>]
[-AllowCreate <Boolean>]
[-AutoUpdateEnabled <Boolean>]
[-CustomMFAUri <Uri>]
[-SupportsMFA <Boolean>]
[-WSFedEndpoint <Uri>]
[-EncryptionCertificate <X509Certificate2>]
[-EncryptionCertificateRevocationCheck <String>]
[-MonitoringEnabled <Boolean>]
[-Notes <String>]
[-OrganizationalAccountSuffix <String[]>]
[-LookupForests <String[]>]
[-AlternateLoginID <String>]
[-Force]
[-ClaimOffered <ClaimDescription[]>]
[-SamlEndpoint <SamlEndpoint[]>]
[-ProtocolProfile <String>]
[-RequiredNameIdFormat <Uri>]
[-EncryptedNameIdRequired <Boolean>]
[-SignedSamlRequestsRequired <Boolean>]
[-SamlAuthenticationRequestIndex <UInt16>]
[-SamlAuthenticationRequestParameters <String>]
[-SamlAuthenticationRequestProtocolBinding <String>]
[-SigningCertificateRevocationCheck <String>]
[-PromptLoginFederation <PromptLoginFederation>]
[-PromptLoginFallbackAuthenticationType <String>]
[-AnchorClaimType <String>]
-TargetClaimsProviderTrust <ClaimsProviderTrust>
[-PassThru]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Set-AdfsClaimsProviderTrust
[-Name <String>]
[-Identifier <String>]
[-SignatureAlgorithm <String>]
[-TokenSigningCertificate <X509Certificate2[]>]
[-MetadataUrl <Uri>]
[-AcceptanceTransformRules <String>]
[-AcceptanceTransformRulesFile <String>]
[-AllowCreate <Boolean>]
[-AutoUpdateEnabled <Boolean>]
[-CustomMFAUri <Uri>]
[-SupportsMFA <Boolean>]
[-WSFedEndpoint <Uri>]
[-EncryptionCertificate <X509Certificate2>]
[-EncryptionCertificateRevocationCheck <String>]
[-MonitoringEnabled <Boolean>]
[-Notes <String>]
[-OrganizationalAccountSuffix <String[]>]
[-LookupForests <String[]>]
[-AlternateLoginID <String>]
[-Force]
[-ClaimOffered <ClaimDescription[]>]
[-SamlEndpoint <SamlEndpoint[]>]
[-ProtocolProfile <String>]
[-RequiredNameIdFormat <Uri>]
[-EncryptedNameIdRequired <Boolean>]
[-SignedSamlRequestsRequired <Boolean>]
[-SamlAuthenticationRequestIndex <UInt16>]
[-SamlAuthenticationRequestParameters <String>]
[-SamlAuthenticationRequestProtocolBinding <String>]
[-SigningCertificateRevocationCheck <String>]
[-PromptLoginFederation <PromptLoginFederation>]
[-PromptLoginFallbackAuthenticationType <String>]
[-AnchorClaimType <String>]
-TargetCertificate <X509Certificate2>
[-PassThru]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Set-AdfsClaimsProviderTrust
[-Name <String>]
[-Identifier <String>]
[-SignatureAlgorithm <String>]
[-TokenSigningCertificate <X509Certificate2[]>]
[-MetadataUrl <Uri>]
[-AcceptanceTransformRules <String>]
[-AcceptanceTransformRulesFile <String>]
[-AllowCreate <Boolean>]
[-AutoUpdateEnabled <Boolean>]
[-CustomMFAUri <Uri>]
[-SupportsMFA <Boolean>]
[-WSFedEndpoint <Uri>]
[-EncryptionCertificate <X509Certificate2>]
[-EncryptionCertificateRevocationCheck <String>]
[-MonitoringEnabled <Boolean>]
[-Notes <String>]
[-OrganizationalAccountSuffix <String[]>]
[-LookupForests <String[]>]
[-AlternateLoginID <String>]
[-Force]
[-ClaimOffered <ClaimDescription[]>]
[-SamlEndpoint <SamlEndpoint[]>]
[-ProtocolProfile <String>]
[-RequiredNameIdFormat <Uri>]
[-EncryptedNameIdRequired <Boolean>]
[-SignedSamlRequestsRequired <Boolean>]
[-SamlAuthenticationRequestIndex <UInt16>]
[-SamlAuthenticationRequestParameters <String>]
[-SamlAuthenticationRequestProtocolBinding <String>]
[-SigningCertificateRevocationCheck <String>]
[-PromptLoginFederation <PromptLoginFederation>]
[-PromptLoginFallbackAuthenticationType <String>]
[-AnchorClaimType <String>]
-TargetIdentifier <String>
[-PassThru]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Set-AdfsClaimsProviderTrust
[-Name <String>]
[-Identifier <String>]
[-SignatureAlgorithm <String>]
[-TokenSigningCertificate <X509Certificate2[]>]
[-MetadataUrl <Uri>]
[-AcceptanceTransformRules <String>]
[-AcceptanceTransformRulesFile <String>]
[-AllowCreate <Boolean>]
[-AutoUpdateEnabled <Boolean>]
[-CustomMFAUri <Uri>]
[-SupportsMFA <Boolean>]
[-WSFedEndpoint <Uri>]
[-EncryptionCertificate <X509Certificate2>]
[-EncryptionCertificateRevocationCheck <String>]
[-MonitoringEnabled <Boolean>]
[-Notes <String>]
[-OrganizationalAccountSuffix <String[]>]
[-LookupForests <String[]>]
[-AlternateLoginID <String>]
[-Force]
[-ClaimOffered <ClaimDescription[]>]
[-SamlEndpoint <SamlEndpoint[]>]
[-ProtocolProfile <String>]
[-RequiredNameIdFormat <Uri>]
[-EncryptedNameIdRequired <Boolean>]
[-SignedSamlRequestsRequired <Boolean>]
[-SamlAuthenticationRequestIndex <UInt16>]
[-SamlAuthenticationRequestParameters <String>]
[-SamlAuthenticationRequestProtocolBinding <String>]
[-SigningCertificateRevocationCheck <String>]
[-PromptLoginFederation <PromptLoginFederation>]
[-PromptLoginFallbackAuthenticationType <String>]
[-AnchorClaimType <String>]
-TargetName <String>
[-PassThru]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Description
The Set-AdfsClaimsProviderTrust cmdlet configures the trust relationship with a claims provider.
Examples
Example 1: Enable auto-update for a claims provider trust
PS C:\> Set-ADFSClaimsProviderTrust -TargetName "Fabrikam claims provider" -AutoUpdateEnabled $FalseThis command enables auto-update for the claims provider trust named Fabrikam claims provider.
Parameters
-AcceptanceTransformRules
Specifies the claim acceptance transform rules for accepting claims from this claims provider. These rules determine the information that is accepted from the partner represented by the claims provider trust.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-AcceptanceTransformRulesFile
Specifies a file that contains the claim acceptance transform rules for accepting claims from this claims provider.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AllowCreate
Indicates whether the Security Assertion Markup Language (SAML) parameter AllowCreate is sent in SAML requests to the claims provider. The default value is True.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AlternateLoginID
Specifies the LDAP name of the attribute that you want to use for login.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AnchorClaimType
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AutoUpdateEnabled
Indicates whether changes to the federation metadata by the MetadataURL parameter apply automatically to the configuration of the trust relationship. If this parameter has a value of $True, partner claims, certificates, and endpoints are updated automatically.
Note: When auto-update is enabled, fields that can be overwritten by metadata become read only.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ClaimOffered
Specifies an array of claims that are offered by this claims provider.
| Type: | ClaimDescription[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-CustomMFAUri
| Type: | Uri |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-EncryptedNameIdRequired
Indicates whether the relying party requires that the NameID claim be encrypted. This setting applies to SAML logout requests.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-EncryptionCertificate
Specifies the certificate to be used for encrypting a NameID to this claims provider in SAML logout requests. Encrypting the NameID is optional.
| Type: | X509Certificate2 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-EncryptionCertificateRevocationCheck
Specifies the type of validation that occurs for the encryption certificate before it is used for encrypting claims. The acceptable values for this parameter are:
- None
- CheckEndCert
- CheckEndCertCacheOnly
- CheckChain
- CheckChainCacheOnly
- CheckChainExcludeRoot
- CheckChainExcludeRootCacheOnly
| Type: | String |
| Accepted values: | CheckChain, CheckChainCacheOnly, CheckChainExcludeRoot, CheckChainExcludeRootCacheOnly, CheckEndCert, CheckEndCertCacheOnly, None |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Force
Forces the command to run without asking for user confirmation.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Identifier
Specifies the unique identifier for this claims provider trust. No other trust can use an identifier from this list. Uniform Resource Identifiers (URIs) are often used as unique identifiers for a claims provider trust, but you can use any string of characters.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-LookupForests
Specifies the forest DNS names that can be used to look up the AlternateLoginID.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-MetadataUrl
Specifies the URL at which the federation metadata for this claims provider trust is available.
| Type: | Uri |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-MonitoringEnabled
Indicates whether periodic monitoring of this claims provider's federation metadata is enabled. The URL of the claims provider's federation metadata is specified by the MetadataUrl parameter.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Name
Specifies the friendly name of this claims provider trust.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Notes
Specifies notes for this claims provider trust.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-OrganizationalAccountSuffix
Specifies a list of organizational account suffixes that an administrator can configure for the claims provider trust for Home Realm Discovery (HRD) scenarios.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-PassThru
Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-PromptLoginFallbackAuthenticationType
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-PromptLoginFederation
The acceptable values for this parameter are:
- None. Do not federate prompt=login request and error instead.
- FallbackToProtocolSpecificParameters. Translate prompt=login to wfresh=0 and Wauth=forms during federation. If wauth is present in the original request, it will be preserved.
- ForwardPromptAndHintsOverWsFederation. Forward prompt, login_hint, and domain_hint parameters during federation.
| Type: | PromptLoginFederation |
| Accepted values: | None, FallbackToProtocolSpecificParameters, ForwardPromptAndHintsOverWsFederation, Disabled |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ProtocolProfile
Specifies which protocol profiles the claims provider supports. The acceptable values for this parameter are:
- SAML
- WsFederation
- WsFed-SAML
By default, both SAML and WS-Federation protocols are supported.
| Type: | String |
| Accepted values: | WsFed-SAML, WSFederation, SAML |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-RequiredNameIdFormat
Specifies the format that is required for NameID claims to be included in SAML requests to the claims provider. By default, no format is required.
| Type: | Uri |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SamlAuthenticationRequestIndex
Specifies the value of AssertionConsumerServiceIndex that is placed in SAML authentication requests that are sent to the claims provider.
| Type: | UInt16 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SamlAuthenticationRequestParameters
Specifies which of the following parameters to use in SAML authentication requests to the claims provider: AssertionConsumerServiceIndex, AssertionConsumerServiceUrl, and ProtocolBinding. The acceptable values for this parameter are:
- None
- Index
- Url
- ProtocolBinding
- UrlWithProtocolBinding
| Type: | String |
| Accepted values: | Index, None, , ProtocolBinding, Url, UrlWithProtocolBinding |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SamlAuthenticationRequestProtocolBinding
Specifies the value of ProtocolBinding to place in SAML authentication requests to the claims provider. The acceptable values for this parameter are:
- Artifact
- POST
- Redirect
| Type: | String |
| Accepted values: | Artifact, , POST, Redirect |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SamlEndpoint
Specifies an array of SAML protocol endpoints for this claims provider.
| Type: | SamlEndpoint[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-SignatureAlgorithm
Specifies the signature algorithm that the claims provider uses for signing and verification. The acceptable values for this parameter are:
| Type: | String |
| Accepted values: | https://www.w3.org/2000/09/xmldsig#rsa-sha1, https://www.w3.org/2001/04/xmldsig-more#rsa-sha256 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignedSamlRequestsRequired
Indicates whether the Federation Service requires signed SAML protocol requests from the relying party. If you specify a value of $True, the Federation Service rejects unsigned SAML protocol requests.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SigningCertificateRevocationCheck
Specifies the type of certificate validation that occurs when signatures are verified on responses or assertions from the claims provider. The acceptable values for this parameter are:
- None
- CheckEndCert
- CheckEndCertCacheOnly
- CheckChain
- CheckChainCacheOnly
- CheckChainExcludeRoot
- CheckChainExcludeRootCacheOnly
| Type: | String |
| Accepted values: | CheckChain, CheckChainCacheOnly, CheckChainExcludeRoot, CheckChainExcludeRootCacheOnly, CheckEndCert, CheckEndCertCacheOnly, None |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SupportsMFA
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-TargetCertificate
Specifies the certificate of the claims provider trust that is modified by the cmdlet.
| Type: | X509Certificate2 |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-TargetClaimsProviderTrust
Specifies a ClaimsProviderTrust object. The cmdlet modifies the claims provider trust that you specify. To obtain a ClaimsProviderTrust object, use the Get-AdfsClaimsProviderTrust cmdlet.
| Type: | ClaimsProviderTrust |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-TargetIdentifier
Specifies the identifier of the claims provider trust that is modified by the cmdlet.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-TargetName
Specifies the friendly name of the claims provider trust that is modified by the cmdlet.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-TokenSigningCertificate
Specifies an array of token-signing certificates that the claims provider use.
| Type: | X509Certificate2[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-WSFedEndpoint
Specifies the WS-Federation Passive URL for this claims provider.
| Type: | Uri |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
Microsoft.IdentityServer.PowerShell.Resources.ClaimDescription
ClaimDescription objects are received by the ClaimOffered parameter.
System.Security.Cryptography.X509Certificates.X509Certificate.X509Certificate2
X509Certificate2 objects are received by the TargetCertificate parameter.
Microsoft.IdentityServer.PowerShell.Resources.ClaimsProviderTrust
ClaimsProviderTrust objects are received by the TargetClaimsProviderTrust parameter.
String objects are received by the AcceptanceTransformRules, SamlEndpoint, TargetIdentifier, and TargetName parameters.
Outputs
Microsoft.IdentityServer.PowerShell.Resources.ClaimsProviderTrust
Returns the changed ClaimsProviderTrust object when the PassThru parameter is specified. By default, this cmdlet does not generate any output.
Notes
- The claims provider collects and authenticates a user's credentials, builds up claims for that user, and packages the claims into security tokens or Information Cards. In other words, a claims provider represents the organization for whose users the claims provider issues security tokens or Information Cards on their behalf. When you configure Active Directory Federation Services (AD FS), the role of the claims provider is to enable its users to access resources that are hosted in a relying party organization by establishing one side of a federation trust relationship. After the trust is established, tokens and Information Cards can be presented to a relying party across the federation trust.