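# Provisioning script for an ACS (Access Control Service) namespace: registers the
# identity providers (Yahoo!, Google, optionally a Facebook app, and PayPal via
# OpenID), a relying party, and the claim rules that map each provider's claims
# onto the claim types the relying party consumes.
#
# Usage: replace every "YOUR ... HERE" placeholder below, then run from a
# PowerShell session that has the ACS Management Tools snap-in installed.
# The PFX password for the token signing certificate is prompted for
# interactively and is never stored in this file.
#
# $mgmtKey and $fbAppSecret are credentials: once the placeholders are filled in,
# keep this file out of source control (or load those two values from a
# protected location instead of editing them in place).

# Coordinates of your namespace
$acsNamespace = "YOUR NAMESPACE HERE"
$mgmtKey      = "YOUR KEY HERE"

# Constants
$rpName      = "YOUR RP NAME HERE"
$realm       = "YOUR REALM NAME HERE"
$spReturnUrl = "YOUR SP URL/_trust"
$groupName   = "Default Rule Group for $rpName"
$fbAppIPName = "YOUR FB APP ID"
$fbAppId     = "YOUR FB APP ID"
$fbAppSecret = "YOUR FB APP SECRET"
$payPalIdpName = "YOUR PAYPAL APP NAME HERE"
# Make sure this matches the return URI registered with PayPal, WITH the trailing slash.
$payPalSignInAddress = "https://www.paypal.com/webapps/auth/login/"
# Only used in a progress message; rules are created per provider further down.
$allowedIdentityProviders = @("Windows Live ID", "Yahoo!", "Google", "Facebook")
$tokenSigningCertPath = "YOUR TOKEN SIGNING CERT"

# Fail fast on placeholders that were left in place. Every later call would
# otherwise fail part-way through with a less obvious error, possibly after
# some of the namespace has already been modified.
foreach ($required in @("acsNamespace", "mgmtKey", "rpName", "realm", "tokenSigningCertPath")) {
    $value = Get-Variable -Name $required -ValueOnly
    if ([string]::IsNullOrWhiteSpace($value) -or $value -like "YOUR *") {
        throw "Set `$$required before running this script."
    }
}

# Include ACS Management SnapIn. Loading is allowed to fail quietly (the snap-in
# may already be loaded), but the cmdlets must exist before we go any further,
# so the failure mode is a clear message rather than "cmdlet not recognized".
Add-PSSnapin ACSManagementToolsSnapIn -ErrorAction SilentlyContinue
if (-not (Get-Command Get-AcsManagementToken -ErrorAction SilentlyContinue)) {
    throw "ACSManagementToolsSnapIn is not available; install the ACS Management Tools first."
}

# Get the ACS management token for securing all subsequent API calls
$mgmtToken = Get-AcsManagementToken -namespace $acsNamespace -managementKey $mgmtKey

Write-Host "Grabbing the token signing certificate"
# The PFX password is read as a SecureString so it is neither echoed nor kept
# in plain text. PersistKeySet writes the private key into the current user's
# key container and Exportable allows it to be read back out; presumably both
# are needed for Add-RelyingParty -SigningCert to use the key -- confirm. Note
# the key stays in the user's key store after this script finishes.
$pfxPass = Read-Host "Enter the pfx password" -AsSecureString
$azureTokenSigningCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$azureTokenSigningCert.Import($tokenSigningCertPath, $pfxPass, "Exportable,PersistKeySet")

# Configure Preconfigured Identity Providers
Write-Output "Add PreConfigured Identity Providers (Google and Yahoo!)..."
$yahooIp  = Add-IdentityProvider -mgmtToken $mgmtToken -type "Preconfigured" -preconfiguredIPType "Yahoo!"
$googleIp = Add-IdentityProvider -mgmtToken $mgmtToken -type "Preconfigured" -preconfiguredIPType "Google"

# Facebook is optional: it is set up only when both app coordinates are filled
# in (empty or still a placeholder means "not configured"). The same flag
# guards the Facebook claim rules below, so a run without Facebook does not
# try to add rules for a provider that was never created.
$facebookEnabled = -not ([string]::IsNullOrWhiteSpace($fbAppId) -or $fbAppId -like "YOUR *" -or
                         [string]::IsNullOrWhiteSpace($fbAppSecret) -or $fbAppSecret -like "YOUR *")

# Configure Facebook App Identity Provider
if ($facebookEnabled) {
    Write-Output "Add Facebook App Identity Provider ($fbAppIPName)..."
    # Remove FB App IP (if exists) so the add below is repeatable
    Remove-IdentityProvider -mgmtToken $mgmtToken -name $fbAppIPName
    # Add FB App IP
    $null = Add-IdentityProvider -mgmtToken $mgmtToken -type "FacebookApp" -name $fbAppIPName -fbAppId $fbAppId -fbAppSecret $fbAppSecret
}

Write-Host "Configure the PayPal IDP"
Remove-IdentityProvider -mgmtToken $mgmtToken -name $payPalIdpName
# Manual OpenID provider. NOTE(review): the original authenticated this one call
# with -Namespace/-ManagementKey instead of the management token used everywhere
# else; kept as-is because it is not certain the "Manual" type accepts
# -mgmtToken -- confirm and switch if it does.
Add-IdentityProvider -Namespace $acsNamespace -ManagementKey $mgmtKey -Type "Manual" -Name $payPalIdpName -Protocol OpenId -SignInAddress $payPalSignInAddress

# Remove RP (if it already exists)
Write-Output "Remove Relying Party ($rpName) if exists..."
Remove-RelyingParty -mgmtToken $mgmtToken -name $rpName

# Remove All Rules In Group (if they already exist)
Write-Output "Remove All Rules In Group ($groupName) if exists..."
Get-Rule -mgmtToken $mgmtToken -groupName $groupName | ForEach-Object { Remove-Rule -mgmtToken $mgmtToken -rule $_ }

# Create Relying Party: SAML 1.1 tokens (the /_trust return URL suggests a
# SharePoint consumer, which expects that format), signed with the certificate
# imported above, valid for 3600 seconds.
Write-Output "Create Relying Party ($rpName)..."
$rp = Add-RelyingParty -mgmtToken $mgmtToken -name $rpName -realm $realm -tokenFormat "SAML_1_1" -ruleGroup $groupName -ReturnUrl $spReturnUrl -SigningCert $azureTokenSigningCert -TokenLifetime 3600

# Generate default pass-through rules for every provider attached to the RP
Write-Output "Create Default Passthrough Rules for the configured IPs ($allowedIdentityProviders)..."
$rp.IdentityProviders | ForEach-Object { Add-DefaultPassthroughRules -mgmtToken $mgmtToken -groupName $groupName -identityProviderName $_.Name }

#######################################
# Adds one claim rule to the RP's rule group.
# Globals:   $mgmtToken, $acsNamespace, $groupName (read)
# Arguments: -IdentityProviderName  provider the rule applies to
#            -Description           human-readable rule description
#            -InputClaimType        claim type URI received from the provider
#            -OutputClaimType       claim type URI to emit; when omitted the
#                                   rule is added without -OutputClaimType,
#                                   exactly as the original per-rule calls did
#######################################
function Add-ClaimRule {
    param(
        [Parameter(Mandatory = $true)][string]$IdentityProviderName,
        [Parameter(Mandatory = $true)][string]$Description,
        [Parameter(Mandatory = $true)][string]$InputClaimType,
        [string]$OutputClaimType
    )
    $ruleArgs = @{
        MgmtToken            = $mgmtToken
        Namespace            = $acsNamespace
        GroupName            = $groupName
        IdentityProviderName = $IdentityProviderName
        Description          = $Description
        InputClaimType       = $InputClaimType
    }
    if ($OutputClaimType) { $ruleArgs.OutputClaimType = $OutputClaimType }
    Add-Rule @ruleArgs
}

$nameIdClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$emailClaim  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Windows Live ID, Yahoo! and Google all map the name identifier to email.
Write-Output "Create the LiveId claim rules"
Add-ClaimRule -IdentityProviderName "Windows Live ID" -Description "Name Id to Email Address" -InputClaimType $nameIdClaim -OutputClaimType $emailClaim

Write-Output "Create the Yahoo claim rules"
Add-ClaimRule -IdentityProviderName $yahooIp.Name -Description "Name Id to Email Address" -InputClaimType $nameIdClaim -OutputClaimType $emailClaim

Write-Output "Create the Google claim rules"
Add-ClaimRule -IdentityProviderName $googleIp.Name -Description "Name ID to Email" -InputClaimType $nameIdClaim -OutputClaimType $emailClaim

if ($facebookEnabled) {
    Write-Output "Create the Facebook claim rules"
    Add-ClaimRule -IdentityProviderName $fbAppIPName -Description "Full Name" -InputClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    # The Facebook access token is forwarded to the RP as a claim, so tokens
    # issued for this RP carry a credential for the user's Facebook account;
    # the RP must protect them accordingly.
    Add-ClaimRule -IdentityProviderName $fbAppIPName -Description "AccessToken" -InputClaimType "http://www.facebook.com/claims/AccessToken"
    Add-ClaimRule -IdentityProviderName $fbAppIPName -Description "Email Address" -InputClaimType $emailClaim
    Add-ClaimRule -IdentityProviderName $fbAppIPName -Description "Expiration" -InputClaimType "http://schemas.xmlsoap.org/ws/2008/06/identity/claims/expiration"
    Add-ClaimRule -IdentityProviderName $fbAppIPName -Description "Identity Provider" -InputClaimType "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/IdentityProvider"
}

Write-Output "Create the PayPal claim rules"
# Claim rules for PayPal (OpenID attribute exchange and PAPE claims). Rows
# without Output are added as input-only rules, as in the original script.
$payPalRules = @(
    @{ Description = "firstName"; Input = "http://axschema.org/namePerson/first" },
    @{ Description = "LastName";  Input = "http://axschema.org/namePerson/last" },
    @{ Description = "email";     Input = "http://axschema.org/contact/email";           Output = $emailClaim },
    @{ Description = "fullname";  Input = "http://schema.openid.net/contact/fullname" },
    @{ Description = "dob";       Input = "http://axschema.org/birthDate" },
    @{ Description = "postcode";  Input = "http://axschema.org/contact/postalCode/home"; Output = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode" },
    @{ Description = "country";   Input = "http://axschema.org/contact/country/home";    Output = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" },
    @{ Description = "language";  Input = "http://axschema.org/pref/language" },
    @{ Description = "timezone";  Input = "http://axschema.org/pref/timezone" },
    @{ Description = "street1";   Input = "http://schema.openid.net/contact/street1" },
    @{ Description = "street2";   Input = "http://schema.openid.net/contact/street2" },
    @{ Description = "city";      Input = "http://axschema.org/contact/city/home";       Output = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality" },
    @{ Description = "state";     Input = "http://axschema.org/contact/state/home";      Output = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince" },
    @{ Description = "phone";     Input = "http://axschema.org/contact/phone/default";   Output = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone" },
    @{ Description = "Verified";  Input = "https://www.paypal.com/webapps/auth/schema/verifiedAccount" },
    @{ Description = "Payer ID";  Input = "https://www.paypal.com/webapps/auth/schema/payerID" },
    @{ Description = "PAPE";      Input = "http://specs.openid.net/extensions/pape/1.0" },
    @{ Description = "preferred_auth_policies_phishing-resistant";    Input = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant" },
    @{ Description = "preferred_auth_policies_multi-factor";          Input = "http://schemas.openid.net/pape/policies/2007/06/multi-factor" },
    @{ Description = "preferred_auth_policies_multi-factor-physical"; Input = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical" }
)
foreach ($rule in $payPalRules) {
    Add-ClaimRule -IdentityProviderName $payPalIdpName -Description $rule.Description -InputClaimType $rule.Input -OutputClaimType $rule.Output
}

Write-Output "Done"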