
Commit 1211eb1

authored
Merge pull request #292 from troettinger/vnext
Add Datacenter Integration Helpers
2 parents 06f96a5 + 27925b7 commit 1211eb1


2 files changed

+89
-0
lines changed

2 files changed

+89
-0
lines changed
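--- /dev/null
+++ b/DatacenterIntegration/Identity/claimrules.txt
@@ -0,0 +1,28 @@
+@RuleTemplate = "LdapClaims"
+@RuleName = "Name claim"
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
+=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName;{0}", param = c.Value);
+
+@RuleTemplate = "LdapClaims"
+@RuleName = "UPN claim"
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
+=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
+
+@RuleTemplate = "LdapClaims"
+@RuleName = "ObjectID claim"
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
+=> issue(Type = "http://schemas.microsoft.com/identity/claims/objectidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
+
+@RuleName = "Family Name and Given claim"
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
+=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";sn,givenName;{0}", param = c.Value);
+
+@RuleTemplate = "PassThroughClaims"
+@RuleName = "Pass through all Group SID claims"
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
+=> issue(claim = c);
+
+@RuleTemplate = "PassThroughClaims"
+@RuleName = "Pass through all windows account name claims"
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
+=> issue(claim = c);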
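Review bot: The last pass-through rule (new line 27) forwards every windowsaccountname claim regardless of issuer, whereas the LDAP lookup rules above accept only `Issuer == "AD AUTHORITY"` and the group-SID pass-through (new line 22) is pinned to `^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$`. If this AD FS farm ever adds another claims provider trust, a windowsaccountname asserted by that provider would reach Azure Stack unfiltered, and the objectidentifier rule (new line 13) likewise copies primarysid from any issuer. Consider the same guard on both: `c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]`. The surname/givenname rule (new line 16) is also the only LDAP rule without an `@RuleTemplate = "LdapClaims"` line, which presumably leaves it shown as a custom rule in the AD FS console rather than as a template rule like its siblings.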

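--- /dev/null
+++ b/DatacenterIntegration/Identity/setupadfs.ps1
@@ -0,0 +1,61 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# See LICENSE.txt in the project root for license information.
+
+<#
+ 
+.SYNOPSIS 
+ 
+Configures existing AD FS for Azure Stack
+ 
+.DESCRIPTION 
+ 
+It will create a relying Party Trust to Azure Stack's AD FS with the necessary rules. It will also turn on form based authentication and Enable as setting to support Edge
+ 
+.PARAMETER ExternalDNSZoneSpecify the Extnerl Dns Zone of Azure Stack which was also provided for initial deployment.EXAMPLE .\setupadfs.ps1 -externaldnszone local.azurestack.external#>Param( [string]$ExternalDNSZone)
+$currentPath = $PSScriptRoot
+
+#Create Endpoint
+$VIP="adfs.$ExternalDnsZone"
+
+#Verify if Endpoint is reachable
+Write-Host "Validate AD FS Endpoint if reachable"
+$Validator1=Test-NetConnection -ComputerName $VIP -Port 443
+IF ($Validator1.TcpTestSucceeded -ne $true){
+Write-Host "Check you DNS Integration with Azure Stack Error "$Validator1.TcpTestSucceeded ""
+Exit}
+else{
+Write-host "Status "$Validator1.TcpTestSucceeded""
+#Create Metadata URL
+$MetadataURL= "https://$VIP/FederationMetadata/2007-06/FederationMetadata.xml"
+
+#Verify Metadata URL
+Write-Host "Validate AD FS Metadata URL"
+$Validator2=Invoke-WebRequest $MetadataURL
+If ($Validator2.StatusCode -ne 200){
+Write-Host "Metadata URL could not be retrived Error "$Validator2.StatusCode""
+Exit}
+else{
+Write-Host "Status "$Validator2.StatusCode""
+
+#Determine Windows Version
+$WindowsVersion= [environment]::OSVersion.Version
+
+#Configure Relying Party Trust
+If ($WindowsVersion.Build -lt 14393) {
+
+#Must be 2012 or 2012 R2
+Add-ADFSRelyingPartyTrust -Name AzureStack -MetadataUrl $MetadataURL -IssuanceTransformRulesFile ($currentPath + '\claimrules.txt') -AutoUpdateEnabled:$true -MonitoringEnabled:$true -enabled:$true
+}
+else{
+#Must be 2016
+Add-ADFSRelyingPartyTrust -Name AzureStack -MetadataUrl $MetadataURL -IssuanceTransformRulesFile ($currentPath + '\claimrules.txt') -AutoUpdateEnabled:$true -MonitoringEnabled:$true -enabled:$true -AccessControlPolicyName Permit everyone
+
+
+#Enable Form Based Authentication
+Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIPC","Windows Rights Management Client","Kloud")
+
+#Enable Supprt for Edge Browser
+Set-AdfsProperties -IgnoreTokenBinding $true
+}
+}
+}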
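Review bot: `-AccessControlPolicyName Permit everyone` on new line 51 is unquoted, so PowerShell binds `Permit` as the policy name and passes `everyone` as a stray positional argument, and Add-ADFSRelyingPartyTrust fails on the Windows Server 2016 branch; it should read `-AccessControlPolicyName "Permit everyone"`. That policy, as its name says, issues Azure Stack tokens to every authenticated AD user, while the 2012/2012 R2 branch (new line 47) sets no issuance authorization rules at all, so confirm which users are meant to reach Azure Stack and scope the policy (or add `-IssuanceAuthorizationRules`) accordingly. The two `Set-AdfsProperties` calls on new lines 55 and 58 change farm-wide settings rather than this relying party: the new WIA user-agent list contains no browser agents, which effectively forces forms authentication for every RP trust, and `-IgnoreTokenBinding $true` disables token binding for the whole farm, so both deserve a comment stating that blast radius and ideally a switch parameter to opt in. `$ExternalDNSZone` is also not mandatory, so an empty value silently builds `adfs.` as the endpoint; `[Parameter(Mandatory=$true)][string]$ExternalDNSZone` would reject that before Test-NetConnection runs.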
