
Add-AdfsLocalClaimsProviderTrust

Creates a local claims provider trust.

Syntax

Default (Default)

Add-AdfsLocalClaimsProviderTrust
    -Name <String>
    -Identifier <String>
    [-AcceptanceTransformRules <String>]
    [-AcceptanceTransformRulesFile <String>]
    [-Enabled <Boolean>]
    [-Notes <String>]
    [-OrganizationalAccountSuffix <String[]>]
    [-Force]
    [-Type <String>]
    [-PassThru]
    [-WhatIf]
    [-Confirm]
    -LdapServerConnection <LdapServerConnection[]>
    -UserObjectClass <String>
    -UserContainer <String>
    -AnchorClaimLdapAttribute <String>
    -AnchorClaimType <String>
    [-LdapAuthenticationMethod <LdapAuthenticationMethod>]
    [-LdapAttributeToClaimMapping <LdapAttributeToClaimMapping[]>]
    [<CommonParameters>]

Description

The Add-AdfsLocalClaimsProviderTrust cmdlet creates a local claims provider trust. This trust is based on a Lightweight Directory Access Protocol (LDAP) v3 compliant directory other than the Active Directory domain of which the Active Directory Federation Services (AD FS) server is a member. This includes other, untrusted, Active Directory forests or domains, Active Directory Lightweight Directory Services directories, and non-Active Directory LDAP directories.

Examples

Example 1: Create an LDAP local claims provider trust

PS C:\> $Credential = Get-Credential
PS C:\> $LdapConn = New-AdfsLdapServerConnection -HostName "DomainContoller03.contoso.com" -Port 389 -SslMode None -AuthenticationMethod Basic -Credential $Credential
PS C:\> $DisplayName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute "displayName" -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname"
PS C:\> Add-AdfsLocalClaimsProviderTrust -Name "testldap" -Identifier "urn:testldap" -Type ldap -LdapServerConnection $LdapConn -UserObjectClass user -UserContainer "CN=Users,DC=<sub_domain_name>,DC=<domain_name>,DC=com" -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute userPrincipalName -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -AcceptanceTransformRules "c:[] => issue(claim=c);" -Enabled $True -OrganizationalAccountSuffix "TSQA.contoso.com" -LdapAttributeToClaimMapping $DisplayName

The first command prompts you for a user name and password by using the Get-Credential cmdlet. The command stores the results in the $Credential variable.

The second command creates an LDAP connection by using the New-AdfsLdapServerConnection cmdlet. DomainContoller03.contoso.com is the fully qualified domain name of a domain controller in the other forest. The command stores the result in the $LdapConn variable.

The third command creates a mapping of an LDAP directory attribute to a claim type by using the New-AdfsLdapAttributeToClaimMapping cmdlet.

The final command creates an LDAP claims provider trust to authenticate users in another, untrusted Active Directory forest.
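The same trust as Example 1, rebuilt as an added example (not part of the original page) so that the Basic credential travels over LDAPS rather than cleartext LDAP on port 389, and so that the acceptance rules issue only the claims the trust needs instead of passing every claim through. The host name, container DN, account suffix, and the use of -SslMode Ssl on port 636 are assumptions for illustration.

```powershell
# Added example: Example 1 with an SSL-wrapped LDAP connection and restricted
# acceptance rules. Host name, suffix and container DN are placeholders.

$Credential = Get-Credential -Message "Service account for the partner LDAP directory"

# Assumes the partner directory listens for LDAPS on 636. With -SslMode None and
# Basic authentication (as in Example 1) the bind password crosses the wire in clear.
$LdapConn = New-AdfsLdapServerConnection -HostName "ldap01.partner.example" `
    -Port 636 -SslMode Ssl -AuthenticationMethod Basic -Credential $Credential

$Mappings = @(
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute "displayName" `
        -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname"
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute "mail" `
        -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
)

# Instead of "c:[] => issue(claim=c);" (accept everything the directory offers),
# issue only the anchor (UPN) claim and the two mapped attributes.
$Rules = @'
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);
@RuleName = "Pass through display name and e-mail"
c:[Type =~ "^http://schemas.xmlsoap.org/ws/2005/05/identity/claims/(displayname|emailaddress)$"] => issue(claim = c);
'@

$Trust = @{
    Name                        = "partnerldap"
    Identifier                  = "urn:partnerldap"
    Type                        = "ldap"
    LdapServerConnection        = $LdapConn
    LdapAuthenticationMethod    = "Basic"
    UserObjectClass             = "user"
    UserContainer               = "CN=Users,DC=partner,DC=example"
    AnchorClaimLdapAttribute    = "userPrincipalName"
    AnchorClaimType             = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    LdapAttributeToClaimMapping = $Mappings
    AcceptanceTransformRules    = $Rules
    OrganizationalAccountSuffix = @("partner.example")
    Enabled                     = $true
}
Add-AdfsLocalClaimsProviderTrust @Trust -PassThru

# Confirm the trust exists and that its rules are the restricted set above.
Get-AdfsLocalClaimsProviderTrust -Name "partnerldap" |
    Select-Object Name, Identifier, Enabled, AcceptanceTransformRules
```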

Parameters

-AcceptanceTransformRules

Specifies the set of claim rules to configure on the local claims provider trust. These rules determine the information that is accepted from the partner represented by the local claims provider trust.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-AcceptanceTransformRulesFile

Specifies the full path of a file that contains the set of claim rules to configure on the local claims provider trust.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AnchorClaimLdapAttribute

Specifies the LDAP attribute against which the user name that the user enters is matched to find the correct user account in the LDAP directory.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AnchorClaimType

Specifies the claim type of the anchor claim in AD FS.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False
Aliases:cf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Enabled

Indicates whether the trust is enabled.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Force

Forces the command to run without asking for user confirmation.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Identifier

Specifies the ID, as a URI, of the claims provider trust.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-LdapAttributeToClaimMapping

Specifies a mapping of LDAP directory attributes to claim types. Each mapping causes an AD FS claim with the corresponding claim type and LDAP attribute value to be available for AD FS processing rules. To obtain a mapping, use the New-AdfsLdapAttributeToClaimMapping cmdlet.

Parameter properties

Type:LdapAttributeToClaimMapping[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-LdapAuthenticationMethod

Specifies the authentication method the local claims provider trust uses. In Windows Server 2016, the only supported method is Basic (username/password).

Parameter properties

Type:LdapAuthenticationMethod
Default value:None
Accepted values:Basic, Kerberos, Negotiate
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-LdapServerConnection

Specifies an array of LDAP server connections that the claims provider trust uses. To obtain an LdapServerConnection object, use the New-AdfsLdapServerConnection cmdlet.

Parameter properties

Type:LdapServerConnection[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Name

Specifies a name for the local claims provider trust.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Notes

Specifies notes.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-OrganizationalAccountSuffix

Specifies an array of organizational account suffixes that an administrator can configure for the claims provider trust in a Home Realm Discovery (HRD) scenario.

Parameter properties

Type:String[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-PassThru

Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Type

Specifies the type of the claims provider trust. The acceptable values for this parameter are: ActiveDirectory and LDAP.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-UserContainer

Specifies a user container.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-UserObjectClass

Specifies a user object class.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False
Aliases:wi

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.