I’m working on a Windows 2008 R2 Enterprise server. I am trying to script the creation of a relying party trust for our production servers. I’ve written a PowerShell script. When I create the relying party trust manually, I select SAML 1.1 profile and everything works. When I create a script and use the PowerShell command Add-ADFSRelyingPartyTrust, it does not work the same and I get the following error:

The Federation Service could not authorize token issuance for caller 'xxxx\xxxxx '. The caller is not authorized to request a token for the relying party 'https://example.com/forms/'. Please see event 501 with the same instance id for caller identity.

When I search on that error, it appears to me (though I could be wrong) that it’s a SAML 2.0 profile issue. But I need SAML 1.1.

Here is the code where I create the relying party trust:

Write-Host "Configuring relying party trust."
Add-ADFSRelyingPartyTrust -Identifier "$endpoint" -Name "$name" -WSFedEndpoint "$endpoint/" -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
Write-Host "Configuring rules."
$ruleSet = New-ADFSClaimRuleSet -ClaimRule 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";userPrincipalName,mail,givenName,sn;{0}", param = c.Value);'
Set-ADFSRelyingPartyTrust -TargetIdentifier "$endpoint" -IssuanceTransformRules $ruleSet.ClaimRulesString
Write-Host "Done."

When I do a Get-ADFSRelyingPartyTrust on the relying party trust that works and compare it to the one that does not work, I see a difference in the rule template:

Works:

IssuanceAuthorizationRules : @RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

Doesn’t Work:

IssuanceAuthorizationRules :

Any ideas on how to get rid of the above error message?


Solution

By asking the question and providing the above information I found my own answer:

I needed to pass the -IssuanceAuthorizationRules parameter to the command.

-IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
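A complete version of the script with the authorization rule set passed to Add-ADFSRelyingPartyTrust and a check that the trust actually carries one, added here as an example (not the asker's original script); $endpoint, $name and the group SID are assumed placeholder values:

```powershell
# Added example (not the asker's script). Assumed values: $endpoint, $name,
# and "S-1-5-21-PLACEHOLDER-GROUP-SID", which stands in for a real group SID.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 on 2008 R2

$endpoint = "https://example.com/forms"
$name     = "Forms application"

# Transform rules: which claims the issued token carries (same AD query as the question).
$transformRules = New-ADFSClaimRuleSet -ClaimRule @'
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";userPrincipalName,mail,givenName,sn;{0}", param = c.Value);
'@

# Authorization rules: who may be issued a token at all. With no rule present the
# Federation Service denies every caller (the event 501 case in the question).
# $permitAll mirrors the GUI default; $permitGroup permits only members of one group.
$permitAll   = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
$permitGroup = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-GROUP-SID"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
$authzRules  = New-ADFSClaimRuleSet -ClaimRule $permitAll   # use $permitGroup to restrict access

Add-ADFSRelyingPartyTrust -Identifier $endpoint -Name $name -WSFedEndpoint "$endpoint/" `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" `
    -IssuanceTransformRules $transformRules.ClaimRulesString `
    -IssuanceAuthorizationRules $authzRules.ClaimRulesString

# Verify: an empty IssuanceAuthorizationRules is exactly the "doesn't work" state above.
$rp = Get-ADFSRelyingPartyTrust -Identifier $endpoint
if ([string]::IsNullOrWhiteSpace($rp.IssuanceAuthorizationRules)) {
    throw "Relying party '$endpoint' has no issuance authorization rules; token requests will be denied."
}
Write-Host "Authorization rules for $($rp.Name):`n$($rp.IssuanceAuthorizationRules)"
```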

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow