Wednesday, October 11, 2017

ADFS : PowerShell cmdlet - parameter PolicyMetadata

Another question on the forum around the format of PowerShell parameters.

This one was around PolicyMetadata.

Get-AdfsAccessControlPolicy -Name "Demo"

Name           : Demo
Identifier     : Demo
IsBuiltIn      : False
RpUsageCount   : 0
LastUpdateTime : 10/10/2017 7:22:00 PM
Description    :
PolicyMetadata : RequireFreshAuthentication:False
                 IssuanceAuthorizationRules:
                 {
                   Permit everyone
                 }
AssignedTo     : {} 


Now if you copy / paste that PolicyMetadata text (which, as it turns out, is only the human-readable summary of the policy) into a file and then run:

New-AdfsAccessControlPolicy -Name "DemoOne" -PolicyMetadataFile c:\Filename

you get all kinds of errors.

The errors (e.g. "Root error") suggested that the expected format was XML rather than JSON, and certainly not the summary text shown above.

Which means that it is almost impossible to guess the element names etc. from the default output.

So Mr. Google to the rescue and a long time later, I came across:

(Get-AdfsAccessControlPolicy -Name "Permit everyone").PolicyMetadata | fl *

which displays:

IsParameterized : False
Serialized      : <PolicyMetadata xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns="http://schemas.datacontract.org/2012/04/ADFS">
                    <RequireFreshAuthentication>false</RequireFreshAuthentication>
                    <IssuanceAuthorizationRules>
                      <Rule>
                        <Conditions>
                          <Condition i:type="AlwaysCondition">
                            <Operator>IsPresent</Operator>
                            <Values />
                          </Condition>
                        </Conditions>
                      </Rule>
                    </IssuanceAuthorizationRules>
                  </PolicyMetadata>
Summary         : RequireFreshAuthentication:False
                  IssuanceAuthorizationRules:
                  {
                    Permit everyone
                  }
ExtensionData   : System.Runtime.Serialization.ExtensionDataObject


Putting that into a file, e.g. (the <?xml ...?> declaration is optional; if you include it, save the file in the encoding it declares, here UTF-8):

<?xml version="1.0" encoding="UTF-8"?>
<PolicyMetadata xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://schemas.datacontract.org/2012/04/ADFS">
    <RequireFreshAuthentication>false</RequireFreshAuthentication>
    <IssuanceAuthorizationRules>
        <Rule>
            <Conditions>
                <Condition i:type="AlwaysCondition">
                    <Operator>IsPresent</Operator>
                    <Values />
                </Condition>
            </Conditions>
        </Rule>
    </IssuanceAuthorizationRules>
</PolicyMetadata>


and then running the New-AdfsAccessControlPolicy command above works!

I suggest running:

Get-AdfsAccessControlPolicy  

which lists every policy, including the built-in ones, and then looking at each one's PolicyMetadata.Serialized to get hints as to the XML element names and condition types. When you hand-author a policy this way, read back PolicyMetadata.Summary on the created policy and confirm it grants exactly what you intended: the AlwaysCondition above is what "Permit everyone" serializes to, i.e. any authenticated user is permitted with no further condition.
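The whole round trip as a script, as an added example that is not part of the original post: it reads the serialized XML of an existing policy, lists the conditions it contains before anything is created, writes the file, creates the clone and prints the Summary ADFS computes for it. The policy names and the file path are placeholders, and it assumes the ADFS PowerShell module on an AD FS server.

```powershell
# Added example, not from the original post: clone an ADFS access control policy by
# round-tripping PolicyMetadata.Serialized through a file, checking what it grants first.
# Assumes the ADFS module on an AD FS server; $SourceName, $NewName and $Path are placeholders.
param(
    [string]$SourceName = 'Permit everyone',                     # built-in policy from the post
    [string]$NewName    = 'DemoOne',
    [string]$Path       = (Join-Path $env:TEMP "$NewName.PolicyMetadata.xml")
)

# 1. Take the DataContract XML, not the Summary that the default output shows.
$source = Get-AdfsAccessControlPolicy -Name $SourceName
if (-not $source) { throw "Access control policy '$SourceName' not found." }
$xml = $source.PolicyMetadata.Serialized

# 2. Parse it and list every condition before creating anything. The root element uses a
#    default namespace, so XPath queries need a namespace manager.
[xml]$doc = $xml
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('p', 'http://schemas.datacontract.org/2012/04/ADFS')
$xsi = 'http://www.w3.org/2001/XMLSchema-instance'

$conditionTypes = @()
foreach ($cond in @($doc.SelectNodes('//p:Condition', $ns))) {
    $type = $cond.GetAttribute('type', $xsi)           # the i:type attribute, e.g. AlwaysCondition
    $op   = $cond.SelectSingleNode('p:Operator', $ns).InnerText
    $conditionTypes += $type
    Write-Host ("Condition: {0} ({1})" -f $type, $op)
}
$fresh = $doc.SelectSingleNode('/p:PolicyMetadata/p:RequireFreshAuthentication', $ns).InnerText
Write-Host ("RequireFreshAuthentication: {0}" -f $fresh)

# An AlwaysCondition is what "Permit everyone" serializes to: nothing has to be satisfied,
# so any authenticated user is permitted. Make that visible rather than cloning it silently.
if ($conditionTypes -contains 'AlwaysCondition') {
    Write-Warning "Source policy contains an AlwaysCondition (permit everyone); the clone will be just as permissive."
}

# 3. Write the XML as-is (no declaration is added; if you add one, its encoding must match the file).
Set-Content -Path $Path -Value $xml -Encoding UTF8

# 4. Create the policy from the file and read back the Summary ADFS computes from it.
New-AdfsAccessControlPolicy -Name $NewName -PolicyMetadataFile $Path | Out-Null
$clone = Get-AdfsAccessControlPolicy -Name $NewName
$clone.PolicyMetadata.Summary
```

Run it once against a built-in policy to see the condition types ADFS uses, then edit the XML file by hand and re-run only steps 3 and 4 to create a policy with your own conditions; the Summary printed at the end is the quickest check that the file was parsed the way you meant it.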

Enjoy!

4 comments:

Miller A D said...

Thank you for posting this command, it really helped. I wish the xml schema for the Metadata was directly linked in the Microsoft documentation.

An ADFS Admin said...

Brilliant! This post is today nearing 3 years of age, and is still helping people out. I've seen and learned from many of your posts across the internet, nzpcmad. Best wishes and well done!

Weikko said...

Thanks! This was a great help!

Anonymous said...

(Get-AdfsAccessControlPolicy -Name $ADFSControlPolicy).PolicyMetadata.serialized
You can just add to the top