Monday, November 06, 2017

ADFS : Application Groups

ADFS 4.0 manages OpenID Connect / OAuth connections via the "Application Groups" folder.

There are three kinds:
  • Native application
  • Server application
  • Web API
which leads to the following combinations:
  • Native application accessing web API
  • Server application accessing Web API
Plus the odd one out:
  • Web browser accessing web application
The PowerShell cmdlets split into three separate commands:
  • Get-AdfsNativeClientApplication
  • Get-AdfsServerApplication
  • Get-AdfsWebApiApplication
So although the wizard creates an application and its web API in one pass, the individual components are separate objects that have to be inspected and changed through their own cmdlets in PowerShell.

Examples:

Get-AdfsNativeClientApplication

Name                       : MyApp  - Native application
Identifier                 : b2...27
ApplicationGroupIdentifier : MyApp
Description                :
Enabled                    : True
RedirectUri                : {https://blah}

Get-AdfsServerApplication

ADUserPrincipalName                  :
ClientSecret                         : ********
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys                       : {}
JWKSUri                              :
Name                                 : My server application
Identifier                           : 8e...44
ApplicationGroupIdentifier           : MyApp
Description                          :
Enabled                              : True
RedirectUri                          : {https://blah}

Get-AdfsWebApiApplication

Name                                 : My Web API
Identifier                           : {https://blah/webapi}
AccessControlPolicyName              : Permit everyone
AccessControlPolicyParameters        :
AdditionalAuthenticationRules        :
AllowedAuthenticationClassReferences : {}
AllowedClientTypes                   : Public, Confidential
ApplicationGroupIdentifier           : MyApp
ApplicationGroupId                   : 12...56
AlwaysRequireAuthentication          : False
ClaimsProviderName                   : {}
DelegationAuthorizationRules         :
Enabled                              : True
ImpersonationAuthorizationRules      :
IssuanceAuthorizationRules           :
IssueOAuthRefreshTokensTo            : AllDevices
IssuanceTransformRules               : @RuleName = "All"
                                       c:[]
                                        => issue(claim = c);
                                      
                                      
NotBeforeSkew                        : 0
Description                          :
PublishedThroughProxy                : False
RefreshTokenProtectionEnabled        : False
RequestMFAFromClaimsProviders        : False
ResultantPolicy                      : RequireFreshAuthentication:False
                                       IssuanceAuthorizationRules:
                                       {
                                         Permit everyone
                                       }
TokenLifetime                        : 0

Plus we have the legacy cmdlets from ADFS 3.0:

Get-AdfsClient

RedirectUri                          : {ms-appx-web://Microsoft.AAD.BrokerPlugin}
Name                                 : Windows Logon Client
Description                          : Client for Microsoft Windows Logon
ClientId                             : 38...93b
BuiltIn                              : True
Enabled                              : True
ClientType                           : Public
ADUserPrincipalName                  :
ClientSecret                         :
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys                       : {}
JWKSUri                              :

Just remember that the client ID is auto-generated when you create one of these entries, and the client secret can only be viewed once, in the wizard at creation time.

Plus there was this question over on the forum about scopes:

In an ADFS Application Group, add Client Application/Permitted Scope to Web API with PowerShell

Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientAppIdGuid -ServerRoleIdentifier $relyingPartyIdentifier -ScopeNames $theScopesYouWantAssignedTo
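Putting the separate cmdlets together, here is the "Native application accessing web API" combination built entirely from PowerShell, with the permission grant limited to the one scope the client needs. This is an added example, not code from the original post; the group name, identifiers, redirect URI and scope name are assumed placeholders, and it expects to run on the ADFS server with the ADFS module available.

```powershell
# Added example: build a native client + Web API application group from the
# cmdlets the wizard hides, then grant and verify a minimal scope.
# All names, URIs and scope names below are assumed placeholders.
Import-Module ADFS

$groupName = 'MyApp'                          # assumed application group name
$apiId     = 'https://blah/webapi'            # assumed Web API identifier (the token audience)
$clientId  = [guid]::NewGuid().ToString()     # the client id is a GUID you choose up front
$redirect  = 'https://blah'                   # assumed redirect URI for the native client

# 1. The group itself (the wizard's first page).
New-AdfsApplicationGroup -Name $groupName -Description 'Native client + Web API' | Out-Null

# 2. The public client. A native app cannot keep a secret, so none is generated.
Add-AdfsNativeClientApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Native application" -Identifier $clientId -RedirectUri $redirect

# 3. The Web API. Its identifier is the 'aud' the API must validate in every access token.
#    The pass-through rule matches what the wizard emits; the access control policy name
#    must already exist on the farm ('Permit everyone' is the built-in shown on this page).
$rules = '@RuleName = "All"' + "`r`n" + 'c:[] => issue(claim = c);'
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupName -Name 'My Web API' `
    -Identifier $apiId -AccessControlPolicyName 'Permit everyone' -IssuanceTransformRules $rules

# 4. The permission. The wizard does this step too, but with its own scope selection;
#    here only 'openid' is granted. Extra scopes can be added later with
#    Set-AdfsApplicationPermission rather than over-granting now.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId -ServerRoleIdentifier $apiId `
    -ScopeNames 'openid'

# 5. Verify what was actually granted to this client, which is the view an audit wants.
Get-AdfsApplicationPermission -ClientRoleIdentifiers $clientId |
    Select-Object ClientRoleIdentifier, ServerRoleIdentifier, ScopeNames
```

Running step 5 across every client (drop the -ClientRoleIdentifiers filter) is a quick way to spot grants with broader scopes than the corresponding application should have.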

And remember you can get all the commands by:

get-command *adfsclient*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Add-AdfsClient                                     1.0.0.0    ADFS
Cmdlet          Disable-AdfsClient                                 1.0.0.0    ADFS
Cmdlet          Enable-AdfsClient                                  1.0.0.0    ADFS
Cmdlet          Get-AdfsClient                                     1.0.0.0    ADFS
Cmdlet          Remove-AdfsClient                                  1.0.0.0    ADFS
Cmdlet          Set-AdfsClient                                     1.0.0.0    ADFS

get-command *adfsnativeclient*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Add-AdfsNativeClientApplication                    1.0.0.0    ADFS
Cmdlet          Get-AdfsNativeClientApplication                    1.0.0.0    ADFS
Cmdlet          Remove-AdfsNativeClientApplication                 1.0.0.0    ADFS
Cmdlet          Set-AdfsNativeClientApplication                    1.0.0.0    ADFS

get-command *adfsserver*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Add-AdfsServerApplication                          1.0.0.0    ADFS
Cmdlet          Get-AdfsServerApplication                          1.0.0.0    ADFS
Cmdlet          Remove-AdfsServerApplication                       1.0.0.0    ADFS
Cmdlet          Set-AdfsServerApplication                          1.0.0.0    ADFS

get-command *adfswebapi*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Add-AdfsWebApiApplication                          1.0.0.0    ADFS
Cmdlet          Get-AdfsWebApiApplication                          1.0.0.0    ADFS
Cmdlet          Remove-AdfsWebApiApplication                       1.0.0.0    ADFS
Cmdlet          Set-AdfsWebApiApplication                          1.0.0.0    ADFS

get-command *adfsapplication*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Disable-AdfsApplicationGroup                       1.0.0.0    ADFS
Cmdlet          Enable-AdfsApplicationGroup                        1.0.0.0    ADFS
Cmdlet          Get-AdfsApplicationGroup                           1.0.0.0    ADFS
Cmdlet          Get-AdfsApplicationPermission                      1.0.0.0    ADFS
Cmdlet          Grant-AdfsApplicationPermission                    1.0.0.0    ADFS
Cmdlet          New-AdfsApplicationGroup                           1.0.0.0    ADFS
Cmdlet          Remove-AdfsApplicationGroup                        1.0.0.0    ADFS
Cmdlet          Revoke-AdfsApplicationPermission                   1.0.0.0    ADFS
Cmdlet          Set-AdfsApplicationGroup                           1.0.0.0    ADFS
Cmdlet          Set-AdfsApplicationPermission                      1.0.0.0    ADFS

Enjoy!

1 comment:

Anonymous said...

This:
Plus the odd one out:
Web browser accessing web application

Anyone know how to create that one (Native Application and Web application, not Web API) with PowerShell?

This adds the first half (Native Application) to the application group:
Add-AdfsNativeClientApplication

But there seems to be no command for adding a Web Application..?
This is not the one, this adds a Web API:
Add-AdfsWebApiApplication