我正在使用Windows 2008 R2 Enterprise服务器 . 我正在尝试编写为我们的 生产环境 服务器创建依赖方信任的脚本 . 我写了一个PowerShell脚本 . 当我手动创建信赖方信任时,我选择SAML 1.1配置文件,一切正常 . 当我创建一个脚本并使用powershell命令 Add-ADFSRelyingPartyTrust 时,它不起作用,我收到以下错误:
联合身份验证服务无法为调用者“xxxx \ xxxxx”授权令牌发布 . 呼叫者无权为依赖方“https://example.com/forms/”请求令牌 . 请参阅事件501,其中具有相同的实例ID,用于呼叫者身份 .
当我搜索该错误时,我觉得(虽然我可能错了)它是SAML 2.0配置文件问题 . 但我需要SAML 1.1 .
以下是我创建信赖方信任的代码:
Write-Host "Configuring relying party trust."
Add-ADFSRelyingPartyTrust -Identifier "$endpoint" -Name "$name" -WSFedEndpoint "$endpoint/" -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
Write-Host "Configuring rules."
$ruleSet = New-ADFSClaimRuleSet -ClaimRule 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";userPrincipalName,mail,givenName,sn;{0}", param = c.Value);'
Set-ADFSRelyingPartyTrust -TargetIdentifier "$endpoint" -IssuanceTransformRules $ruleSet.ClaimRulesString
Write-Host "Done."
当我在依赖信任上运行 GetADFSRelyingPartyTrust 并将其与不起作用的信任进行比较时,请参阅规则模板中的差异:
作品:
IssuanceAuthorizationRules:@RuleTemplate =“AllowAllAuthzRule”=> issue(Type =“http://schemas.microsoft.com/authorization/claims/permit”,Val ue =“true”);
不起作用:
IssuanceAuthorizationRules:
有关如何摆脱上述错误消息的任何想法?
1 回答
通过提出问题并提供上述信息,我找到了自己的答案:
我需要将-IssuanceAuthorizationRules参数传递给命令 .