Managing Trust Policy

Managing Trust Policy

This topic contains example scripts that you can use to manage ADFS Trust Policy.

C# Scripts

Set Up Configurable Namespaces in the Trust Policy File

You can edit the Trust Policy file to change the name and the namespace of each claim in the token sent by the Federation Services account partner (FS-A) to the Federation Services resource partner (FS-R). This cannot be used to change the namespaces of claims in cookies.

For example, for an e-mail claim, you can configure the namespace to be "https://treyresearch" rather than the default value, "http://schemas.xmlsoap.org/claims". You can also change the name of the e-mail claim from "EmailAddress" to "EMAIL".

The Trust Policy files must have the same configuration on both the FS-A and the FS-R. If they do not match, the token sent by the FS-A will be rejected by the FS-R.

Note that ADFS ignores the values in <TrustNamespace>, <PolicyNamespace>, and <AddressingNamespace>. If these values are not matched in the Trust Policy files on both the FS-A and the FS-R, this will not cause the FS-R to reject the token sent by the FS-A.

The following code snippet shows how to configure these values:

using System;
using System.Web.Security.SingleSignOn;

// ...

TrustPolicy tp = TrustPolicy.Load(@"c:\windows\systemdata\adfs\trustpolicy.xml", false);

Namespaces configureNS = new Namespaces();

configureNS.AddressingNamespace = "treyresearch";

configureNS.CommonNameAttributeName = "test-commonclaim";

configureNS.CommonNameAttributeNamespace = "https://treyresearch";

configureNS.CommonNameNameIdentifierFormat = "http://testCNIDFormat";

configureNS.EmailAttributeName = "test-emailclaim";

configureNS.EmailAttributeNamespace = "https://treyresearch";

configureNS.EmailNameIdentifierFormat = "http://treyresearch";

configureNS.GroupAttributeName = "test-group";

configureNS.GroupAttributeNamespace = "https://treyresearch";

configureNS.NameValueAttributeNamespace = "http://treyresearch";

configureNS.PolicyNamespace = "https://treyresearch";

configureNS.TrustNamespace = "https://treyresearch";

configureNS.UpnAttributeName = "test-upn";

configureNS.UpnAttributeNamespace = "https://treyresearch";

configureNS.UpnNameIdentifierFormat = "http://treyresearch";

TrustRealm partner = null;

//Check if this is a account partner.

partner = (TrustRealm)tp.TrustedRealms[trustRealmURI];

/* If the URI is not found in the list of account partners, we look in the list of resource partners. */

if (null == partner)

{

partner = (TrustRealm)tp.TrustingRealms[trustRealmURI];

}

// If we still don't find this partner, throw an exception.

if (null == partner || String.Empty.Equals(partner))

{

throw new Exception(String.Format("Partner: {0} not found in Trust Policy file", trustRealmURI));

}

//Configure the new namespaces for this partner realm.

partner.Namespaces = newNS;

Enumerate Application Partners

This script enumerates the friendly names and URLs of all the applications serviced by the Federation Service. To run it, create a Visual Studio console application and add a reference to System.Web.Security.SingleSignOn.dll. You may need to modify the location of the Trust Policy file.

using System;
using System.Collections.Generic;
using System.Text;
using System.Web.Security.SingleSignOn;

namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            TrustPolicy tp = TrustPolicy.Load(@"c:\windows\systemdata\adfs\trustpolicy.xml", false);

            foreach (TrustingApplication ta in tp.TrustingApplications)
            {
                Console.WriteLine("{0} = {1}", ta.TrustEntryDisplayName, ta.TrustPolicyEntryUri);
            }
        }
    }
}

VBScript Scripts

The following scripts require CScript, which can be set as the default script engine by typing "cscript /H:CScript" at a command prompt.

Create A Trust Policy File

The following example shows how to build a Trust Policy file from scratch. You will need to modify the certificate file paths, URIs, and URLs to match your configuration.

Option Explicit

Dim tpf ' Trust policy factory
Dim cf ' Claim Factory
Dim tp ' TrustPolicy
Dim crPurchaseAgent, crAuditor ' Corporate Groups
Dim ccPurchaseLimit ' Corporate Custom Claims
Dim trTrusting ' TrustingRealms
Dim trSample ' TrustedRealms
Dim app ' TrustingApplications
Dim adrPurchaseAgent, adrAuditor ' AD Groups
Dim commonSuffixXform, commonCnXform

WScript.StdOut.WriteLine("Building Trust Policy for adatum")

'
' Create factories
'
set tpf = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")
set cf = CreateObject("System.Web.Security.SingleSignOn.ClaimFactory")

'
' Create the TrustPolicy
'
set tp = tpf.CreateNewTrustPolicy(True, 0) ' initialize certs, RevocationFlags.None

'
' Hosted realm attributes
'
tp.TrustPolicyEntryUri = "urn:federation:adatum"
tp.TrustEntryDisplayName = "ADATUM"
tp.LsUrl = "https://contoso/adatum/ls/"
tp.VerificationMethod.AddNewTrustedCertificate("c:\websso\certs\contoso.cer")
tp.CookiePath = "/adatum"
tp.LogonAcceleratorTokenLifetimeInMinutes = 1

'
' Corporate Claims
'
' 
' - Corporate Groups 
'
set crPurchaseAgent = cf.CreateGroup("PurchaseAgent")
tp.CorporateClaims.GroupClaims.Add(crPurchaseAgent)
set crAuditor = cf.CreateGroup("Auditor")
tp.CorporateClaims.GroupClaims.Add(crAuditor)
'
' - Corporate Custom claims
'
set ccPurchaseLimit = cf.CreateCustom("PurchaseLimit")
tp.CorporateClaims.CustomClaims.Add(ccPurchaseLimit)

'
' Account Stores
'
'
' - Active Directory
'
tp.TrustedAccountStores.NewActiveDirectoryStore()
tp.TrustedAccountStores.ActiveDirectory.TrustEntryDisplayName = "Active Directory"
'
' - AD Group Population
'
set adrPurchaseAgent = cf.CreateADGroupGeneration(crPurchaseAgent)
adrPurchaseAgent.Sids.Add("S-1-5-21-3081723463-1087348054-3379165843-1114") 'user
tp.TrustedAccountStores.ActiveDirectory.GroupGenerations.Add(adrPurchaseAgent)
set adrAuditor = cf.CreateADGroupGeneration(crAuditor)
adrAuditor.Sids.Add("S-1-5-21-3081723463-1087348054-3379165843-500") 'admin
tp.TrustedAccountStores.ActiveDirectory.GroupGenerations.Add(adrAuditor)

'
' - AD LDAP Claims
'
tp.TrustedAccountStores.ActiveDirectory.CreateLdapDirectory()
tp.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.EmailAttribute = "mail"
tp.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.CommonNameAttribute = "CN"
tp.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.CustomClaimLdapAttributes.Add(cf.CreateCustomClaimLdapAttribute(ccPurchaseLimit, "company"))

'
' Trusted Realms
'
'
' - Sample
'
set trSample = tp.NewTrustedRealm("urn:federation:sample", _
    "SAMPLE", _
    "https://contoso/sample/ls/", _
    0) 'RevocationFlags.None
trSample.VerificationMethod.AddNewTrustedCertificate("c:\websso\certs\contoso.cer")

set commonCnXform = CreateObject("System.Web.Security.SingleSignOn.CommonNameClaimTransform")
commonCnXform.PassThroughCommonName = true
trSample.ClaimTransformation.CommonNameClaimTransformation = commonCnXform

trSample.ClaimTransformation.UpnSuffixValidationTransform.SuffixList.Add("vtestdom.nttest.sample.com")
trSample.ClaimTransformation.EmailSuffixValidationTransform.SuffixList.Add("vtestdom.nttest.sample.com")

trSample.ClaimTransformation.GroupTransformations.Add(cf.CreateGroupClaimTransform(crPurchaseAgent, "PurchasingAgent"))
trSample.ClaimTransformation.GroupTransformations.Add(cf.CreateGroupClaimTransform(crAuditor, "Auditor"))

trSample.ClaimTransformation.CustomClaimTransformations.Add(cf.CreateCustomClaimTransform(ccPurchaseLimit, "PurchaseLimit"))

'
' Trusting Realms
'
'
' - Sample
'
set trTrusting = tp.NewTrustingRealm("urn:federation:trey research", _ 
    "Trey Research", _ 
    "https://trey/ls/") 

set commonSuffixXform = CreateObject("System.Web.Security.SingleSignOn.NameSuffixTransform")
commonSuffixXform.Suffix = "vtestdom.nttest.microsoft.com"
set commonCnXform = CreateObject("System.Web.Security.SingleSignOn.CommonNameClaimTransform")
commonCnXform.PassThroughCommonName = true

trTrusting.ClaimTransformation.UpnSuffixTransformation = commonSuffixXform
trTrusting.ClaimTransformation.EmailSuffixTransformation = commonSuffixXform
trTrusting.ClaimTransformation.CommonNameClaimTransformation = commonCnXform

trTrusting.ClaimTransformation.GroupTransformations.Add(cf.CreateGroupClaimTransform(crPurchaseAgent, "PurchasingAgent"))
trTrusting.ClaimTransformation.GroupTransformations.Add(cf.CreateGroupClaimTransform(crAuditor, "Auditor"))

trTrusting.ClaimTransformation.CustomClaimTransformations.Add(cf.CreateCustomClaimTransform(ccPurchaseLimit, "PurchaseLimit"))

'
' Applications
'
set app = tp.NewTrustingApplication("https://contoso", "SharePoint App")
'
' Claim Xform for App
'
app.ClaimTransformation.ClaimFilteringTransformation.AllowUpnClaim = true

set app = tp.NewTrustingApplication("https://contoso/simpleapp/simpleapp.aspx", "Simple App")
'
' Claim Xform for App
'
app.ClaimTransformation.ClaimFilteringTransformation.AllowUpnClaim = true
app.ClaimTransformation.ClaimFilteringTransformation.AllowEmailClaim = true
app.ClaimTransformation.ClaimFilteringTransformation.AllowCommonNameClaim = true
app.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(crPurchaseAgent)
app.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(crAuditor)
app.ClaimTransformation.ClaimFilteringTransformation.AllowedCustomClaimUuids.Add(ccPurchaseLimit)

WScript.StdOut.WriteLine("Outputting Trust Policy to SampleTrustPolicy.xml")
tp.Write("SampleTrustPolicy.xml")

Configure an Account Partner Federation Server

This script generates a Trust Policy file. It shows how to configure an account partner Federation server. Conventionally an account partner FS has an AD store, an optional Adam store and configuration information for one or more Resource partners.

Throughout this script, the name "adatumsts" represents a account partner and the name "treysts" represents a resource partner.

This script takes the following parameters:

The path to this FS's token signing certificate. You will need to have this certificate with private key in the Local Computer store for token signing to work.
The path of the LS client authentication certificate. This certificate is used by FS-Proxy to communicate with FS. This certificate need not be present in the certificate store of the FS machine.
The location (with the file name) where this trustpolicy file will be created. Give the complete path with the name of the file.

Option Explicit

Dim ArgObj, tokenSignCert, proxyCert, OutPath
Set ArgObj=WScript.Arguments
If ArgObj.Count <> 3 Then
    WScript.StdErr.WriteLine("Usage: accountPartnerFS.vbs tokenSignCert proxyCert OutputFilePath")
    WScript.Quit()
Else
    tokenSignCert = ArgObj.Item(0) 
    proxyCert = ArgObj.Item(1) 
    OutPath = ArgObj.Item(2)
End If

Dim trustPolicyObj        ' Trust policy factory
Dim claimsObj        ' Claim Factory
Dim trustPolicy        ' TrustPolicy

Dim corpGrpFormSubmitter, corpGrpFormApprover        ' Corporate Groups
Dim corpCustomPosition        'Corporate Custom Claims

Dim trustingRealmTrey

Dim adGroup1, adGroup2

Dim commonSuffixXform, commonCNXform

' Create Objects/Factory
set trustPolicyObj = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")
set claimsObj = CreateObject("System.Web.Security.SingleSignOn.ClaimFactory")


' Create the TrustPolicy. This instance is used to configure the 
' trustpolicy file.
set trustPolicy = trustPolicyObj.CreateNewTrustPolicy(True,CheckChainExcludeRoot) ' initialize certs
trustPolicy.CookiePath="/adfs/ls"

' Hosted realm attributes
' This is the FS's URI. All FS's (one or more in case of a farm 
' scenario where many FS's share a trustpolicy file) using this 
' trustpolicy file should have unique URI.
trustPolicy.TrustPolicyEntryUri = "urn:federation:adatum"

' This is the Federation Service Endpoint URL. 
trustPolicy.LsUrl = "https://ADATUMSTS/adfs/ls/"

' This is the certificate that will be used by this FS for verifying 
' its own cookies.
trustPolicy.VerificationMethod.AddNewTrustedCertificate(tokenSignCert)

' This is certificate that is used in SSL authentication when a
' FS-Proxy talks to this FS.
trustPolicy.AddLSClientCertificate(proxyCert)

' Define Corporate Groups. Please read documentation to understand the 
' concept of corporate claims.
set corpGrpFormSubmitter = claimsObj.CreateGroup("Employee")
trustPolicy.CorporateClaims.GroupClaims.Add(corpGrpFormSubmitter)
set corpGrpFormApprover = claimsObj.CreateGroup("Manager")
trustPolicy.CorporateClaims.GroupClaims.Add(corpGrpFormApprover)

' Define Corporate Custom Claims. A custom claim is a name-value pair 
' entity.
set corpCustomPosition = claimsObj.CreateCustom("Position")
trustPolicy.CorporateClaims.CustomClaims.Add(corpCustomPosition)

' Active Directory Store. This is the AD store of the domain to which 
' this machine is joined.
trustPolicy.TrustedAccountStores.NewActiveDirectoryStore()
trustPolicy.TrustedAccountStores.ActiveDirectory.TrustEntryDisplayName = "AD Store"

' Active Directory Group Claims Population. Here we are mapping 
' corporate group claims (created above) to AD groups.
set adGroup1 = claimsObj.CreateADGroupGeneration(corpGrpFormSubmitter)
adGroup1.Sids.Add("S-1-1-0")
trustPolicy.TrustedAccountStores.ActiveDirectory.GroupGenerations.Add(adGroup1)

set adGroup2 = claimsObj.CreateADGroupGeneration(corpGrpFormApprover)
adGroup2.Sids.Add("S-1-5-11")
trustPolicy.TrustedAccountStores.ActiveDirectory.GroupGenerations.Add(adGroup2)

' Active Directory LDAP Claims. Mapping corporate claims to AD user 
' account's attributes.
trustPolicy.TrustedAccountStores.ActiveDirectory.CreateLdapDirectory()
trustPolicy.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.EmailAttribute = "mail"
trustPolicy.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.CommonNameAttribute = "displayName"
trustPolicy.TrustedAccountStores.ActiveDirectory.LdapDirectory.LdapClaimGeneration.CustomClaimLdapAttributes.Add(claimsObj.CreateCustomClaimLdapAttribute(corpCustomPosition, "Title"))

' Configuring an ADAM Store
set AdamStore = trustPolicy.TrustedAccountStores.NewAdamAccountStore("urn:federation:adam", _
    "ADAM Store", _
    "adatumadam", _
    "DC=adatum,DC=com", _
    389, _
    "userPrincipalName")

' ADAM LDAP Claims. Mapping corporate claims to ADAM store user 
' account's attributes.
AdamStore.LdapClaimGeneration.UPNAttribute = "userPrincipalName"
AdamStore.LdapClaimGeneration.EmailAttribute = "mail"
AdamStore.LdapClaimGeneration.CommonNameAttribute = "displayName"

' ADAM Group Claims Population. This is tricky. Please read 
' corresponding section in documentation to understand what is going 
' on here. Too much to explain in the script.
AdamStore.LdapClaimGeneration.GroupLdapAttributes.Add(claimsObj.CreateGroupLdapAttribute(corpGrpFormSubmitter, _
    "memberOf", _
    "CN=ADAMTestGroup1,CN=Users,DC=adatum,DC=com"))
AdamStore.LdapClaimGeneration.GroupLdapAttributes.Add(claimsObj.CreateGroupLdapAttribute(corpGrpFormApprover, _
    "memberOf", _
    "CN=ADAMTestGroup2,CN=Users,DC=adatum,DC=com"))
AdamStore.LdapClaimGeneration.CustomClaimLdapAttributes.Add(claimsObj.CreateCustomClaimLdapAttribute(corpCustomPosition, "title"))

' Trusting Realms. Configuring a resource partner for this FS. A 
' resource partner hosts web applications that the account partner's
' users can utilize.
' Resource partner consumes SAML tokens generated by the account 
' partner.
set trustingRealmTrey = trustPolicy.NewTrustingRealm("urn:federation:trey research", _
    "Trey Research", _
    "https://TREYSTS/adfs/ls/")

' This instance is used to set a standard suffix for the UPN or the 
' Email claim that is sent in a SAML token to the resource partner.
' The idea here is that your internal upn/email may be 
' user1@ntdev.windows.stb.microsoft.com but when a SAML token is sent 
' to the resource partner you want your upn/email to look like: 
' user1@microsoft.com.
' Similarly here we are replacing suffix of both upn and email with 
' "adatum.com".
set commonSuffixXform = CreateObject("System.Web.Security.SingleSignOn.NameSuffixTransform")
commonSuffixXform.Suffix = "adatum.com"

' Explicitly allowing corporate common name claim to be passed to the 
' resource partner.
set commonCNXform = CreateObject("System.Web.Security.SingleSignOn.CommonNameClaimTransform")
commonCNXform.PassThroughCommonName = false

' Applying the suffix replacement rule to both UPN claim as well as 
' Email claim.
trustingRealmTrey.ClaimTransformation.UpnSuffixTransformation = commonSuffixXform
trustingRealmTrey.ClaimTransformation.EmailSuffixTransformation = commonSuffixXform
trustingRealmTrey.ClaimTransformation.CommonNameClaimTransformation = commonCnXform

' Mapping corporate group claims to outgoing group claims. This means 
' corporate group claim: Employee (defined above) will be named 
' ClaimSubmitter in the SAML token that is sent to the resource 
' partner.
' Similarly corporate group claim: Manager will be named as
' ClaimApprover in the SAML token that is sent to the resource partner.
trustingRealmTrey.ClaimTransformation.GroupTransformations.Add(claimsObj.CreateGroupClaimTransform(corpGrpFormSubmitter,"ClaimSubmitter"))
trustingRealmTrey.ClaimTransformation.GroupTransformations.Add(claimsObj.CreateGroupClaimTransform(corpGrpFormApprover, "ClaimApprover"))

' Mapping corporate custom claim to outgoing custom claim.
' This means corporate custom claim: Position (defined above) will be 
' named ClaimApprover in the SAML token that is sent to the resource 
' partner.
trustingRealmTrey.ClaimTransformation.CustomClaimTransformations.Add(claimsObj.CreateCustomClaimTransform(corpCustomPosition, "Occupation"))

' We are done with our configuration. Writing the trustpolicy file.
trustPolicy.Write(OutPath)

Configure a Resource Partner Federation Server

This script generates a Trust Policy file. It shows how to configure a resource partner Federation Server. Conventionally a resource partner has information for one or more account partners and one or more trusting web applications configured in it.

Throughout this script, the name "adatumsts" represents an account partner and the name "treysts" represents a resource partner.

This script takes the following parameters:

The path to this FS's token signing certificate. You will need to have this cert with private key in the Local Computer store for token signing to work.
The path of the LS client authentication certificate. This certificate is used by FS-Proxy to communicate with FS. This certificate need not be present in the certificate store of the FS machine.
The location (with the file name) where this trustpolicy file will be created. Give the complete path with the name of the file.

Option Explicit

Dim ArgObj, tokenSignCert, proxyCert, fsaTokenVerificationCert, OutPath
Set ArgObj=WScript.Arguments
If ArgObj.Count <> 4 Then
    WScript.StdErr.WriteLine("Usage: resourcePartnerFS.vbs tokenSignCert proxyCert fsaTokenVerificationCert OutputFilePath")
    WScript.Quit()
Else
    tokenSignCert = ArgObj.Item(0) 
    proxyCert = ArgObj.Item(1) 
    fsaTokenVerificationCert = ArgObj.Item(2) 
    OutPath = ArgObj.Item(3)
End If

Dim trustPolicyObj        ' Trust policy factory
Dim claimsObj        ' Claim Factory
Dim trustPolicy        ' TrustPolicy

Dim corpGrpFormSubmitter, corpGrpFormApprover    ' Corporate Groups
Dim corpCustomPosition    ' Corporate Custom Claims

Dim trustedRealmAdatum    ' TrustedRealms

Dim app1,app2    ' TrustingApplications

Dim commonCNXform

' Create Objects/Factory
set trustPolicyObj = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")
set claimsObj = CreateObject("System.Web.Security.SingleSignOn.ClaimFactory")

' Create the TrustPolicy. This instance is used to configure the 
' trustpolicy file.
set trustPolicy = trustPolicyObj.CreateNewTrustPolicy(True,CheckChainExcludeRoot) ' initialize certs
trustPolicy.CookiePath="/adfs/ls"

' Hosted realm attributes

' This is the FS's URI. All FS's (one or more in case of a farm 
' scenario where many FS's share a trustpolicy file) using this 
' trustpolicy file should have unique URI.
trustPolicy.TrustPolicyEntryUri = "urn:federation:trey research"

'This is Federation Service Endpoint URL.
trustPolicy.LsUrl = "https://TREYSTS/adfs/ls/"

' This is the certificate that will be used by this FS for verifying 
' it's own cookies.
trustPolicy.VerificationMethod.AddNewTrustedCertificate(tokenSignCert)

' This is certificate that is used in SSL authentication when a 
' FS-Proxy talks to this FS.
trustPolicy.AddLSClientCertificate(proxyCert)


' Define Corporate Groups. Please read documentation to understand the 
' concept of corporate claims.
set corpGrpFormSubmitter = claimsObj.CreateGroup("Form Submitter")
trustPolicy.CorporateClaims.GroupClaims.Add(corpGrpFormSubmitter)
set corpGrpFormApprover = claimsObj.CreateGroup("Form Approver")
trustPolicy.CorporateClaims.GroupClaims.Add(corpGrpFormApprover)

' Define Corporate Custom Claims. A custom claim is a name-value pair 
' entity.
set corpCustomPosition = claimsObj.CreateCustom("Profession")
trustPolicy.CorporateClaims.CustomClaims.Add(corpCustomPosition)

' Trusted Realms. This is configuration information for an account 
' partner FS.
set trustedRealmAdatum = trustPolicy.NewTrustedRealm("urn:federation:adatum", _
    "ADATUM", _
    "https://ADATUMSTS/adfs/ls/", _
    CheckChainExcludeRoot)
trustedRealmAdatum.VerificationMethod.AddNewTrustedCertificate(fsaTokenVerificationCert)

set commonCNXform = CreateObject("System.Web.Security.SingleSignOn.CommonNameClaimTransform")
commonCNXform.PassThroughCommonName = true

trustedRealmAdatum.ClaimTransformation.CommonNameClaimTransformation = commonCNXform

' FS will check that a UPN that comes in the SAML token from the 
' account partner has this suffix. If the suffix does not match 
' then the token will be rejected by the FS. However in case of 
' successful Group-To-UPN mapping this rule will be ignored.
trustedRealmAdatum.ClaimTransformation.UpnSuffixValidationTransform.SuffixList.Add("adatum.com")

' Similarly if Email claim is the primary identity claim in the token 
' and the email suffix does not match then FS will reject this token. 
' However in case of successful Group-To-UPN mapping this rule will be 
' ignored.
trustedRealmAdatum.ClaimTransformation.EmailSuffixValidationTransform.SuffixList.Add("adatum.com")

' Mapping incoming group claims to corporate group claims. Mapping 
' group claim ClaimSubmitter (sent in the token by the account partner) 
' to corporate group claim: Form Submitter
trustedRealmAdatum.ClaimTransformation.GroupTransformations.Add(claimsObj.CreateGroupClaimTransform(corpGrpFormSubmitter, "ClaimSubmitter"))

' Similarly mapping group claim ClaimApprover(sent in the token by the 
' account partner) to corporate group claim: Form Approver.
trustedRealmAdatum.ClaimTransformation.GroupTransformations.Add(claimsObj.CreateGroupClaimTransform(corpGrpFormApprover, "ClaimApprover"))

' Mapping incoming custom claim to corporate custom claim. Mapping 
' custom claim Occupation (sent in the token by the account partner) 
' to corporate custom claim: Profession.
trustedRealmAdatum.ClaimTransformation.CustomClaimTransformations.Add(claimsObj.CreateCustomClaimTransform(corpCustomPosition, "Occupation"))

' Doing Group to UPN claim transformation. Please read documentation to 
' understand the concept of Group-To-UPN transformation.
trustedRealmAdatum.ClaimTransformation.GroupToUpnClaimTransformations.Add(claimsObj.CreateGroupToUpnClaimTransform("ClaimApprover","approver@trey.com"))
trustedRealmAdatum.ClaimTransformation.GroupToUpnClaimTransformations.Add(claimsObj.CreateGroupToUpnClaimTransform("ClaimSubmitter","submitter@trey.com"))


'Configuring a claims aware trusting web application.
set app1 = trustPolicy.NewTrustingApplication("https://WebAppMachine/simpleapp/", "Sample Claims aware web application")
app1.IsWindowsRealm = false

' Here we specify which corporate claims are configured to be passed to 
' this web app.
app1.ClaimTransformation.ClaimFilteringTransformation.AllowUpnClaim = true
app1.ClaimTransformation.ClaimFilteringTransformation.AllowEmailClaim = true
app1.ClaimTransformation.ClaimFilteringTransformation.AllowCommonNameClaim = true
app1.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(corpGrpFormSubmitter)
app1.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(corpGrpFormApprover)
app1.ClaimTransformation.ClaimFilteringTransformation.AllowedCustomClaimUuids.Add(corpCustomPosition)

'Configuring a traditional ASP web application.
set app2 = trustPolicy.NewTrustingApplication("https://WebAppMachine/nttokenapp/", "Sample NT token web application")
app2.IsWindowsRealm = true
app2.ClaimTransformation.ClaimFilteringTransformation.AllowUpnClaim = true
app2.ClaimTransformation.ClaimFilteringTransformation.AllowEmailClaim = true
app2.ClaimTransformation.ClaimFilteringTransformation.AllowCommonNameClaim = true
app2.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(corpGrpFormSubmitter)
app2.ClaimTransformation.ClaimFilteringTransformation.AllowedGroupClaimUuids.Add(corpGrpFormApprover)
app2.ClaimTransformation.ClaimFilteringTransformation.AllowedCustomClaimUuids.Add(corpCustomPosition)

' We are done with our configuration. Writing the trustpolicy file.
trustPolicy.Write(OutPath)

Add ADAM Account Stores to a Trust Policy File

This script adds ADAM Account Stores to a Trust Policy file.

It takes the following parameters:

The Trust Policy file to modify.
The number of ADAM Account Stores to add.
The new Trust Policy file to create.

Dim args, urnname, dispname
Dim tpFactory, tpFile, tp, outFile
Dim port
Set args=WScript.Arguments

If args.Count <> 3 Then
    WScript.Echo("This script adds ADAM Account Stores to a Trust Policy file.")
    WScript.Echo("")
    WScript.Echo("Parameters: {input file} {quantity} {output file}")
    WScript.Quit()
Else
    tpFile = args.Item(0)
    qty = args.Item(1)
    outFile = args.Item(2)
End If

' Create Objects/Factory
set tpFactory = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")

' Open the TrustPolicy
set tp = tpFactory.Load(tpFile, true) ' initialize certs
if (tp = null) Then
    WScript.Echo("Error loading Trust Policy file")
    WScript.Quit()
End If

' Create ADAM Account Stores
For i=1 To qty
    urnname = "urn:federation:adam-" & i
    dispname = "ADAM Store #" & i
    port = 389 + i 

    set AdamStore = tp.TrustedAccountStores.NewAdamAccountStore( _
        urnname, dispname, "adatumadam", "DC=adatum,DC=com", port, "userPrincipalName")

    ' ADAM LDAP Claims                                                            
    AdamStore.LdapClaimGeneration.UPNAttribute = "userPrincipalName"
    AdamStore.LdapClaimGeneration.EmailAttribute = "mail"
    AdamStore.LdapClaimGeneration.CommonNameAttribute = "displayName"
Next

tp.Write(outFile)

Add Resource Partners to a Trust Policy File

This script adds resource partners to a Trust Policy file.

It takes the following parameters:

The Trust Policy file to modify.
The number of resource partners to add.
The new Trust Policy file to create.

Dim args, urnname, dispname, res
Dim tpFactory, tpFile, tp, outFile

Set args=WScript.Arguments

If args.Count <> 3 Then
    WScript.Echo("This script adds Resource Partners to a Trust Policy file.")
    WScript.Echo("")
    WScript.Echo("Parameters: {input file} {quantity} {output file}")
    WScript.Quit()
Else
    tpFile = args.Item(0)
    qty = args.Item(1)
    outFile = args.Item(2)
End If

' Create Objects/Factory
set tpFactory = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")

' Open the TrustPolicy
set tp = tpFactory.Load(tpFile, true) ' initialize certs
if (tp = null) Then
    WScript.Echo("Error loading Trust Policy file")
    WScript.Quit()
End If

' Create Resource Partners
For i=0 To qty-1
    urnname = "urn:federation:adfsstrs_rp_" & i
    dispname = "Resource #" & i
    set res = tp.NewTrustingRealm(urnname, dispname, "https://adfsstrs_rp_" & i & "/adfs/ls/ClientLogon.aspx")

    ' Resource Partner Claims 
    res.ClaimTransformation.UpnSuffixTransformation.Suffix = "adfsstrs_rp_" & i & ".com"
    res.ClaimTransformation.EmailSuffixTransformation.Suffix = "adfsstrs_rp_" & i & ".com"
Next

tp.Write(outFile)

Modify Realm Cookie Lifetime

The following script modifies a Trust Policy file by changing the realm cookie lifetime that is written by the resource Federation Server to a persistent cookie.

It takes the following parameters:

The Trust Policy file to modify.
The new realm cookie lifetime in days.

' VBScript source code

Option Explicit

Dim tpf ' Trust policy factory
Dim tp ' TrustPolicy
Dim filename ' Trust policy filename
Dim lifetime ' Realm lifetime in days
Dim args

Set args=WScript.Arguments

if args.Count < 2 then
    WScript.Echo("Must specify Trust Policy file and realm cookie lifetime in days")
    WScript.Quit
end if

filename = args.Item(0)
lifetime = CInt(args.Item(1))

'
' Create factory
'
set tpf = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")

'
' Create the TrustPolicy
'
set tp = tpf.Load(filename, False) ' filename, don't initialize certs

'
' Hosted realm attributes
'
tp.RealmCookieLifetimeInDays = lifetime

tp.Write(filename)

WScript.Echo(filename & " has been updated for a realm cookie lifetime of " & lifetime & " days.")

Modify Revocation Check Settings

This script modifies a Trust Policy file by changing the revocation checking behavior used by ADFS to validate tokens. The revocation flags include:

How the FS validates its own tokens and how the web applications validate tokens issued by the FS-R (configured on this Federation Service)
How the FS-R validates tokens from each different FS-A (configured on the Account partner)

This script takes the following parameters:

The full path to the Trust Policy file.
The URI of the trust realm whose setting to change.
A revocation flag that must be one of the following:
- None
- CheckEndCert
- CheckEndCertCacheOnly
- CheckChain
- CheckChainCacheOnly
- CheckChainExcludeRoot
- CheckChainExcludeRootCacheOnly

Option Explicit

Dim tpf ' Trust policy factory
Dim cf ' Claim Factory

Dim tpFileName ' Trust policy file name
Dim trUri ' TrustRealm Uri
Dim revFlagsStr ' RevocationFlags enum in string form

Dim tp ' TrustPolicy
Dim tr ' TrustedRealm
Dim revFlags' RevocationFlags enum
Dim found ' Did we find the realm in the Trust Policy?

'----------------------------------------
' Echo usage.
'----------------------------------------
Sub Usage()
    WScript.StdErr.WriteLine("Usage:")
    WScript.StdErr.WriteLine("TpCrlChk.vbs TrustPolicy.xml TrustRealmUri RevocationFlags")
    WScript.Quit
End Sub

'----------------------------------------
' Fetch the RevocationFlags enum value.
'----------------------------------------
Function GetRevFlags(revFlagsStr)
    If (revFlagsStr = "None") Then
        GetRevFlags = 0
    ElseIf (revFlagsStr = "CheckEndCert") Then
        GetRevFlags = 1
    ElseIf (revFlagsStr = "CheckEndCertCacheOnly") Then
        GetRevFlags = 2
    ElseIf (revFlagsStr = "CheckChain") Then
        GetRevFlags = 3
    ElseIf (revFlagsStr = "CheckChainCacheOnly") Then
        GetRevFlags = 4
    ElseIf (revFlagsStr = "CheckChainExcludeRoot") Then
        GetRevFlags = 5
    ElseIf (revFlagsStr = "CheckChainExcludeRootCacheOnly") Then
        GetRevFlags = 6
    Else
        Call Usage()
    End If
End Function

'----------------------------------------
' Get the parameters.
'----------------------------------------

Dim ArgObj
Set ArgObj = WScript.Arguments

If (ArgObj.Count < 3) Then
    Call Usage()
End If

tpFileName = ArgObj.Item (0)
trUri = ArgObj.Item(1)
revFlags = GetRevFlags(ArgObj.Item(2))

'----------------------------------------
' Do the job.
'----------------------------------------

WScript.StdOut.WriteLine("Loading Trust Policy: " & tpFileName)

'
' Create factories
'
Set tpf = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")
Set cf = CreateObject("System.Web.Security.SingleSignOn.ClaimFactory")

'
' Load the TrustPolicy
'
Set tp = tpf.Load(tpFileName, 0) ' initialize certs = false

'
' Find the realm and set the revocation flags
'
found = 0
If (tp.TrustPolicyEntryUri = trUri) Then
    '
    ' Hosted realm attributes
    '
    WScript.StdOut.WriteLine("Changing the setting for this Federation service: " & trUri)
    found = 1
    tp.VerificationMethod.RevocationCheckFlags = revFlags
Else
    '
    ' Trusted Realms
    '
    For Each tr in tp.TrustedRealms
        If (tr.TrustPolicyEntryUri = trUri) Then
            WScript.StdOut.WriteLine("Changing the setting for this Account partner: " & trUri)
            found = 1
            tr.VerificationMethod.RevocationCheckFlags = revFlags
            Exit For 'since the Uri is unique
        End If
    Next

    If (found = 0) Then
        WScript.StdErr.WriteLine("Error: " & trUri & " is neither this Federation Service nor an Account partner.")
        WScript.Quit
    End If
End If

'----------------------------------------
' Save the TrustPolicy
'----------------------------------------
WScript.StdOut.Write("Saving changed Trust Policy...")

tp.Write(tpFileName)

WScript.StdOut.WriteLine("Done.")