AdfsDsc: Update Help and Example Files (#68)

X-Guardian · Apr 21, 2023 · e4f22cf · e4f22cf
1 parent 9266584
commit e4f22cf
Show file tree

Hide file tree

Showing 15 changed files with 124 additions and 30 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- AdfsDsc
+  - Updated the Help and Example files.
+
 ## [1.3.1] - 2023-04-19
 
 ### Fixed

diff --git a/...SCResources/MSFT_AdfsApplicationPermission/en-US/about_AdfsApplicationPermission.help.txt b/...SCResources/MSFT_AdfsApplicationPermission/en-US/about_AdfsApplicationPermission.help.txt
@@ -32,7 +32,7 @@
 
 .EXAMPLE 1
 
-This configuration will grant application permission in Active Directory Federation Services (AD FS).
+This configuration will grant an application permission in Active Directory Federation Services (AD FS).
 
 Configuration AdfsApplicationPermission_Config
 {
@@ -42,8 +42,8 @@ Configuration AdfsApplicationPermission_Config
     {
         AdfsApplicationPermission AppPermission1
         {
-            ClientRoleIdentifier = 'e7bfb303-c5f6-4028-a360-b6293d41338c'
-            ServerRoleIdentifier = 'e7bfb303-c5f6-4028-a360-b6293d41338c'
+            ClientRoleIdentifier = '168f3ee4-63fc-4723-a61a-6473f6cb515c'
+            ServerRoleIdentifier = 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope'
             Description          = "This is the AppPermission1 Description"
             ScopeNames           = 'openid'
         }

diff --git a/...s/MSFT_AdfsGlobalAuthenticationPolicy/en-US/about_AdfsGlobalAuthenticationPolicy.help.txt b/...s/MSFT_AdfsGlobalAuthenticationPolicy/en-US/about_AdfsGlobalAuthenticationPolicy.help.txt
@@ -49,7 +49,7 @@
 
 .EXAMPLE 1
 
-This configuration will ...
+This configuration will set the global authentication policy for the ADFS service.
 
 Configuration AdfsGlobalAuthenticationPolicy_Config
 {

diff --git a/source/DSCResources/MSFT_AdfsGlobalWebContent/en-US/about_AdfsGlobalWebContent.help.txt b/source/DSCResources/MSFT_AdfsGlobalWebContent/en-US/about_AdfsGlobalWebContent.help.txt
@@ -95,7 +95,7 @@
 
 .EXAMPLE 1
 
-This configuration will the company name of the global web content for the invariant locale. If there is no
+This configuration will set the company name of the global web content for the invariant locale. If there is no
 logo, the sign-in page displays the company name Contoso.
 
 Configuration AdfsGlobalWebContent_CompanyName_Config

diff --git a/source/DSCResources/MSFT_AdfsProperties/en-US/about_AdfsProperties.help.txt b/source/DSCResources/MSFT_AdfsProperties/en-US/about_AdfsProperties.help.txt
@@ -261,7 +261,7 @@
 
 .EXAMPLE 1
 
-This configuration will ...
+This configuration will set the Extranet Lockout properties on the ADFS service.
 
 Configuration AdfsProperties_Config
 {

diff --git a/source/DSCResources/MSFT_AdfsWebApiApplication/en-US/about_AdfsWebApiApplication.help.txt b/source/DSCResources/MSFT_AdfsWebApiApplication/en-US/about_AdfsWebApiApplication.help.txt
@@ -94,7 +94,7 @@
 
 .EXAMPLE 1
 
-This configuration will add a Web API application role to an application in Active Directory Federation
+This configuration will add a Web API application to an application group in Active Directory Federation
 Services (AD FS).
 
 Configuration AdfsWebApiApplication_Config
@@ -105,6 +105,12 @@ Configuration AdfsWebApiApplication_Config
 
     Node localhost
     {
+        AdfsApplicationGroup AppGroup1
+        {
+            Name        = 'AppGroup1'
+            Description = "This is the AppGroup1 Description"
+        }
+
         AdfsWebApiApplication WebApiApp1
         {
             Name                                 = 'AppGroup1 - Web API'
@@ -125,8 +131,8 @@ Configuration AdfsWebApiApplication_Config
 
 .EXAMPLE 2
 
-This configuration will add a Web API application role to an application in Active Directory Federation
-Services (AD FS).
+This configuration will add a Web API application with an LDAP Claims Issuance Transform rule to an application group
+in Active Directory Federation Services (AD FS).
 
 Configuration AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config
 {
@@ -136,6 +142,12 @@ Configuration AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config
 
     Node localhost
     {
+        AdfsApplicationGroup AppGroup1
+        {
+            Name        = 'AppGroup1'
+            Description = "This is the AppGroup1 Description"
+        }
+
         AdfsWebApiApplication WebApiApp1
         {
             Name                          = 'AppGroup1 - Web API'
@@ -176,8 +188,8 @@ Configuration AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config
 
 .EXAMPLE 3
 
-This configuration will add a Web API application role to an application in Active Directory Federation
-Services (AD FS).
+This configuration will add a Web API application with an Emit Group Claims Issuance Transform rule to an application
+group in Active Directory Federation Services (AD FS).
 
 Configuration AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Config
 {
@@ -187,6 +199,12 @@ Configuration AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Confi
 
     Node localhost
     {
+        AdfsApplicationGroup AppGroup1
+        {
+            Name        = 'AppGroup1'
+            Description = "This is the AppGroup1 Description"
+        }
+
         AdfsWebApiApplication WebApiApp1
         {
             Name                          = 'AppGroup1 - Web API'
@@ -217,8 +235,8 @@ Configuration AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Confi
 
 .EXAMPLE 4
 
-This configuration will add a Web API application role to an application in Active Directory Federation
-Services (AD FS).
+This configuration will add a Web API application with a Custom Claims Issuance Transform rule to an application group
+in Active Directory Federation Services (AD FS).
 
 Configuration AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config
 {
@@ -228,6 +246,12 @@ Configuration AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config
 
     Node localhost
     {
+        AdfsApplicationGroup AppGroup1
+        {
+            Name        = 'AppGroup1'
+            Description = "This is the AppGroup1 Description"
+        }
+
         AdfsWebApiApplication WebApiApp1
         {
             Name                          = 'AppGroup1 - Web API'
@@ -247,11 +271,46 @@ Configuration AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config
                 {
                     TemplateName = 'CustomClaims'
                     Name         = 'App1 Custom Claim'
-                    CustomRule   = 'TBC'
+                    CustomRule   = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";givenName;{0}", param = c.Value);'
                 }
             )
         }
     }
 }
 
+.EXAMPLE 5
+
+This configuration will add a Web API application with an access control policy parameters to an application group in
+Active Directory Federation Services (AD FS).
 
+Configuration AdfsWebApiApplication_AccessControlPolicyParameters_Config
+{
+    param()
+
+    Import-DscResource -ModuleName AdfsDsc
+
+    Node localhost
+    {
+        AdfsApplicationGroup AppGroup1
+        {
+            Name        = 'AppGroup1'
+            Description = "This is the AppGroup1 Description"
+        }
+
+        AdfsWebApiApplication WebApiApp1
+        {
+            Name                          = 'AppGroup1 - Web API'
+            ApplicationGroupIdentifier    = 'AppGroup1'
+            Identifier                    = 'e7bfb303-c5f6-4028-a360-b6293d41338c'
+            Description                   = 'App1 Web Api'
+            AccessControlPolicyName       = 'Permit specific group'
+            AccessControlPolicyParameters = MSFT_AdfsAccessControlPolicyParameters
+            {
+                GroupParameter = @(
+                    'CONTOSO\AppGroup1 Users'
+                    'CONTOSO\AppGroup1 Admins'
+                )
+            }
+        }
+    }
+}
diff --git a/source/Examples/Resources/AdfsApplicationPermission/1-AdfsApplicationPermission_Config.ps1 b/source/Examples/Resources/AdfsApplicationPermission/1-AdfsApplicationPermission_Config.ps1
@@ -19,7 +19,7 @@
 
 <#
     .DESCRIPTION
-        This configuration will grant application permission in Active Directory Federation Services (AD FS).
+        This configuration will grant an application permission in Active Directory Federation Services (AD FS).
 #>
 
 Configuration AdfsApplicationPermission_Config
@@ -30,8 +30,8 @@ Configuration AdfsApplicationPermission_Config
     {
         AdfsApplicationPermission AppPermission1
         {
-            ClientRoleIdentifier = 'e7bfb303-c5f6-4028-a360-b6293d41338c'
-            ServerRoleIdentifier = 'e7bfb303-c5f6-4028-a360-b6293d41338c'
+            ClientRoleIdentifier = '168f3ee4-63fc-4723-a61a-6473f6cb515c'
+            ServerRoleIdentifier = 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope'
             Description          = "This is the AppPermission1 Description"
             ScopeNames           = 'openid'
         }

diff --git a/...ples/Resources/AdfsGlobalAuthenticationPolicy/1-AdfsGlobalAuthenticationPolicy_Config.ps1 b/...ples/Resources/AdfsGlobalAuthenticationPolicy/1-AdfsGlobalAuthenticationPolicy_Config.ps1
@@ -19,7 +19,7 @@
 
 <#
     .DESCRIPTION
-        This configuration will ...
+        This configuration will set the global authentication policy for the ADFS service.
 #>
 
 Configuration AdfsGlobalAuthenticationPolicy_Config

diff --git a/source/Examples/Resources/AdfsGlobalWebContent/1-AdfsGlobalWebContent_CompanyName_Config.ps1 b/source/Examples/Resources/AdfsGlobalWebContent/1-AdfsGlobalWebContent_CompanyName_Config.ps1
@@ -19,7 +19,7 @@
 
 <#
     .DESCRIPTION
-        This configuration will the company name of the global web content for the invariant locale. If there is no
+        This configuration will set the company name of the global web content for the invariant locale. If there is no
         logo, the sign-in page displays the company name Contoso.
 #>
 

diff --git a/source/Examples/Resources/AdfsProperties/1-AdfsProperties_Config.ps1 b/source/Examples/Resources/AdfsProperties/1-AdfsProperties_Config.ps1
@@ -19,7 +19,7 @@
 
 <#
     .DESCRIPTION
-        This configuration will ...
+        This configuration will set the Extranet Lockout properties on the ADFS service.
 #>
 
 Configuration AdfsProperties_Config

diff --git a/source/Examples/Resources/AdfsWebApiApplication/1-AdfsWebApiApplication_Config.ps1 b/source/Examples/Resources/AdfsWebApiApplication/1-AdfsWebApiApplication_Config.ps1
@@ -19,7 +19,7 @@
 
 <#
     .DESCRIPTION
-        This configuration will add a Web API application role to an application in Active Directory Federation
+        This configuration will add a Web API application to an application group in Active Directory Federation
         Services (AD FS).
 #>
 
@@ -31,6 +31,12 @@ Configuration AdfsWebApiApplication_Config
 
     Node localhost
     {
+        AdfsApplicationGroup AppGroup1
+        {
+            Name        = 'AppGroup1'
+            Description = "This is the AppGroup1 Description"
+        }
+
         AdfsWebApiApplication WebApiApp1
         {
             Name                          = 'AppGroup1 - Web API'

diff --git a/...dfsWebApiApplication/2-AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config.ps1 b/...dfsWebApiApplication/2-AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config.ps1
@@ -19,8 +19,8 @@
 
 <#
     .DESCRIPTION
-        This configuration will add a Web API application role to an application in Active Directory Federation
-        Services (AD FS).
+        This configuration will add a Web API application with an LDAP Claims Issuance Transform rule to an application
+        group in Active Directory Federation Services (AD FS).
 #>
 
 Configuration AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config
@@ -31,6 +31,12 @@ Configuration AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config
 
     Node localhost
     {
+        AdfsApplicationGroup AppGroup1
+        {
+            Name        = 'AppGroup1'
+            Description = "This is the AppGroup1 Description"
+        }
+
         AdfsWebApiApplication WebApiApp1
         {
             Name                          = 'AppGroup1 - Web API'

diff --git a/...bApiApplication/3-AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Config.ps1 b/...bApiApplication/3-AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Config.ps1
@@ -19,8 +19,8 @@
 
 <#
     .DESCRIPTION
-        This configuration will add a Web API application role to an application in Active Directory Federation
-        Services (AD FS).
+        This configuration will add a Web API application with an Emit Group Claims Issuance Transform rule to an
+        application group in Active Directory Federation Services (AD FS).
 #>
 
 Configuration AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Config
@@ -31,6 +31,12 @@ Configuration AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Confi
 
     Node localhost
     {
+        AdfsApplicationGroup AppGroup1
+        {
+            Name        = 'AppGroup1'
+            Description = "This is the AppGroup1 Description"
+        }
+
         AdfsWebApiApplication WebApiApp1
         {
             Name                          = 'AppGroup1 - Web API'

diff --git a/...sWebApiApplication/4-AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config.ps1 b/...sWebApiApplication/4-AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config.ps1
@@ -19,8 +19,8 @@
 
 <#
     .DESCRIPTION
-        This configuration will add a Web API application role to an application in Active Directory Federation
-        Services (AD FS).
+        This configuration will add a Web API application with a Custom Claims Issuance Transform rule to an
+        application group in Active Directory Federation Services (AD FS).
 #>
 
 Configuration AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config
@@ -31,6 +31,12 @@ Configuration AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config
 
     Node localhost
     {
+        AdfsApplicationGroup AppGroup1
+        {
+            Name        = 'AppGroup1'
+            Description = "This is the AppGroup1 Description"
+        }
+
         AdfsWebApiApplication WebApiApp1
         {
             Name                          = 'AppGroup1 - Web API'
@@ -50,7 +56,7 @@ Configuration AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config
                 {
                     TemplateName = 'CustomClaims'
                     Name         = 'App1 Custom Claim'
-                    CustomRule   = 'TBC'
+                    CustomRule   = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";givenName;{0}", param = c.Value);'
                 }
             )
         }

diff --git a/...es/AdfsWebApiApplication/5-AdfsWebApiApplication_AccessControlPolicyParameters_Config.ps1 b/...es/AdfsWebApiApplication/5-AdfsWebApiApplication_AccessControlPolicyParameters_Config.ps1
@@ -19,8 +19,8 @@
 
 <#
     .DESCRIPTION
-        This configuration will add a Web API application role with access control policy parameters to an application
-        in Active Directory Federation Services (AD FS).
+        This configuration will add a Web API application with an access control policy parameters to an application
+        group in Active Directory Federation Services (AD FS).
 #>
 
 Configuration AdfsWebApiApplication_AccessControlPolicyParameters_Config
@@ -31,6 +31,12 @@ Configuration AdfsWebApiApplication_AccessControlPolicyParameters_Config
 
     Node localhost
     {
+        AdfsApplicationGroup AppGroup1
+        {
+            Name        = 'AppGroup1'
+            Description = "This is the AppGroup1 Description"
+        }
+
         AdfsWebApiApplication WebApiApp1
         {
             Name                          = 'AppGroup1 - Web API'