From e4f22cffcac1eb831815870278ab5a77e28e7789 Mon Sep 17 00:00:00 2001 From: Simon Heather <32168619+X-Guardian@users.noreply.github.com> Date: Fri, 21 Apr 2023 10:17:39 +0100 Subject: [PATCH] AdfsDsc: Update Help and Example Files (#68) --- CHANGELOG.md | 5 ++ .../about_AdfsApplicationPermission.help.txt | 6 +- ...ut_AdfsGlobalAuthenticationPolicy.help.txt | 2 +- .../en-US/about_AdfsGlobalWebContent.help.txt | 2 +- .../en-US/about_AdfsProperties.help.txt | 2 +- .../about_AdfsWebApiApplication.help.txt | 75 +++++++++++++++++-- .../1-AdfsApplicationPermission_Config.ps1 | 6 +- ...-AdfsGlobalAuthenticationPolicy_Config.ps1 | 2 +- ...dfsGlobalWebContent_CompanyName_Config.ps1 | 2 +- .../1-AdfsProperties_Config.ps1 | 2 +- .../1-AdfsWebApiApplication_Config.ps1 | 8 +- ...apClaims_IssuanceTransformRules_Config.ps1 | 10 ++- ...upClaims_IssuanceTransformRules_Config.ps1 | 10 ++- ...omClaims_IssuanceTransformRules_Config.ps1 | 12 ++- ...n_AccessControlPolicyParameters_Config.ps1 | 10 ++- 15 files changed, 124 insertions(+), 30 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 058da92..bc84ead 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Changed + +- AdfsDsc + - Updated the Help and Example files. + ## [1.3.1] - 2023-04-19 ### Fixed diff --git a/source/DSCResources/MSFT_AdfsApplicationPermission/en-US/about_AdfsApplicationPermission.help.txt b/source/DSCResources/MSFT_AdfsApplicationPermission/en-US/about_AdfsApplicationPermission.help.txt index a5351e2..d881a00 100644 --- a/source/DSCResources/MSFT_AdfsApplicationPermission/en-US/about_AdfsApplicationPermission.help.txt +++ b/source/DSCResources/MSFT_AdfsApplicationPermission/en-US/about_AdfsApplicationPermission.help.txt 
@@ -32,7 +32,7 @@ .EXAMPLE 1 -This configuration will grant application permission in Active Directory Federation Services (AD FS). +This configuration will grant an application permission in Active Directory Federation Services (AD FS). Configuration AdfsApplicationPermission_Config { @@ -42,8 +42,8 @@ Configuration AdfsApplicationPermission_Config { AdfsApplicationPermission AppPermission1 { - ClientRoleIdentifier = 'e7bfb303-c5f6-4028-a360-b6293d41338c' - ServerRoleIdentifier = 'e7bfb303-c5f6-4028-a360-b6293d41338c' + ClientRoleIdentifier = '168f3ee4-63fc-4723-a61a-6473f6cb515c' + ServerRoleIdentifier = 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' Description = "This is the AppPermission1 Description" ScopeNames = 'openid' } diff --git a/source/DSCResources/MSFT_AdfsGlobalAuthenticationPolicy/en-US/about_AdfsGlobalAuthenticationPolicy.help.txt b/source/DSCResources/MSFT_AdfsGlobalAuthenticationPolicy/en-US/about_AdfsGlobalAuthenticationPolicy.help.txt index 238b475..3ca7baa 100644 --- a/source/DSCResources/MSFT_AdfsGlobalAuthenticationPolicy/en-US/about_AdfsGlobalAuthenticationPolicy.help.txt +++ b/source/DSCResources/MSFT_AdfsGlobalAuthenticationPolicy/en-US/about_AdfsGlobalAuthenticationPolicy.help.txt @@ -49,7 +49,7 @@ .EXAMPLE 1 -This configuration will ... +This configuration will set the global authentication policy for the ADFS service. Configuration AdfsGlobalAuthenticationPolicy_Config { diff --git a/source/DSCResources/MSFT_AdfsGlobalWebContent/en-US/about_AdfsGlobalWebContent.help.txt b/source/DSCResources/MSFT_AdfsGlobalWebContent/en-US/about_AdfsGlobalWebContent.help.txt index fde1f22..a901b54 100644 --- a/source/DSCResources/MSFT_AdfsGlobalWebContent/en-US/about_AdfsGlobalWebContent.help.txt +++ b/source/DSCResources/MSFT_AdfsGlobalWebContent/en-US/about_AdfsGlobalWebContent.help.txt 
@@ -95,7 +95,7 @@ .EXAMPLE 1 -This configuration will the company name of the global web content for the invariant locale. If there is no +This configuration will set the company name of the global web content for the invariant locale. If there is no logo, the sign-in page displays the company name Contoso. Configuration AdfsGlobalWebContent_CompanyName_Config diff --git a/source/DSCResources/MSFT_AdfsProperties/en-US/about_AdfsProperties.help.txt b/source/DSCResources/MSFT_AdfsProperties/en-US/about_AdfsProperties.help.txt index 9f4632b..477cd9a 100644 --- a/source/DSCResources/MSFT_AdfsProperties/en-US/about_AdfsProperties.help.txt +++ b/source/DSCResources/MSFT_AdfsProperties/en-US/about_AdfsProperties.help.txt @@ -261,7 +261,7 @@ .EXAMPLE 1 -This configuration will ... +This configuration will set the Extranet Lockout properties on the ADFS service. Configuration AdfsProperties_Config { diff --git a/source/DSCResources/MSFT_AdfsWebApiApplication/en-US/about_AdfsWebApiApplication.help.txt b/source/DSCResources/MSFT_AdfsWebApiApplication/en-US/about_AdfsWebApiApplication.help.txt index 9bf78d6..9add91f 100644 --- a/source/DSCResources/MSFT_AdfsWebApiApplication/en-US/about_AdfsWebApiApplication.help.txt +++ b/source/DSCResources/MSFT_AdfsWebApiApplication/en-US/about_AdfsWebApiApplication.help.txt @@ -94,7 +94,7 @@ .EXAMPLE 1 -This configuration will add a Web API application role to an application in Active Directory Federation +This configuration will add a Web API application to an application group in Active Directory Federation Services (AD FS). Configuration AdfsWebApiApplication_Config @@ -105,6 +105,12 @@ Configuration AdfsWebApiApplication_Config Node localhost { + AdfsApplicationGroup AppGroup1 + { + Name = 'AppGroup1' + Description = "This is the AppGroup1 Description" + } + AdfsWebApiApplication WebApiApp1 { Name = 'AppGroup1 - Web API' 
@@ -125,8 +131,8 @@ Configuration AdfsWebApiApplication_Config .EXAMPLE 2 -This configuration will add a Web API application role to an application in Active Directory Federation -Services (AD FS). +This configuration will add a Web API application with an LDAP Claims Issuance Transform rule to an application group +in Active Directory Federation Services (AD FS). Configuration AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config { @@ -136,6 +142,12 @@ Configuration AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config Node localhost { + AdfsApplicationGroup AppGroup1 + { + Name = 'AppGroup1' + Description = "This is the AppGroup1 Description" + } + AdfsWebApiApplication WebApiApp1 { Name = 'AppGroup1 - Web API' @@ -176,8 +188,8 @@ Configuration AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config .EXAMPLE 3 -This configuration will add a Web API application role to an application in Active Directory Federation -Services (AD FS). +This configuration will add a Web API application with an Emit Group Claims Issuance Transform rule to an application +group in Active Directory Federation Services (AD FS). Configuration AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Config { @@ -187,6 +199,12 @@ Configuration AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Confi Node localhost { + AdfsApplicationGroup AppGroup1 + { + Name = 'AppGroup1' + Description = "This is the AppGroup1 Description" + } + AdfsWebApiApplication WebApiApp1 { Name = 'AppGroup1 - Web API' 
@@ -217,8 +235,8 @@ Configuration AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Confi .EXAMPLE 4 -This configuration will add a Web API application role to an application in Active Directory Federation -Services (AD FS). +This configuration will add a Web API application with a Custom Claims Issuance Transform rule to an application group +in Active Directory Federation Services (AD FS). Configuration AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config { @@ -228,6 +246,12 @@ Configuration AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config Node localhost { + AdfsApplicationGroup AppGroup1 + { + Name = 'AppGroup1' + Description = "This is the AppGroup1 Description" + } + AdfsWebApiApplication WebApiApp1 { Name = 'AppGroup1 - Web API' 
@@ -247,11 +271,46 @@ Configuration AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config { TemplateName = 'CustomClaims' Name = 'App1 Custom Claim' - CustomRule = 'TBC' + CustomRule = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";givenName;{0}", param = c.Value);' } ) } } } +.EXAMPLE 5 + +This configuration will add a Web API application with an access control policy parameters to an application group in +Active Directory Federation Services (AD FS). +Configuration AdfsWebApiApplication_AccessControlPolicyParameters_Config +{ + param() + + Import-DscResource -ModuleName AdfsDsc + + Node localhost + { + AdfsApplicationGroup AppGroup1 + { + Name = 'AppGroup1' + Description = "This is the AppGroup1 Description" + } + + AdfsWebApiApplication WebApiApp1 + { + Name = 'AppGroup1 - Web API' + ApplicationGroupIdentifier = 'AppGroup1' + Identifier = 'e7bfb303-c5f6-4028-a360-b6293d41338c' + Description = 'App1 Web Api' + AccessControlPolicyName = 'Permit specific group' + AccessControlPolicyParameters = MSFT_AdfsAccessControlPolicyParameters + { + GroupParameter = @( + 'CONTOSO\AppGroup1 Users' + 'CONTOSO\AppGroup1 Admins' + ) + } + } + } +} diff --git a/source/Examples/Resources/AdfsApplicationPermission/1-AdfsApplicationPermission_Config.ps1 b/source/Examples/Resources/AdfsApplicationPermission/1-AdfsApplicationPermission_Config.ps1 index 459f8d4..6858fc7 100644 --- a/source/Examples/Resources/AdfsApplicationPermission/1-AdfsApplicationPermission_Config.ps1 +++ b/source/Examples/Resources/AdfsApplicationPermission/1-AdfsApplicationPermission_Config.ps1 
@@ -19,7 +19,7 @@ <# .DESCRIPTION - This configuration will grant application permission in Active Directory Federation Services (AD FS). + This configuration will grant an application permission in Active Directory Federation Services (AD FS). #> Configuration AdfsApplicationPermission_Config @@ -30,8 +30,8 @@ Configuration AdfsApplicationPermission_Config { AdfsApplicationPermission AppPermission1 { - ClientRoleIdentifier = 'e7bfb303-c5f6-4028-a360-b6293d41338c' - ServerRoleIdentifier = 'e7bfb303-c5f6-4028-a360-b6293d41338c' + ClientRoleIdentifier = '168f3ee4-63fc-4723-a61a-6473f6cb515c' + ServerRoleIdentifier = 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' Description = "This is the AppPermission1 Description" ScopeNames = 'openid' } diff --git a/source/Examples/Resources/AdfsGlobalAuthenticationPolicy/1-AdfsGlobalAuthenticationPolicy_Config.ps1 b/source/Examples/Resources/AdfsGlobalAuthenticationPolicy/1-AdfsGlobalAuthenticationPolicy_Config.ps1 index 2ed9586..b4f9ff5 100644 --- a/source/Examples/Resources/AdfsGlobalAuthenticationPolicy/1-AdfsGlobalAuthenticationPolicy_Config.ps1 +++ b/source/Examples/Resources/AdfsGlobalAuthenticationPolicy/1-AdfsGlobalAuthenticationPolicy_Config.ps1 @@ -19,7 +19,7 @@ <# .DESCRIPTION - This configuration will ... + This configuration will set the global authentication policy for the ADFS service. #> Configuration AdfsGlobalAuthenticationPolicy_Config diff --git a/source/Examples/Resources/AdfsGlobalWebContent/1-AdfsGlobalWebContent_CompanyName_Config.ps1 b/source/Examples/Resources/AdfsGlobalWebContent/1-AdfsGlobalWebContent_CompanyName_Config.ps1 index 597830f..d6228ae 100644 --- a/source/Examples/Resources/AdfsGlobalWebContent/1-AdfsGlobalWebContent_CompanyName_Config.ps1 +++ b/source/Examples/Resources/AdfsGlobalWebContent/1-AdfsGlobalWebContent_CompanyName_Config.ps1 
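Review bot: The two new identifier values in AppPermission1 are unexplained: `ClientRoleIdentifier = '168f3ee4-63fc-4723-a61a-6473f6cb515c'` matches no client application defined in any example on this page (the earlier value reused the WebApiApp1 identifier 'e7bfb303-…'), and the `ServerRoleIdentifier` URI is presumably the AD FS self-scope, but a reader of the example cannot tell. Suggest a short comment above each line, e.g. `# Identifier of the client application being granted access (must already exist in AD FS)` and `# The AD FS service's own scope, so the client is permitted to call AD FS endpoints with the 'openid' scope` — the second wording should be confirmed against the resource's own help text. The same values appear in the about_AdfsApplicationPermission help text hunk.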
@@ -19,7 +19,7 @@ <# .DESCRIPTION - This configuration will the company name of the global web content for the invariant locale. If there is no + This configuration will set the company name of the global web content for the invariant locale. If there is no logo, the sign-in page displays the company name Contoso. #> diff --git a/source/Examples/Resources/AdfsProperties/1-AdfsProperties_Config.ps1 b/source/Examples/Resources/AdfsProperties/1-AdfsProperties_Config.ps1 index 99ab3ee..1113f8e 100644 --- a/source/Examples/Resources/AdfsProperties/1-AdfsProperties_Config.ps1 +++ b/source/Examples/Resources/AdfsProperties/1-AdfsProperties_Config.ps1 @@ -19,7 +19,7 @@ <# .DESCRIPTION - This configuration will ... + This configuration will set the Extranet Lockout properties on the ADFS service. #> Configuration AdfsProperties_Config diff --git a/source/Examples/Resources/AdfsWebApiApplication/1-AdfsWebApiApplication_Config.ps1 b/source/Examples/Resources/AdfsWebApiApplication/1-AdfsWebApiApplication_Config.ps1 index c732bf0..598c9fe 100644 --- a/source/Examples/Resources/AdfsWebApiApplication/1-AdfsWebApiApplication_Config.ps1 +++ b/source/Examples/Resources/AdfsWebApiApplication/1-AdfsWebApiApplication_Config.ps1 @@ -19,7 +19,7 @@ <# .DESCRIPTION - This configuration will add a Web API application role to an application in Active Directory Federation + This configuration will add a Web API application to an application group in Active Directory Federation Services (AD FS). #> @@ -31,6 +31,12 @@ Configuration AdfsWebApiApplication_Config Node localhost { + AdfsApplicationGroup AppGroup1 + { + Name = 'AppGroup1' + Description = "This is the AppGroup1 Description" + } + AdfsWebApiApplication WebApiApp1 { Name = 'AppGroup1 - Web API' 
diff --git a/source/Examples/Resources/AdfsWebApiApplication/2-AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config.ps1 b/source/Examples/Resources/AdfsWebApiApplication/2-AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config.ps1 index 41996db..d713425 100644 --- a/source/Examples/Resources/AdfsWebApiApplication/2-AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config.ps1 +++ b/source/Examples/Resources/AdfsWebApiApplication/2-AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config.ps1 @@ -19,8 +19,8 @@ <# .DESCRIPTION - This configuration will add a Web API application role to an application in Active Directory Federation - Services (AD FS). + This configuration will add a Web API application with an LDAP Claims Issuance Transform rule to an application + group in Active Directory Federation Services (AD FS). #> Configuration AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config @@ -31,6 +31,12 @@ Configuration AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config Node localhost { + AdfsApplicationGroup AppGroup1 + { + Name = 'AppGroup1' + Description = "This is the AppGroup1 Description" + } + AdfsWebApiApplication WebApiApp1 { Name = 'AppGroup1 - Web API' diff --git a/source/Examples/Resources/AdfsWebApiApplication/3-AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Config.ps1 b/source/Examples/Resources/AdfsWebApiApplication/3-AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Config.ps1 index a2160da..ec443cf 100644 --- a/source/Examples/Resources/AdfsWebApiApplication/3-AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Config.ps1 +++ b/source/Examples/Resources/AdfsWebApiApplication/3-AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Config.ps1 
@@ -19,8 +19,8 @@ <# .DESCRIPTION - This configuration will add a Web API application role to an application in Active Directory Federation - Services (AD FS). + This configuration will add a Web API application with an Emit Group Claims Issuance Transform rule to an + application group in Active Directory Federation Services (AD FS). #> Configuration AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Config @@ -31,6 +31,12 @@ Configuration AdfsWebApiApplication_EmitGroupClaims_IssuanceTransformRules_Confi Node localhost { + AdfsApplicationGroup AppGroup1 + { + Name = 'AppGroup1' + Description = "This is the AppGroup1 Description" + } + AdfsWebApiApplication WebApiApp1 { Name = 'AppGroup1 - Web API' diff --git a/source/Examples/Resources/AdfsWebApiApplication/4-AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config.ps1 b/source/Examples/Resources/AdfsWebApiApplication/4-AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config.ps1 index 09be6e9..1fcdc17 100644 --- a/source/Examples/Resources/AdfsWebApiApplication/4-AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config.ps1 +++ b/source/Examples/Resources/AdfsWebApiApplication/4-AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config.ps1 @@ -19,8 +19,8 @@ <# .DESCRIPTION - This configuration will add a Web API application role to an application in Active Directory Federation - Services (AD FS). + This configuration will add a Web API application with a Custom Claims Issuance Transform rule to an + application group in Active Directory Federation Services (AD FS). #> Configuration AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config @@ -31,6 +31,12 @@ Configuration AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config Node localhost { + AdfsApplicationGroup AppGroup1 + { + Name = 'AppGroup1' + Description = "This is the AppGroup1 Description" + } + AdfsWebApiApplication WebApiApp1 { Name = 'AppGroup1 - Web API' 
@@ -50,7 +56,7 @@ Configuration AdfsWebApiApplication_CustomClaims_IssuanceTransformRules_Config { TemplateName = 'CustomClaims' Name = 'App1 Custom Claim' - CustomRule = 'TBC' + CustomRule = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";givenName;{0}", param = c.Value);' } ) } diff --git a/source/Examples/Resources/AdfsWebApiApplication/5-AdfsWebApiApplication_AccessControlPolicyParameters_Config.ps1 b/source/Examples/Resources/AdfsWebApiApplication/5-AdfsWebApiApplication_AccessControlPolicyParameters_Config.ps1 index 0a0dc67..3c47478 100644 --- a/source/Examples/Resources/AdfsWebApiApplication/5-AdfsWebApiApplication_AccessControlPolicyParameters_Config.ps1 +++ b/source/Examples/Resources/AdfsWebApiApplication/5-AdfsWebApiApplication_AccessControlPolicyParameters_Config.ps1 @@ -19,8 +19,8 @@ <# .DESCRIPTION - This configuration will add a Web API application role with access control policy parameters to an application - in Active Directory Federation Services (AD FS). + This configuration will add a Web API application with an access control policy parameters to an application + group in Active Directory Federation Services (AD FS). #> Configuration AdfsWebApiApplication_AccessControlPolicyParameters_Config @@ -31,6 +31,12 @@ Configuration AdfsWebApiApplication_AccessControlPolicyParameters_Config Node localhost { + AdfsApplicationGroup AppGroup1 + { + Name = 'AppGroup1' + Description = "This is the AppGroup1 Description" + } + AdfsWebApiApplication WebApiApp1 { Name = 'AppGroup1 - Web API'
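Review bot: The rule that replaces the `'TBC'` placeholder issues the nameidentifier claim from the `givenName` attribute (`query = ";givenName;{0}"`, with `{0}` bound to the windowsaccountname value, if I read the AD FS query syntax correctly), and a given name is not unique within a directory, so two users sharing a first name would present the same subject identifier to the relying party. Because example files tend to be copied into real configurations, source the claim from a unique attribute instead, e.g. `query = ";userPrincipalName;{0}"`, or issue a different claim type; the same rule text is repeated in Example 4 of the about_AdfsWebApiApplication help text. As a point of style, the 300-character single-line rule is hard to review; a PowerShell here-string with one clause per line would read better.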
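Review bot: The new .DESCRIPTION text in 5-AdfsWebApiApplication_AccessControlPolicyParameters_Config.ps1 reads `with an access control policy parameters`, pairing a singular article with a plural noun; the Example 5 heading added to the help text uses the same sentence. Suggest `This configuration will add a Web API application with access control policy parameters to an application` followed by the existing `group in Active Directory Federation Services (AD FS).` line.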