Over the last few years Microsoft has made a push for all of its server solutions
to be manageable via PowerShell. Active Directory Federation Services is no
different.
When we installed ADFS for the first time, the installer told us it needed
PowerShell as a prerequisite, so we get some cmdlets available to us out of the
box. Before we start playing around with them, though, we need to register the
cmdlets with our PowerShell session. We can do this with the following command:
Add-PSSnapin Microsoft.Adfs.PowerShell
At this point we can muck around with all of the available cmdlets. For a full
list of available cmdlets for ADFS, check out TechNet.
Let’s take a look at our ADFS Server Properties:
Get-AdfsProperties
AcceptableIdentifiers : {}
AddProxyAuthorizationRules : […snip…]
AutoCertificateRollover : True
CertificateCriticalThreshold : 2
CertificateDuration : 365
CertificateGenerationThreshold : 20
CertificatePromotionThreshold : 5
CertificateRolloverInterval : 720
CertificateSharingContainer :
CertificateThresholdMultiplier : 1440
ClientCertRevocationCheck : None
ContactPerson :
DisplayName : WEB1.nexus.external.test
ExtendedProtectionTokenCheck : Allow
FederationPassiveAddress : /adfs/ls/
HostName : WEB1.nexus.external.test
HttpPort : 80
HttpsPort : 443
Identifier : http://web1.nexus.external.test/adfs/services/trust
InstalledLanguage : en-US
LogLevel : {Errors, Information, Verbose, Warnings}
MonitoringInterval : 1440
NetTcpPort : 1501
NtlmOnlySupportedClientAtProxy : False
OrganizationInfo :
PreventTokenReplays : True
ProxyTrustId : 58cb3f40-0633-4d9e-b3c2-84f9bc8c2ce8
ProxyTrustTokenLifetime : 21600
ReplayCacheExpirationInterval : 60
SignedSamlRequestsRequired : False
SamlMessageDeliveryWindow : 5
SignSamlAuthnRequests : False
SsoLifetime : 480
Nothing fancy there. What about updating?
get-help Set-AdfsProperties
Yep, we can do that:
NAME
Set-ADFSProperties
SYNOPSIS
Sets the properties of the Federation Service.
SYNTAX
[…snip…]
DETAILED DESCRIPTION
The Set-ADFSProperties cmdlet sets the global properties and configuration
of the Federation Service.
Updating settings isn’t all that exciting, so what about managing Relying Parties?
Add-ADFSRelyingPartyTrust
Get-ADFSRelyingPartyTrust
Remove-ADFSRelyingPartyTrust
Enable-ADFSRelyingPartyTrust
Disable-ADFSRelyingPartyTrust
Update-ADFSRelyingPartyTrust
You can also manage things like Certificates:
Add-ADFSCertificate
Remove-ADFSCertificate
Update-ADFSCertificate
There are many more things you can do from within PowerShell. Again, for the
full list check out TechNet.
Being able to manage ADFS directly from PowerShell makes things a lot easier,
not only for those who aren’t too keen on using MMC snap-ins, but also for
developers who want to automate deployment for testing and development.
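As an added example (not from the original post), the script below automates a check over the Get-AdfsProperties output shown earlier: it compares selected properties against an expected baseline and reports any drift. The function name Compare-AdfsBaseline, the baseline values and the sample object are assumptions constructed for illustration; on an ADFS server, pass the real Get-AdfsProperties output instead.

```powershell
# Added example: report where Get-AdfsProperties output differs from a baseline.
# Compare-AdfsBaseline is a hypothetical helper, not part of the ADFS snap-in.
function Compare-AdfsBaseline {
    param(
        [Parameter(Mandatory=$true)] $Properties,           # object from Get-AdfsProperties
        [Parameter(Mandatory=$true)] [hashtable] $Baseline  # property name -> expected value
    )
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $prop = $Properties.PSObject.Properties[$name]
        if ($null -eq $prop) {
            # Property absent on this server: report it rather than throw
            $actual = '<missing>'; $status = 'Missing'
        } else {
            # Compare as strings so enums, booleans and integers are handled alike
            $actual = [string]$prop.Value
            $status = if ($actual -eq [string]$Baseline[$name]) { 'OK' } else { 'Drift' }
        }
        New-Object PSObject -Property @{
            Property = $name; Expected = [string]$Baseline[$name]
            Actual = $actual; Status = $status
        } | Select-Object Property, Expected, Actual, Status
    }
}

# Constructed sample mirroring values from the output above, so this runs without ADFS.
# On a real server use: Add-PSSnapin Microsoft.Adfs.PowerShell; $props = Get-AdfsProperties
$props = New-Object PSObject -Property @{
    AutoCertificateRollover      = $true
    ExtendedProtectionTokenCheck = 'Allow'
    PreventTokenReplays          = $true
    SignedSamlRequestsRequired   = $false
}

# Assumed baseline for illustration only; substitute your organisation's own values.
$baseline = @{
    AutoCertificateRollover      = $true
    ExtendedProtectionTokenCheck = 'Require'
    PreventTokenReplays          = $true
    SignedSamlRequestsRequired   = $true
}

$report = @(Compare-AdfsBaseline -Properties $props -Baseline $baseline)
$report | Format-Table -AutoSize

# Surface drift so a deployment script or scheduled job can act on it
$drift = @($report | Where-Object { $_.Status -ne 'OK' })
if ($drift.Count -gt 0) { Write-Warning "$($drift.Count) ADFS setting(s) differ from the baseline" }
```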