
How to migrate relying party trusts

There are times when you may need to migrate a relying party (RP) from one AD FS deployment to another. Unfortunately, at the moment there do not seem to be any tools for doing this, so we offer the following quick-and-dirty approach. There may be better ways, but it gets the job done.

First, export all the relying party trusts that need to be migrated to XML files using the PowerShell script export-rps.ps1 below. The script writes one file per relying party, with a name derived from the relying party's identifier. For example:

  • urn-federation-identifier.example.com
  • https-identifier.example.com

In the PowerShell script below, edit the value of $filePathBase as appropriate for your environment.

export-rps.ps1

# Load the ADFS PowerShell snap-in
Add-PSSnapin Microsoft.Adfs.PowerShell

# The directory where the relying parties should be extracted
$filePathBase = "C:\extract-rp\"

$AdfsRelyingPartyTrusts = Get-AdfsRelyingPartyTrust
foreach ($AdfsRelyingPartyTrust in $AdfsRelyingPartyTrusts)
{
  # The identifier is actually an array of identifiers, we will just use the first one
  $rpIdentifier = $AdfsRelyingPartyTrust.Identifier[0]

  # We want a filename for this so we will try to make the identifier safe
  # Replace all of the following characters (not allowed in Windows file names) with a -
  #  < > : " / \ | ? *
  $fileNameSafeIdentifier = $rpIdentifier `
    -replace '<', '-' `
    -replace '>', '-' `
    -replace ':', '-' `
    -replace '"', '-' `
    -replace '/', '-' `
    -replace '\\', '-' `
    -replace '\|', '-' `
    -replace '\?', '-' `
    -replace '\*', '-'

  # Create the filename of the XML file we will export
  $filePath = $filePathBase + $fileNameSafeIdentifier + '.xml'

  # Use Export-Clixml to export the object to an XML file
  $AdfsRelyingPartyTrust | Export-Clixml $filePath

}

After the export files have been generated, copy the XML files to the new AD FS server and import them one at a time as relying party trusts using the PowerShell script import-an-rp.ps1 below.

In the PowerShell script below, edit the value of $rpIdentifier to specify which relying party you want to import, and the value of $filePathBase as appropriate for your environment.

import-an-rp.ps1

# Load the ADFS PowerShell snap-in
Add-PSSnapin Microsoft.Adfs.PowerShell

# location where the extracted XML files can be found
$filePathBase = "C:\extract-rp\"

# Identifier of the Relying Party (RP) we want to import
#$rpIdentifier = "urn:federation:identifier.example.com"
$rpIdentifier = "https://identifier.example.com"

# We want the same name we created during the export, so make the identifier safe the same way
# Replace all of the following characters (not allowed in Windows file names) with a -
#  < > : " / \ | ? *
$directoryNameSafeIdentifier = $rpIdentifier `
  -replace '<', '-' `
  -replace '>', '-' `
  -replace ':', '-' `
  -replace '"', '-' `
  -replace '/', '-' `
  -replace '\\', '-' `
  -replace '\|', '-' `
  -replace '\*', '-' `
  -replace '\?', '-'

$xmlFile =  $filePathBase + $directoryNameSafeIdentifier + ".xml"

if (!(Test-Path -path $xmlFile))
{
  "File not found: " + $xmlFile
}
else
{
  $ADFSRelyingPartyTrust = Import-clixml $xmlFile
  $NewADFSRelyingPartyTrust = Add-ADFSRelyingPartyTrust -Identifier $rpIdentifier `
    -Name $ADFSRelyingPartyTrust.Name
  $rpIdentifierUri = $NewADFSRelyingPartyTrust.Identifier

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -AutoUpdateEnabled $ADFSRelyingPartyTrust.AutoUpdateEnabled

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -DelegationAuthorizationRules $ADFSRelyingPartyTrust.DelegationAuthorizationRules

  # note we need to do a ToString to not just get the enum number
  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -EncryptionCertificateRevocationCheck `
    $ADFSRelyingPartyTrust.EncryptionCertificateRevocationCheck.ToString()

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -IssuanceAuthorizationRules $ADFSRelyingPartyTrust.IssuanceAuthorizationRules

  # note we need to do a ToString to not just get the enum number
  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -SigningCertificateRevocationCheck `
    $ADFSRelyingPartyTrust.SigningCertificateRevocationCheck.ToString()

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -WSFedEndpoint $ADFSRelyingPartyTrust.WSFedEndpoint

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -IssuanceTransformRules $ADFSRelyingPartyTrust.IssuanceTransformRules

  # Note ClaimAccepted vs ClaimsAccepted (plural)
  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -ClaimAccepted $ADFSRelyingPartyTrust.ClaimsAccepted

  ### NOTE this does not get imported
  #$ADFSRelyingPartyTrust.ConflictWithPublishedPolicy

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -EncryptClaims $ADFSRelyingPartyTrust.EncryptClaims

  ### NOTE this does not get imported
  #$ADFSRelyingPartyTrust.Enabled

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -EncryptionCertificate $ADFSRelyingPartyTrust.EncryptionCertificate

  # Identifier is actually an array but you can't add it when
  #   using Set-ADFSRelyingPartyTrust -TargetIdentifier
  #   so we use -TargetRelyingParty instead
  $targetADFSRelyingPartyTrust = Get-ADFSRelyingPartyTrust -Identifier $rpIdentifier
  Set-ADFSRelyingPartyTrust -TargetRelyingParty $targetADFSRelyingPartyTrust `
    -Identifier $ADFSRelyingPartyTrust.Identifier

  # SKIP we don't need to import these
  # $ADFSRelyingPartyTrust.LastMonitoredTime
  # $ADFSRelyingPartyTrust.LastPublishedPolicyCheckSuccessful
  # $ADFSRelyingPartyTrust.LastUpdateTime

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -MetadataUrl $ADFSRelyingPartyTrust.MetadataUrl

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -MonitoringEnabled $ADFSRelyingPartyTrust.MonitoringEnabled

  # Name is already done
  #Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
  #  -Name $ADFSRelyingPartyTrust.Name

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -NotBeforeSkew $ADFSRelyingPartyTrust.NotBeforeSkew

  # Use a subexpression so the Notes property (not the object's string form) is expanded;
  #   this also turns a null Notes value into an empty string
  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -Notes "$($ADFSRelyingPartyTrust.Notes)"

  ### NOTE this does not get imported
  #$ADFSRelyingPartyTrust.OrganizationInfo

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -ImpersonationAuthorizationRules $ADFSRelyingPartyTrust.ImpersonationAuthorizationRules

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -ProtocolProfile $ADFSRelyingPartyTrust.ProtocolProfile

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -RequestSigningCertificate $ADFSRelyingPartyTrust.RequestSigningCertificate

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -EncryptedNameIdRequired $ADFSRelyingPartyTrust.EncryptedNameIdRequired

  # Note RequireSignedSamlRequests vs SignedSamlRequestsRequired,
  #Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
  #  -RequireSignedSamlRequests $ADFSRelyingPartyTrust.SignedSamlRequestsRequired
  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -SignedSamlRequestsRequired $ADFSRelyingPartyTrust.SignedSamlRequestsRequired

  # Note SamlEndpoint vs SamlEndpoints (plural)
  # The object comes back as a
  #   [Deserialized.Microsoft.IdentityServer.PowerShell.Resources.SamlEndpoint]
  #   so we will reconstitute 

  # create a new empty array
  $newSamlEndPoints = @()
  foreach ($SamlEndpoint in $ADFSRelyingPartyTrust.SamlEndpoints)
  {
    # Is ResponseLocation defined?
    if ($SamlEndpoint.ResponseLocation)
    {
      # ResponseLocation is not null or empty, so carry it over as -ResponseUri
      $newSamlEndPoint = New-ADFSSamlEndpoint -Binding $SamlEndpoint.Binding `
        -Protocol $SamlEndpoint.Protocol `
        -Uri $SamlEndpoint.Location -Index $SamlEndpoint.Index `
        -IsDefault $SamlEndpoint.IsDefault `
        -ResponseUri $SamlEndpoint.ResponseLocation
    }
    else
    {
      # No ResponseLocation, so leave -ResponseUri out (an empty value will not bind to a URI)
      $newSamlEndPoint = New-ADFSSamlEndpoint -Binding $SamlEndpoint.Binding `
        -Protocol $SamlEndpoint.Protocol `
        -Uri $SamlEndpoint.Location -Index $SamlEndpoint.Index `
        -IsDefault $SamlEndpoint.IsDefault
    }
    $newSamlEndPoints += $newSamlEndPoint
  }
  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -SamlEndpoint $newSamlEndPoints

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -SamlResponseSignature $ADFSRelyingPartyTrust.SamlResponseSignature

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -SignatureAlgorithm $ADFSRelyingPartyTrust.SignatureAlgorithm

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -TokenLifetime $ADFSRelyingPartyTrust.TokenLifetime

}

# For comparison testing you can uncomment these lines
#   to export your new import as a ___.XML.new file
#   (export the freshly read target trust, not the deserialized original)
# $targetADFSRelyingPartyTrust = Get-ADFSRelyingPartyTrust -Identifier $rpIdentifier
# $filePath = $xmlFile + ".new"
# $targetADFSRelyingPartyTrust | Export-Clixml $filePath
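To check that the imported trust really matches the source before anyone relies on it, the following script compares the original export with the .xml.new re-export produced by the commented-out lines above. It is an added example, not part of Doug McDorman's scripts; the property names come from the export objects, while the $knownSkipped and $securityCritical groupings are the editor's own.

```powershell
# verify-rp-migration.ps1 (added example, not part of the original post)
param(
  [Parameter(Mandatory = $true)][string]$OriginalXml,   # <id>.xml from export-rps.ps1
  [Parameter(Mandatory = $true)][string]$NewXml         # <id>.xml.new re-exported after import
)

# Properties import-an-rp.ps1 deliberately does not carry over; differences here are expected
$knownSkipped = @('ConflictWithPublishedPolicy', 'Enabled', 'OrganizationInfo',
                  'LastMonitoredTime', 'LastPublishedPolicyCheckSuccessful', 'LastUpdateTime')
# Properties that decide who gets a token and how it is signed/encrypted (editor's grouping)
$securityCritical = @('Identifier', 'IssuanceAuthorizationRules', 'IssuanceTransformRules',
                      'DelegationAuthorizationRules', 'ImpersonationAuthorizationRules',
                      'EncryptionCertificate', 'RequestSigningCertificate', 'EncryptClaims',
                      'SignedSamlRequestsRequired', 'SignatureAlgorithm', 'SamlResponseSignature',
                      'SamlEndpoints', 'WSFedEndpoint', 'TokenLifetime')

function Flatten($value) {
  # Reduce deserialized values (certificates, endpoints, arrays) to comparable strings
  if ($null -eq $value) { return '' }
  if ($value -is [string]) { return $value }
  if ($value -is [System.Collections.IEnumerable]) {
    return (@($value | ForEach-Object { Flatten $_ }) | Sort-Object) -join '; '
  }
  $props = $value.PSObject.Properties
  if ($props['Thumbprint']) { return 'cert:' + $props['Thumbprint'].Value }   # X509 certificate
  if ($props['Location']) {                                                   # SAML endpoint
    return '{0}|{1}|{2}|{3}|{4}' -f $props['Binding'].Value, $props['Protocol'].Value,
      $props['Index'].Value, $props['Location'].Value, $props['ResponseLocation'].Value
  }
  return [string]$value
}

$old = Import-Clixml $OriginalXml
$new = Import-Clixml $NewXml
$differences = foreach ($prop in $old.PSObject.Properties) {
  if ($knownSkipped -contains $prop.Name) { continue }
  $newProp = $new.PSObject.Properties[$prop.Name]
  $before = Flatten $prop.Value
  $after = if ($newProp) { Flatten $newProp.Value } else { '<missing>' }
  if ($before -ne $after) {
    [pscustomobject]@{ Property = $prop.Name; Critical = ($securityCritical -contains $prop.Name)
                       Original = $before; Migrated = $after }
  }
}

if (-not $differences) { 'No differences outside the known-skipped properties.'; exit 0 }
$differences | Sort-Object @{ Expression = 'Critical'; Descending = $true }, Property | Format-Table -AutoSize -Wrap
$critical = @($differences | Where-Object { $_.Critical }).Count
"$critical difference(s) in security-critical properties; resolve these before relying on the trust."
if ($critical -gt 0) { exit 1 }
```

Run it as .\verify-rp-migration.ps1 -OriginalXml C:\extract-rp\<id>.xml -NewXml C:\extract-rp\<id>.xml.new; a non-zero exit code means a security-critical property (claim rules, certificates, endpoints, signature settings) did not survive the migration intact.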

Many thanks to Doug McDorman for allowing us to publish his script for general use.