Le compte à rebours est lancé pour Keyfactor Tech Days | Réservez votre place dès aujourd'hui !

  • Accueil
  • Blog
  • Comment faire migrer les fiducies de confiance ?

Comment faire migrer les fiducies de confiance ?

Il peut arriver que vous ayez besoin de migrer une partie utilisatrice d'une implémentation AD FS à une autre. Malheureusement, à l'heure actuelle, il ne semble pas y avoir d'outils existants pour le faire. C'est pourquoi nous proposons l'approche suivante, qui est assez rapide et peu pratique. Il existe peut-être de meilleures méthodes, mais celle-ci permet de faire le travail.

Tout d'abord, exportez tous les trusts de parties utilisatrices qui doivent être migrés vers des fichiers XML à l'aide du script PowerShell export-rps.ps1 ci-dessous. Le résultat du script sera un fichier dont le nom sera basé sur l'identifiant de la partie utilisatrice. Par exemple :

  • urn-federation-identifier.example.com
  • https-identifier.exemple.com

Dans le script PowerShell suivant, modifiez la valeur $filePathBase en fonction de votre environnement.

export-rps.ps1

# Load the ADFS PowerShell snap-in
Add-PSSnapin Microsoft.Adfs.PowerShell

# The directory where the relying parties should be extracted
$filePathBase = "C:\extract-rp\"

$AdfsRelyingPartyTrusts = Get-AdfsRelyingPartyTrust
foreach ($AdfsRelyingPartyTrust in $AdfsRelyingPartyTrusts)
{
  # The identifier is actually an array of identifiers, we will just use the first one
  $rpIdentifier = $AdfsRelyingPartyTrust.Identifier[0]

  # We want a filename for this so we will try to make the identifier safe
  # Replace all of the following characters with a -
  #  : " / \ | ? *
  $fileNameSafeIdentifier = $rpIdentifier `
    -replace '', '-' `
    -replace ':', '-' `
    -replace '"', '-' `
    -replace '/', '-' `
    -replace '\\', '-' `
    -replace '\|', '-' `
    -replace '\?', '-' `
    -replace '\*', '-' 	

  # Create the filename of the XML file we will export
  $filePath = $filePathBase + $fileNameSafeIdentifier + '.xml'

  # Use Export-Clixml to export the object to an XML file
  $AdfsRelyingPartyTrust | Export-Clixml $filePath

}

Après avoir généré les fichiers d'exportation, copiez les fichiers XML sur le nouveau serveur AD FS et importez-les un par un en tant que parties utilisatrices à l'aide du script PowerShell import-an-rp.ps1 ci-dessous.

Dans le script PowerShell suivant, modifiez la valeur $rpIdentifier pour spécifier la partie utilisatrice que vous souhaitez importer et la valeur $filePathBase en fonction de votre environnement.

import-an-rp.ps1

# Load the ADFS PowerShell snap-in
Add-PSSnapin Microsoft.Adfs.PowerShell

# location where the extracted XML files can be found
$filePathBase = "C:\extract-rp\"

# Identifier of the Relying Party (RP) we want to import
#$rpIdentifier = "urn:federation:identifier.example.com"
$rpIdentifier = "https://identifier.example.com"

# We want the name we created during extract for this so we will try to make the identifier safe
# Replace all of the following characters with a -
#  : " / \ | ? *
$directoryNameSafeIdentifier = $rpIdentifier `
  -replace '', '-' `
  -replace ':', '-' `
  -replace '"', '-' `
  -replace '/', '-' `
  -replace '\\', '-' `
  -replace '\|', '-' `
  -replace '\?', '-' `
  -replace '\*', '-' 	

$xmlFile =  $filePathBase + $directoryNameSafeIdentifier + ".xml"

if (!(Test-Path -path $xmlFile))
{
  "File not found" + $xmlFile
}
else
{
  $ADFSRelyingPartyTrust = Import-clixml $xmlFile
  $NewADFSRelyingPartyTrust = Add-ADFSRelyingPartyTrust -Identifier $rpIdentifier `
    -Name $ADFSRelyingPartyTrust.Name
  $rpIdentifierUri = $NewADFSRelyingPartyTrust.Identifier

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -AutoUpdateEnabled $ADFSRelyingPartyTrust.AutoUpdateEnabled

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -DelegationAuthorizationRules $ADFSRelyingPartyTrust.DelegationAuthorizationRules

  # note we need to do a ToString to not just get the enum number
  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -EncryptionCertificateRevocationCheck `
    $ADFSRelyingPartyTrust.EncryptionCertificateRevocationCheck.ToString()

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
-IssuanceAuthorizationRules $ADFSRelyingPartyTrust.IssuanceAuthorizationRules

  # note we need to do a ToString to not just get the enum number
  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -SigningCertificateRevocationCheck `
    $ADFSRelyingPartyTrust.SigningCertificateRevocationCheck.ToString()

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -WSFedEndpoint $ADFSRelyingPartyTrust.WSFedEndpoint

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -IssuanceTransformRules $ADFSRelyingPartyTrust.IssuanceTransformRules

  # Note ClaimAccepted vs ClaimsAccepted (plural)
  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -ClaimAccepted $ADFSRelyingPartyTrust.ClaimsAccepted

  ### NOTE this does not get imported
  #$ADFSRelyingPartyTrust.ConflictWithPublishedPolicy

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -EncryptClaims $ADFSRelyingPartyTrust.EncryptClaims

  ### NOTE this does not get imported
  #$ADFSRelyingPartyTrust.Enabled

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -EncryptionCertificate $ADFSRelyingPartyTrust.EncryptionCertificate

  # Identifier is actually an array but you can't add it when
  #   using Set-ADFSRelyingPartyTrust -TargetIdentifier
  #   so we use -TargetRelyingParty instead
  $targetADFSRelyingPartyTrust = Get-ADFSRelyingPartyTrust -Identifier $rpIdentifier
  Set-ADFSRelyingPartyTrust -TargetRelyingParty $targetADFSRelyingPartyTrust `
    -Identifier $ADFSRelyingPartyTrust.Identifier

  # SKIP we don't need to import these
  # $ADFSRelyingPartyTrust.LastMonitoredTime
  # $ADFSRelyingPartyTrust.LastPublishedPolicyCheckSuccessful
  # $ADFSRelyingPartyTrust.LastUpdateTime

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -MetadataUrl $ADFSRelyingPartyTrust.MetadataUrl

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -MonitoringEnabled $ADFSRelyingPartyTrust.MonitoringEnabled

  # Name is already done
  #Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
  #  -Name $ADFSRelyingPartyTrust.Name

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -NotBeforeSkew $ADFSRelyingPartyTrust.NotBeforeSkew

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -Notes "$ADFSRelyingPartyTrust.Notes"

  ### NOTE this does not get imported
  #$ADFSRelyingPartyTrust.OrganizationInfo

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -ImpersonationAuthorizationRules $ADFSRelyingPartyTrust.ImpersonationAuthorizationRules

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -ProtocolProfile $ADFSRelyingPartyTrust.ProtocolProfile

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -RequestSigningCertificate $ADFSRelyingPartyTrust.RequestSigningCertificate

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -EncryptedNameIdRequired $ADFSRelyingPartyTrust.EncryptedNameIdRequired

  # Note RequireSignedSamlRequests vs SignedSamlRequestsRequired,
  #Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
  #  -RequireSignedSamlRequests $ADFSRelyingPartyTrust.SignedSamlRequestsRequired
  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -SignedSamlRequestsRequired $ADFSRelyingPartyTrust.SignedSamlRequestsRequired  

  # Note SamlEndpoint vs SamlEndpoints (plural)
  # The object comes back as a
  #   [Deserialized.Microsoft.IdentityServer.PowerShell.Resources.SamlEndpoint]
  #   so we will reconstitute 

  # create a new empty array
  $newSamlEndPoints = @()
  foreach ($SamlEndpoint in $ADFSRelyingPartyTrust.SamlEndpoints)
  {
    # Is ResponseLocation defined?
    if ($SamlEndpoint.ResponseLocation)
    {
      # ResponseLocation is not null or empty
      $newSamlEndPoint = New-ADFSSamlEndpoint -Binding $SamlEndpoint.Binding `
        -Protocol $SamlEndpoint.Protocol `
        -Uri $SamlEndpoint.Location -Index $SamlEndpoint.Index `
        -IsDefault $SamlEndpoint.IsDefault
    }
    else
    {
      $newSamlEndPoint = New-ADFSSamlEndpoint -Binding $SamlEndpoint.Binding `
        -Protocol $SamlEndpoint.Protocol `
        -Uri $SamlEndpoint.Location -Index $SamlEndpoint.Index `
        -IsDefault $SamlEndpoint.IsDefault `
        -ResponseUri $SamlEndpoint.ResponseLocation
    }
    $newSamlEndPoints += $newSamlEndPoint
  }
  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -SamlEndpoint $newSamlEndPoints

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -SamlResponseSignature $ADFSRelyingPartyTrust.SamlResponseSignature

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -SignatureAlgorithm $ADFSRelyingPartyTrust.SignatureAlgorithm

  Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -TokenLifetime $ADFSRelyingPartyTrust.TokenLifetime

}

# For comparison testing you can uncomment these lines
#   to export your new import as a ___.XML.new file
# $targetADFSRelyingPartyTrust = Get-ADFSRelyingPartyTrust -Identifier $rpIdentifier
# $filePath = $xmlFile + ".new"
# $AdfsRelyingPartyTrust | Export-Clixml $filePath

Nous remercions Doug McDorman de nous avoir permis de publier son texte à des fins d'utilisation générale.