X-Guardian / AdfsDsc

DSC resources for deployment and configuration of Active Directory Federation Services
MIT License

Declaring IssuanceTransformRules with ConfigurationData #62

Closed ccpyle closed 1 year ago

ccpyle commented 1 year ago

Is it possible to send IssuanceTransformRules using ConfigurationData? I'm trying to set up node data for use with AdfsWebApiApplication, but I cannot get it to compile properly.

If I try to declare the data type outside of the DSC module, I get "Unable to find type [MSFT_AdfsIssuanceTransformRule]"

If I use example syntax within AllNodes and then pass to configuration, I receive: "Convert property 'IssuanceTransformRules' value from type 'STRING[]' to type 'INSTANCE[]' failed"

X-Guardian commented 1 year ago

Hi @ccpyle, you can't directly specify an MSFT_AdfsIssuanceTransformRule object in ConfigurationData, but you can dynamically build them within the DSC configuration based on data within ConfigurationData. Here is an example:

#Requires -module AdfsDsc

<#
    .DESCRIPTION
        This configuration will add a Web API application role to an application in Active Directory Federation
        Services (AD FS).
#>

$ConfigurationData = @{
    AllNodes       = @(
        @{
            Nodename = "localhost"
        }
    )

    TransformRules = @(
        @{
            TemplateName = 'LdapClaims'
            Name         = 'App1 Ldap Claims'
            LdapClaims   = @(
                @{
                    LdapAttribute     = 'mail'
                    OutgoingClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
                }
                @{
                    LdapAttribute     = 'sn'
                    OutgoingClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
                }
            )
        }
    )
}

Configuration AdfsWebApiApplication_LdapClaims_IssuanceTransformRules_Config
{
    param()

    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        AdfsApplicationGroup AppGroup1 {
            Name        = 'AppGroup1'
            Description = "This is the AppGroup1 Description"
        }

        $issuanceTransformRules = @()
        foreach ($transformRule in $ConfigurationData.TransformRules) {
            $ldapMapping = @()
            foreach ($ldapClaim in $transformRule.LdapClaims) {
                $ldapMapping += MSFT_AdfsLdapMapping {
                    LdapAttribute     = $ldapClaim.LdapAttribute
                    OutgoingClaimType = $ldapClaim.OutgoingClaimType
                }
            }

            $issuanceTransformRules += MSFT_AdfsIssuanceTransformRule {
                TemplateName   = $transformRule.TemplateName
                Name           = $transformRule.Name
                AttributeStore = 'Active Directory'
                LdapMapping    = $ldapMapping
            }
        }

        AdfsWebApiApplication WebApiApp1 {
            Name                          = 'AppGroup1 - Web API'
            ApplicationGroupIdentifier    = 'AppGroup1'
            Identifier                    = 'e7bfb303-c5f6-4028-a360-b6293d41338c'
            Description                   = 'App1 Web Api'
            AccessControlPolicyName       = 'Permit everyone'
            AlwaysRequireAuthentication   = $false
            AllowedClientTypes            = 'Public', 'Confidential'
            IssueOAuthRefreshTokensTo     = 'AllDevices'
            NotBeforeSkew                 = 0
            RefreshTokenProtectionEnabled = $true
            RequestMFAFromClaimsProviders = $false
            TokenLifetime                 = 0
            IssuanceTransformRules        = $issuanceTransformRules
        }
    }
}

Hope this helps.
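The same build-the-CIM-instances-in-the-configuration technique, as an added example that is not from the issue thread or the AdfsDsc project: here the rule data lives under each node in AllNodes (closer to what the question tried) and is read through $Node, with a compile-time guard so a rule with no LdapClaims fails loudly instead of producing an empty mapping. The node name, application names and the all-zero Identifier are constructed placeholders.

```powershell
#Requires -Module AdfsDsc

# Constructed sample data: rules are scoped per node rather than at the top level.
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName       = 'adfs01'   # placeholder node name
            TransformRules = @(
                @{
                    TemplateName = 'LdapClaims'
                    Name         = 'App1 Ldap Claims'
                    LdapClaims   = @(
                        @{ LdapAttribute = 'mail'; OutgoingClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' }
                        @{ LdapAttribute = 'sn';   OutgoingClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' }
                    )
                }
            )
        }
    )
}

Configuration AdfsWebApiApplication_PerNodeRules_Config
{
    Import-DscResource -ModuleName AdfsDsc

    Node $AllNodes.NodeName
    {
        AdfsApplicationGroup AppGroup1 { Name = 'AppGroup1' }

        $issuanceTransformRules = @()
        foreach ($transformRule in $Node.TransformRules) {
            # Stop at compile time: an LdapClaims rule without mappings is a data error.
            if (-not $transformRule.LdapClaims) {
                throw "Node '$($Node.NodeName)': rule '$($transformRule.Name)' has no LdapClaims."
            }
            $ldapMapping = @()
            foreach ($ldapClaim in $transformRule.LdapClaims) {
                $ldapMapping += MSFT_AdfsLdapMapping {
                    LdapAttribute     = $ldapClaim.LdapAttribute
                    OutgoingClaimType = $ldapClaim.OutgoingClaimType
                }
            }
            $issuanceTransformRules += MSFT_AdfsIssuanceTransformRule {
                TemplateName   = $transformRule.TemplateName
                Name           = $transformRule.Name
                AttributeStore = 'Active Directory'
                LdapMapping    = $ldapMapping
            }
        }

        AdfsWebApiApplication WebApiApp1 {
            Name                       = 'AppGroup1 - Web API'
            ApplicationGroupIdentifier = 'AppGroup1'
            Identifier                 = '00000000-0000-0000-0000-000000000000'   # placeholder
            IssuanceTransformRules     = $issuanceTransformRules
            DependsOn                  = '[AdfsApplicationGroup]AppGroup1'
        }
    }
}

# Compile: produces one MOF per node, with the rules built from that node's data.
AdfsWebApiApplication_PerNodeRules_Config -ConfigurationData $ConfigurationData
```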