AD FS 2.0: How to Migrate Claim Rules Between Trusts

Overview

This article demonstrates how to migrate claim rules from one trust in AD FS 2.0 to another trust in AD FS 2.0. This may be useful when you are creating multiple trust relationships which will utilize similar claim rules, or when you are migrating configuration data between test, staging, and production environments.

Steps

Migrating Claims Provider trust claim rules

Claims Provider trusts contain one type of claim rule:
  Acceptance Transform Rules - used to control how claims are accepted from a trusted Claims Provider

Export existing claim rules from a Claims Provider trust to file

  1. Using the AD FS 2.0 MMC console, identify the Claims Provider trust name from which the claim rules will be exported
  2. Launch an administrative Powershell window
  3. Execute the following command to import the AD FS 2.0 Powershell snap-in:

         Add-PsSnapin Microsoft.Adfs.Powershell

  4. Execute the following command to export the Acceptance Transform Rules to file:

         (Get-AdfsClaimsProviderTrust -Name "name-from-step-1").AcceptanceTransformRules | Out-File "C:\CP-name-from-step-1-Acceptance-Rules.txt"

         Note: Replace "name-from-step-1" and "C:\CP-name-from-step-1-Acceptance-Rules.txt" to reflect the name of the Claims Provider trust you have chosen.

Import claim rules from file to a Claims Provider trust

  1. Using the AD FS 2.0 MMC console, identify the Claims Provider trust name to which the claim rules will be imported
  2. Launch an administrative Powershell window on the primary federation server (in a farm, configuration changes can only be made on the primary server)
  3. Execute the following command to import the AD FS 2.0 Powershell snap-in:

         Add-PsSnapin Microsoft.Adfs.Powershell

  4. Execute the following command to import the Acceptance Transform Rules from file to the Claims Provider trust:

         Set-AdfsClaimsProviderTrust -TargetName "name-from-step-1" -AcceptanceTransformRulesFile "C:\CP-name-from-step-1-Acceptance-Rules.txt"

         Note: Replace "name-from-step-1" and "C:\CP-name-from-step-1-Acceptance-Rules.txt" to reflect the name of the Claims Provider trust you have chosen. The file contents replace the trust's existing Acceptance Transform Rules in full; they are not merged with rules already on the trust, so review the file before importing it.

Migrating Relying Party trust claim rules

Relying Party trusts contain three types of claim rules:
  Issuance Transform Rules - used to control which claims are issued in the token sent to a Relying Party
  Issuance Authorization Rules - used to control which users are permitted or denied a token for a Relying Party (this is the access-control decision for the application)
  Delegation Authorization Rules - used to control which users are permitted to act on behalf of another user (identity delegation) towards a Relying Party

Export existing claim rules from a Relying Party trust to file

  1. Using the AD FS 2.0 MMC console, identify the Relying Party trust name from which the claim rules will be exported
  2. Launch an administrative Powershell window
  3. Execute the following command to import the AD FS 2.0 Powershell snap-in:

         Add-PsSnapin Microsoft.Adfs.Powershell

  4. Execute the following command to export the Issuance Transform Rules to file:

         (Get-AdfsRelyingPartyTrust -Name "name-from-step-1").IssuanceTransformRules | Out-File "C:\RP-name-from-step-1-Issuance-Transform-Rules.txt"

         Note: Replace "name-from-step-1" and "C:\RP-name-from-step-1-Issuance-Transform-Rules.txt" to reflect the name of the Relying Party trust you have chosen.

  5. Execute the following command to export the Issuance Authorization Rules to file:

         (Get-AdfsRelyingPartyTrust -Name "name-from-step-1").IssuanceAuthorizationRules | Out-File "C:\RP-name-from-step-1-Issuance-Authorization-Rules.txt"

         Note: Replace "name-from-step-1" and "C:\RP-name-from-step-1-Issuance-Authorization-Rules.txt" to reflect the name of the Relying Party trust you have chosen.

  6. Execute the following command to export the Delegation Authorization Rules to file:

         (Get-AdfsRelyingPartyTrust -Name "name-from-step-1").DelegationAuthorizationRules | Out-File "C:\RP-name-from-step-1-Delegation-Authorization-Rules.txt"

         Note: Replace "name-from-step-1" and "C:\RP-name-from-step-1-Delegation-Authorization-Rules.txt" to reflect the name of the Relying Party trust you have chosen.

Import claim rules from file to a Relying Party trust

  1. Using the AD FS 2.0 MMC console, identify the Relying Party trust name to which the claim rules will be imported
  2. Launch an administrative Powershell window on the primary federation server (in a farm, configuration changes can only be made on the primary server)
  3. Execute the following command to import the AD FS 2.0 Powershell snap-in:

         Add-PsSnapin Microsoft.Adfs.Powershell

  4. Execute the following command to import the Issuance Transform Rules from file to the Relying Party trust:

         Set-AdfsRelyingPartyTrust -TargetName "name-from-step-1" -IssuanceTransformRulesFile "C:\RP-name-from-step-1-Issuance-Transform-Rules.txt"

         Note: Replace "name-from-step-1" and "C:\RP-name-from-step-1-Issuance-Transform-Rules.txt" to reflect the name of the Relying Party trust you have chosen.

  5. Execute the following command to import the Issuance Authorization Rules from file to the Relying Party trust:

         Set-AdfsRelyingPartyTrust -TargetName "name-from-step-1" -IssuanceAuthorizationRulesFile "C:\RP-name-from-step-1-Issuance-Authorization-Rules.txt"

         Note: Replace "name-from-step-1" and "C:\RP-name-from-step-1-Issuance-Authorization-Rules.txt" to reflect the name of the Relying Party trust you have chosen. Because these rules decide who gets a token for the application, check the file before importing it: a rule set that was correct for a test environment (for example one that permits all users, or one that refers to group SIDs or attribute values from a different domain) may grant or deny access unexpectedly in production.

  6. Execute the following command to import the Delegation Authorization Rules from file to the Relying Party trust:

         Set-AdfsRelyingPartyTrust -TargetName "name-from-step-1" -DelegationAuthorizationRulesFile "C:\RP-name-from-step-1-Delegation-Authorization-Rules.txt"

         Note: Replace "name-from-step-1" and "C:\RP-name-from-step-1-Delegation-Authorization-Rules.txt" to reflect the name of the Relying Party trust you have chosen. Each Set-AdfsRelyingPartyTrust call above replaces that rule set on the trust in full; rules already on the trust are not merged with the file contents, so export the target's current rules first if you may need to roll back.
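The following script is an added example that wraps the cmdlets used in the Claims Provider and Relying Party procedures above into a single export, review and import flow; it is not code from the original article. The functions Get-Trust, Export-TrustRules, Show-RuleChange and Import-TrustRules, the folder paths and the trust names at the bottom are this example's own choices and are placeholders to replace. It assumes the AD FS 2.0 snap-in is installed and that it runs in an elevated window on the primary federation server. Before writing anything it backs up the target trust's current rules (because Set-* replaces a rule set rather than merging it), prints the line-level difference, and warns about two things worth a second look when rules move between environments: an unconditional permit rule in an authorization rule set, and domain-specific group SIDs.

```powershell
# Added example, not from the original article. Copies every rule set from a source trust
# to a target trust of the same type, backing up the target and showing the change first.
# Assumptions (mine): AD FS 2.0 snap-in installed, elevated window, primary federation server.
$ErrorActionPreference = 'Stop'
if (-not (Get-PSSnapin -Name Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.Powershell
}

# Rule-set properties per trust type; each has a matching Set-* parameter named "<property>File".
$RuleSets = @{
    ClaimsProvider = @('AcceptanceTransformRules')
    RelyingParty   = @('IssuanceTransformRules', 'IssuanceAuthorizationRules', 'DelegationAuthorizationRules')
}

function Get-Trust([string]$TrustType, [string]$Name) {
    $t = if ($TrustType -eq 'ClaimsProvider') { Get-AdfsClaimsProviderTrust -Name $Name }
         else { Get-AdfsRelyingPartyTrust -Name $Name }
    if (-not $t) { throw "No $TrustType trust named '$Name'" }
    return $t
}

# Writes one file per rule set (as the article does with Out-File) and returns @{ <rule set> = <path> }.
function Export-TrustRules([string]$TrustType, [string]$Name, [string]$OutDir) {
    $trust = Get-Trust $TrustType $Name
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $files = @{}
    foreach ($set in $RuleSets[$TrustType]) {
        $path = Join-Path $OutDir ("{0}-{1}-{2}.txt" -f $TrustType, $Name, $set)
        # A trust with no rules of this type has $null here; the cast makes Out-File write an empty file.
        [string]$trust.$set | Out-File -FilePath $path
        $files[$set] = $path
    }
    return $files
}

# Review helper: prints what would change and flags rules that deserve a look before they
# cross environments. Returns $true when the incoming rules differ from the current ones.
function Show-RuleChange([string]$Label, [string[]]$Old, [string[]]$New) {
    if ($Old.Count -eq 0 -and $New.Count -eq 0) { return $false }
    if ($Old.Count -eq 0 -or $New.Count -eq 0) {
        # Compare-Object rejects empty arrays, so the empty cases are reported directly.
        Write-Warning "${Label}: rule set goes from $($Old.Count) to $($New.Count) line(s)"
    } else {
        $diff = Compare-Object -ReferenceObject $Old -DifferenceObject $New
        if (-not $diff) { return $false }
        Write-Host "== $Label changes (<= current, => incoming):"
        $diff | ForEach-Object { Write-Host ("  {0} {1}" -f $_.SideIndicator, $_.InputObject) }
    }
    $text = $New -join "`n"
    # A rule with no condition that issues the permit claim grants every authenticated user access
    # (this is what the "Permit Access to All Users" template generates).
    if ($text -match '(?m)^\s*=>\s*issue\(Type\s*=\s*"http://schemas\.microsoft\.com/authorization/claims/permit"') {
        Write-Warning "${Label}: incoming rules contain an unconditional permit rule"
    }
    # Group SIDs are specific to a domain and will not match in another forest.
    if ($text -match 'S-1-5-21-\d+-\d+-\d+-\d+') {
        Write-Warning "${Label}: incoming rules reference domain-specific SIDs"
    }
    return $true
}

# Backs up the target's current rules, shows the change, then replaces each rule set
# unless -ReviewOnly is given. Set-* replaces the whole set; it does not merge.
function Import-TrustRules([string]$TrustType, [string]$TargetName, [hashtable]$Files,
                           [string]$BackupDir, [switch]$ReviewOnly) {
    $backup = Export-TrustRules $TrustType $TargetName $BackupDir
    foreach ($set in $RuleSets[$TrustType]) {
        $old = @(Get-Content $backup[$set])
        $new = @(Get-Content $Files[$set])
        if (-not (Show-RuleChange "$TargetName/$set" $old $new)) {
            Write-Host "$TargetName/$set unchanged"
            continue
        }
        if ($ReviewOnly) { continue }
        $params = @{ TargetName = $TargetName }
        $params["${set}File"] = $Files[$set]   # e.g. -IssuanceAuthorizationRulesFile <path>
        if ($TrustType -eq 'ClaimsProvider') { Set-AdfsClaimsProviderTrust @params }
        else { Set-AdfsRelyingPartyTrust @params }
    }
}

# Usage with placeholder names: export from the source trust, review, then import.
$exported = Export-TrustRules 'RelyingParty' 'Source RP Name' 'C:\ClaimRules\export'
Import-TrustRules 'RelyingParty' 'Target RP Name' $exported 'C:\ClaimRules\backup' -ReviewOnly
# Re-run the Import-TrustRules line without -ReviewOnly once the printed changes look right.
```

For a Claims Provider trust, call the same two functions with 'ClaimsProvider' as the first argument; only the Acceptance Transform Rules are then handled. The backup folder holds the target's previous rules in the same file layout, so rolling back is a second Import-TrustRules call with the backup hashtable (Export-TrustRules returns it) as the Files argument.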