The Add-AdfsRelyingPartyTrust cmdlet adds a new relying party trust to the Federation Service.
You can specify a relying party trust manually, or you can provide a federation metadata document to bootstrap initial configuration.
This command adds a relying party trust named Fabrikam for federation.
Parameters
-AccessControlPolicyName
Specifies the name of an access control policy.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
True
Value from remaining arguments:
False
-AccessControlPolicyParameters
The Add-AdfsRelyingPartyTrust cmdlet adds a new relying party trust to the Federation Service.
You can specify a relying party trust manually, or you can provide a federation metadata document to bootstrap initial configuration.
Parameter properties
Type:
Object
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
True
Value from remaining arguments:
False
-AdditionalAuthenticationRules
Specifies the additional authorization rules to require additional authentication based on user, device and ___location attributes after the completion of the first step of authentication.
Note: These rules must only be configured after there is at least one authentication provider enabled for additional authentication.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
True
Value from remaining arguments:
False
-AdditionalAuthenticationRulesFile
Specifies a file that contains the additional authentication rules to require additional authentication when a user is attempting to access this relying party.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-AdditionalWSFedEndpoint
Specifies an array of alternate return addresses for the application.
This is typically used when the application wants to indicate to AD FS what the return URL should be on successful token generation.
AD FS requires that all acceptable URLs are entered as trusted information by the administrator.
Parameter properties
Type:
String[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
AllProperties
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-AllowedAuthenticationClassReferences
The Add-AdfsRelyingPartyTrust cmdlet adds a new relying party trust to the Federation Service.
You can specify a relying party trust manually, or you can provide a federation metadata document to bootstrap initial configuration.
Parameter properties
Type:
String[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-AllowedClientTypes
Specifies allowed client types.
The acceptable values for this parameter are:
None
Public
Confidential
Parameter properties
Type:
AllowedClientTypes
Default value:
None
Accepted values:
None, Public, Confidential
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-AlwaysRequireAuthentication
Indicates to always require authentication.
Parameter properties
Type:
SwitchParameter
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
True
Value from remaining arguments:
False
-AutoUpdateEnabled
Indicates whether changes to the federation metadata by the MetadataURL parameter apply automatically to the configuration of the trust relationship.
If this parameter has a value of $True, partner claims, certificates, and endpoints are updated automatically.
Note: When auto-update is enabled, fields that can be overwritten by metadata become read only.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ClaimAccepted
Specifies an array of claims that this relying party accepts.
Parameter properties
Type:
ClaimDescription[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
AllProperties
Position:
Named
Mandatory:
False
Value from pipeline:
True
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ClaimsProviderName
Specifies an array of claims provider names.
Parameter properties
Type:
String[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
Type:
SwitchParameter
Default value:
False
Supports wildcards:
False
DontShow:
False
Aliases:
cf
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DelegationAuthorizationRules
Specifies the delegation authorization rules for issuing claims to this relying party.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
True
Value from remaining arguments:
False
-DelegationAuthorizationRulesFile
Specifies a file that contains the delegation authorization rules for issuing claims to this relying party.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-Enabled
Indicates whether the relying party trust is enabled.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-EnableJWT
Indicates whether the JSON Web Token (JWT) format should be used to issue a token on a WS-Federation request.
By default, SAML tokens are issued over WS-Federation.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-EncryptClaims
Indicates whether the claims that are sent to the relying party are encrypted.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-EncryptedNameIdRequired
Indicates whether the relying party requires that the NameID claim be encrypted.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-EncryptionCertificate
Specifies the certificate to be used for encrypting claims that are issued to this relying party.
Encrypting claims is optional.
Parameter properties
Type:
X509Certificate2
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
AllProperties
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-EncryptionCertificateRevocationCheck
Specifies the type of validation that should occur for the encryption certificate it is used for encrypting claims to the relying party.
The acceptable values for this parameter are:
Specifies the unique identifiers for this relying party trust.
No other trust can use an identifier from this list.
Uniform Resource Identifiers (URIs) are often used as unique identifiers for a relying party trust, but you can use any string of characters.
Parameter properties
Type:
String[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
AllProperties
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ImpersonationAuthorizationRules
Specifies the impersonation authorization rules for issuing claims to this relying party.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
True
Value from remaining arguments:
False
-ImpersonationAuthorizationRulesFile
Specifies the file that contains the impersonation authorization rules for issuing claims to this relying party.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-IssuanceAuthorizationRules
Specifies the issuance authorization rules for issuing claims to this relying party.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
True
Value from remaining arguments:
False
-IssuanceAuthorizationRulesFile
Specifies the file that contains the issuance authorization rules for issuing claims to this relying party.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-IssuanceTransformRules
Specifies the issuance transform rules for issuing claims to this relying party.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
True
Value from remaining arguments:
False
-IssuanceTransformRulesFile
Specifies the file that contains the issuance transform rules for issuing claims to this relying party.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-IssueOAuthRefreshTokensTo
Specifies the refresh token issuance device types.
The acceptable values for this parameter are:
NoDevice
WorkplaceJoinedDevices
AllDevices
Parameter properties
Type:
RefreshTokenIssuanceDeviceTypes
Default value:
None
Accepted values:
NoDevice, WorkplaceJoinedDevices, AllDevices
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-MetadataFile
Specifies a file path, such as c:\metadata.xml, that contains the federation metadata for this relying party trust.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
MetadataFile
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-MetadataUrl
Specifies a URL at which the federation metadata for this relying party trust is available.
Parameter properties
Type:
Uri
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
MetadataUrl
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-MonitoringEnabled
Indicates whether periodic monitoring of this relying party federation metadata is enabled.
The MetadataUrl parameter specifies the URL of the relying party federation metadata.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-Name
Specifies the friendly name of this relying party trust.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-NotBeforeSkew
Specifies the skew, as in integer, for the time stamp that marks the beginning of the validity period.
The higher this number is, the further back in time the validity period begins with respect to the time that the claims are issued for the relying party.
By default, this value is 0.
Specify a positive value if validation fails on the relying party because the validity period has not yet begun.
Parameter properties
Type:
Int32
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-Notes
Specifies notes for this relying party trust.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-PassThru
Returns an object representing the item with which you are working.
By default, this cmdlet does not generate any output.
Parameter properties
Type:
SwitchParameter
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ProtocolProfile
Specifies which protocol profiles the relying party supports.
The acceptable values for this parameter are:
SAML
WsFederation
WsFed-SAML
The default value is WsFed-SAML.
Parameter properties
Type:
String
Default value:
None
Accepted values:
WsFed-SAML, WSFederation, SAML
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-RefreshTokenProtectionEnabled
Indicates that refresh token protection is enabled.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-RequestMFAFromClaimsProviders
Indicates whether to use the request MFA from claims providers option.
Parameter properties
Type:
SwitchParameter
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
True
Value from remaining arguments:
False
-RequestSigningCertificate
Specifies an array of certificates to be used to verify the signature on a request from the relying party.
Parameter properties
Type:
X509Certificate2[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
AllProperties
Position:
Named
Mandatory:
False
Value from pipeline:
True
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SamlEndpoint
Specifies an array of Security Assertion Markup Language (SAML) protocol endpoints for this relying party.
Parameter properties
Type:
SamlEndpoint[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
AllProperties
Position:
Named
Mandatory:
False
Value from pipeline:
True
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SamlResponseSignature
Specifies the response signature or signatures that the relying party expects.
The acceptable values for this parameter are:
AssertionOnly
MessageAndAssertion
MessageOnly
Parameter properties
Type:
String
Default value:
None
Accepted values:
AssertionOnly, MessageAndAssertion, MessageOnly
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SignatureAlgorithm
Specifies the signature algorithm that the relying party uses for signing and verification.
The acceptable values for this parameter are:
Indicates whether the Federation Service requires signed SAML protocol requests from the relying party.
If you specify a value of $True, the Federation Service rejects unsigned SAML protocol requests.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SigningCertificateRevocationCheck
Specifies the type of certificate validation that occur when signatures on requests from the relying party are verified.
The acceptable values for this parameter are:
Specifies the duration, in minutes, for which the claims that are issued to the relying party are valid.
Parameter properties
Type:
Int32
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
Parameter properties
Type:
SwitchParameter
Default value:
False
Supports wildcards:
False
DontShow:
False
Aliases:
wi
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-WSFedEndpoint
Specifies the WS-Federation Passive URL for this relying party.
Parameter properties
Type:
Uri
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
AllProperties
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters.
String objects are received by the AccessControlPolicyName, AdditionalAuthenticationRules, DelegationAuthorizationRules, ImpersonationAuthorizationRules, IssuanceAuthorizationRules, and IssuanceTransformRules parameters.
Returns the new RelyingPartyTrust object when the PassThru parameter is specified. By default, this cmdlet does not generate any output.
Notes
A relying party in Active Directory Federation Services (AD FS) is an organization in which Web servers that host one or more Web-based applications reside. Tokens and Information Cards that originate from a claims provider can then be presented and ultimately accessed by the Web-based resources that are located in the relying party organization. When AD FS is configured in the role of the relying party, it acts as a partner that trusts a claims provider to authenticate users. Therefore, the relying party accesses the claims that are packaged in security tokens that come from users in the claims provider. In other words, a relying party is the organization whose Web servers are protected by the resource-side federation server. The federation server in the relying party uses the security tokens that the claims provider produces to issue tokens to the Web servers that are located in the relying party.