The Add-AdfsClaimsProviderTrust cmdlet adds a new claims provider trust to the Federation Service.
Use this cmdlet when users from a partner organization need to access resources (relying parties) protected by the Active Directory Federation Services (AD FS) service.
You can specify a claims provider trust manually, or you can provide a federation metadata document to bootstrap initial configuration.
In Windows Server 2016, AD FS supports the prompt=login parameter.
When AD FS is acting as a federation provider, these new properties on the claims provider trust determine how AD FS handles the parameter.
This command adds a claims provider trust named Fabrikam that has the specified metadata URL to the Federation Service.
Parameters
-AcceptanceTransformRules
Specifies the claim acceptance transform rules for accepting claims from this claims provider.
These rules determine the information that is accepted from the partner represented by the claims provider trust.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
True
Value from remaining arguments:
False
-AcceptanceTransformRulesFile
Specifies a file that contains the claim acceptance transform rules for accepting claims from the claims provider.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-AllowCreate
Indicates whether the Security Assertion Markup Language (SAML) parameter AllowCreate is sent in SAML requests to the claims provider.
The default values $True.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-AnchorClaimType
The Add-AdfsClaimsProviderTrust cmdlet adds a new claims provider trust to the Federation Service.
Use this cmdlet when users from a partner organization need to access resources (relying parties) protected by the Active Directory Federation Services (AD FS) service.
You can specify a claims provider trust manually, or you can provide a federation metadata document to bootstrap initial configuration.
In Windows Server 2016, AD FS supports the prompt=login parameter.
When AD FS is acting as a federation provider, these new properties on the claims provider trust determine how AD FS handles the parameter.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-AutoUpdateEnabled
Indicates whether changes to the federation metadata by the MetadataURL parameter apply automatically to the configuration of the trust relationship.
If this parameter has a value of $True, partner claims, certificates, and endpoints are updated automatically.
Note: When auto-update is enabled, fields that can be overwritten by metadata become read only.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ClaimOffered
Specifies an array of claims that are offered by this claims provider.
Parameter properties
Type:
ClaimDescription[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
AllProperties
Position:
Named
Mandatory:
False
Value from pipeline:
True
Value from pipeline by property name:
False
Value from remaining arguments:
False
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
Type:
SwitchParameter
Default value:
False
Supports wildcards:
False
DontShow:
False
Aliases:
cf
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-CustomMFAUri
The Add-AdfsClaimsProviderTrust cmdlet adds a new claims provider trust to the Federation Service.
Use this cmdlet when users from a partner organization need to access resources (relying parties) protected by the Active Directory Federation Services (AD FS) service.
You can specify a claims provider trust manually, or you can provide a federation metadata document to bootstrap initial configuration.
In Windows Server 2016, AD FS supports the prompt=login parameter.
When AD FS is acting as a federation provider, these new properties on the claims provider trust determine how AD FS handles the parameter.
Parameter properties
Type:
Uri
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
AllProperties
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-Enabled
Indicates whether the claims provider trust is enabled or disabled.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-EncryptedNameIdRequired
Indicates whether the relying party requires that the NameID claim be encrypted.
This setting applies to SAML logout requests.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-EncryptionCertificate
Specifies the certificate to be used for encrypting a NameID to this claims provider in SAML logout requests.
Encrypting the NameID is optional.
Parameter properties
Type:
X509Certificate2
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
AllProperties
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-EncryptionCertificateRevocationCheck
Specifies the type of validation that occurs for the encryption certificate before it is used for encrypting claims.
The acceptable values for this parameter are:
Specifies the unique identifier for this claims provider trust.
No other trust can use an identifier from this list.
Uniform Resource Identifiers (URIs) are often used as unique identifiers for a claims provider trust, but you can use any string of characters.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
AllProperties
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-MetadataFile
Specifies a file path, such as c:\metadata.xml, that contains the federation metadata to be used when this claims provider trust is created.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
MetadataFile
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-MetadataUrl
Specifies a URL at which the federation metadata for this claims provider trust is available.
Parameter properties
Type:
Uri
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
MetadataUrl
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-MonitoringEnabled
Indicates whether periodic monitoring of this claims provider's federation metadata is enabled.
The URL of the claims provider's federation metadata is specified by the MetadataUrl parameter.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-Name
Specifies the friendly name of this claims provider trust.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-Notes
Specifies notes for this claims provider trust.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-OrganizationalAccountSuffix
Specifies an array of organizational account suffixes an administrator can configure for the claims provider trust for a Home Realm Discovery (HRD) scenario.
Parameter properties
Type:
String[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-PassThru
Returns an object representing the item with which you are working.
By default, this cmdlet does not generate any output.
Parameter properties
Type:
SwitchParameter
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-PromptLoginFallbackAuthenticationType
Specifies a fallback authentication type for a prompt login request.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-PromptLoginFederation
The acceptable values for this parameter are:
None.
Do not federate prompt=login request and error instead.
FallbackToProtocolSpecificParameters.
Translate prompt=login to wfresh=0 and Wauth=forms during federation.
If wauth is present in the original request, it will be preserved.
ForwardPromptAndHintsOverWsFederation.
Forward prompt, login_hint, and domain_hint parameters during federation.
Specifies which protocol profiles the claims provider supports.
The acceptable values for this parameter are:
SAML
WsFederation
WsFed-SAML.
The default value is WsFed-SAML.
Parameter properties
Type:
String
Default value:
None
Accepted values:
WSFederation, WsFed-SAML, SAML
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-RequiredNameIdFormat
Specifies the format that is required for NameID claims to be included in SAML requests to the claims provider.
By default, no format is required.
Parameter properties
Type:
Uri
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SamlAuthenticationRequestIndex
Specifies the value of AssertionConsumerServiceIndex that will be placed in SAML authentication requests that are sent to the claims provider.
Parameter properties
Type:
UInt16
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SamlAuthenticationRequestParameters
Specifies which of the following parameters to use in SAML authentication requests to the claims provider: AssertionConsumerServiceIndex, AssertionConsumerServiceUrl, and ProtocolBinding.The acceptable values for this parameter are:
Indicates whether the Federation Service requires signed SAML protocol requests from the relying party.
If you specify a value of $True, the Federation Service rejects unsigned SAML protocol requests.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SigningCertificateRevocationCheck
Specifies the type of certificate validation that occurs when signatures are verified on responses or assertions from the claims provider.
The acceptable values for this parameter are:
The Add-AdfsClaimsProviderTrust cmdlet adds a new claims provider trust to the Federation Service.
Use this cmdlet when users from a partner organization need to access resources (relying parties) protected by the Active Directory Federation Services (AD FS) service.
You can specify a claims provider trust manually, or you can provide a federation metadata document to bootstrap initial configuration.
In Windows Server 2016, AD FS supports the prompt=login parameter.
When AD FS is acting as a federation provider, these new properties on the claims provider trust determine how AD FS handles the parameter.
Parameter properties
Type:
SwitchParameter
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
AllProperties
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-TokenSigningCertificate
Specifies an array of token-signing certificates that the claims provider uses.
Parameter properties
Type:
X509Certificate2[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
AllProperties
Position:
Named
Mandatory:
True
Value from pipeline:
True
Value from pipeline by property name:
False
Value from remaining arguments:
False
-WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
Parameter properties
Type:
SwitchParameter
Default value:
False
Supports wildcards:
False
DontShow:
False
Aliases:
wi
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-WSFedEndpoint
Specifies the WS-Federation Passive URL for this claims provider.
Parameter properties
Type:
Uri
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
AllProperties
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters.
Returns the new ClaimsProviderTrust object when the PassThru parameter is specified. By default, this cmdlet does not generate any output.
Notes
The claims provider is responsible for collecting and authenticating a user's credentials, building up claims for that user, and packaging the claims into security tokens or Information Cards. In other words, a claims provider represents the organization for whose users the claims provider issues security tokens or Information Cards on their behalf. When you configure Active Directory Federation Services (AD FS) to use federation services, the role of the claims provider is to enable its users to access resources that a relying party organization hosts by establishing one side of a federation trust relationship. After the trust is established, tokens and Information Cards can be presented to the relying party across the federation trust.