XSLT transformation to generate PowerShell configuration scripts for federated Microsoft Azure AD domains using the SAML 2.0 protocol.
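<xsl:stylesheet
  version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>
<!--
Convert SAML 2.0 IdP metadata into Microsoft Azure PowerShell commands for
Office 365 federated domain configuration.

Example usage (plain ASCII double hyphens before each option name):
  xsltproc --stringparam domain "my-domain.org" --stringparam entityID "my-entityID" ps.xslt metadataURL
For SURFconext, use https://engine.surfconext.nl/authentication/proxy/idps-metadata

Parameters:
  domain    the federated domain name to configure (default: example.org)
  entityID  the entityID of the IdP to pick out of the metadata; when empty,
            the first md:EntityDescriptor (in document order) that carries an
            md:IDPSSODescriptor is used

Output: a PowerShell script on stdout. Every value that comes from the
metadata document (entityID, endpoint locations, signing certificate) is
emitted as a PowerShell single-quoted string with embedded apostrophes
doubled (see ps-quote), so that metadata content can never be expanded or
executed by PowerShell. Double-quoted strings would interpolate $vars,
$(...) subexpressions and backtick escapes found in the metadata.
-->
<xsl:output method="text"/>
<xsl:param name="domain" select="'example.org'"/>
<xsl:param name="entityID"/>

<!-- A single apostrophe, kept in a variable because XSLT 1.0 has no replace(). -->
<xsl:variable name="apos">'</xsl:variable>

<!--
ps-quote: emit $s with every ' doubled, i.e. the body of a PowerShell
single-quoted string literal. Recursion over substring-before/after is the
XSLT 1.0 way of doing a global replace.
-->
<xsl:template name="ps-quote">
  <xsl:param name="s"/>
  <xsl:choose>
    <xsl:when test="contains($s, $apos)">
      <xsl:value-of select="substring-before($s, $apos)"/>
      <xsl:text>''</xsl:text>
      <xsl:call-template name="ps-quote">
        <xsl:with-param name="s" select="substring-after($s, $apos)"/>
      </xsl:call-template>
    </xsl:when>
    <xsl:otherwise>
      <xsl:value-of select="$s"/>
    </xsl:otherwise>
  </xsl:choose>
</xsl:template>

<!--
Root: script prologue, the IdP-specific assignments ($idp, $crt, $sso, $slo)
and finally the federation command that consumes them.
-->
<xsl:template match="/">
$msolcred = get-credential
connect-msolservice -credential $msolcred
$dom = '<xsl:call-template name="ps-quote"><xsl:with-param name="s" select="$domain"/></xsl:call-template>'
<!-- SLO safe default; overridden when the selected IdP publishes a SingleLogoutService -->
$slo = 'https://engine.surfconext.nl/logout'
<xsl:apply-templates select="//md:EntityDescriptor"/>
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $sso -SigningCertificate $crt -IssuerUri $idp -LogOffUri $slo -PreferredAuthenticationProtocol SAMLP
</xsl:template>

<!--
Select exactly one IdP. With an explicit $entityID only the matching
EntityDescriptor is processed. With an empty $entityID the first
EntityDescriptor in document order that actually describes an IdP is taken
(SP-only entries and nested EntitiesDescriptor groups are skipped, which a
plain preceding-sibling count would not do).
-->
<xsl:template match="md:EntityDescriptor">
  <xsl:if test="($entityID = '' and generate-id(.) = generate-id((//md:EntityDescriptor[md:IDPSSODescriptor])[1])) or @entityID = $entityID">
$idp = '<xsl:call-template name="ps-quote"><xsl:with-param name="s" select="@entityID"/></xsl:call-template>'
<xsl:apply-templates select="md:IDPSSODescriptor"/>
  </xsl:if>
</xsl:template>

<!--
Signing certificate. A KeyDescriptor without a 'use' attribute is valid for
both signing and encryption per the SAML metadata spec, so it is accepted as
well. Line breaks and spaces inside the base64 (common in metadata) are
removed because -SigningCertificate expects a single base64 string. Base64
cannot contain an apostrophe, so no ps-quote is needed here. If several
signing keys are published, the last one wins ($crt is reassigned).
-->
<xsl:template match="md:KeyDescriptor[not(@use) or @use='signing']">
$crt = '<xsl:value-of select="translate(normalize-space(ds:KeyInfo/ds:X509Data/ds:X509Certificate), ' ', '')"/>'
</xsl:template>

<!-- Passive logon endpoint: only the HTTP-Redirect binding is used. -->
<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']">
$sso = '<xsl:call-template name="ps-quote"><xsl:with-param name="s" select="@Location"/></xsl:call-template>'
</xsl:template>

<!-- Logoff endpoint: only the HTTP-Redirect binding is used. -->
<xsl:template match="md:SingleLogoutService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']">
$slo = '<xsl:call-template name="ps-quote"><xsl:with-param name="s" select="@Location"/></xsl:call-template>'
</xsl:template>

<!--
Catch-all: recurse into child nodes without copying any text, overriding the
built-in rule that would otherwise echo metadata text into the script.
-->
<xsl:template match="text()|*">
  <xsl:apply-templates/>
</xsl:template>
</xsl:stylesheet>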
For SURFconext, use:
curl -s https://engine.surfconext.nl/authentication/proxy/idps-metadata | xsltproc --stringparam domain "my-domain.org" --stringparam entityID "my-entityID" msol-surfconext-powershell.xslt -