@precurse
Created December 9, 2016 18:47
PowerShell script to automate configuration of OpenConext
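## Please Update this for your schacHomeOrganization
# Value issued as schacHomeOrganization (urn:oid:1.3.6.1.4.1.25178.1.2.9) for every
# member of $group_all. It identifies your institution to the federation, so it must
# match what OpenConext expects for you.
$homeorg = "school.example.ca"
# SAML metadata of the OpenConext engine. AD FS fetches the relying-party trust
# (endpoints and signing certificates) from here and, with -AutoUpdateEnabled below,
# keeps re-fetching it; keep this an https:// URL and verify it is the engine you
# intend to federate with before running the script.
$metadataurl = "https://engine.openconext.example.com/authentication/sp/metadata"
# Group that includes all users (Used as workaround for schacHomeOrganization)
$group_all = "Domain Users"

# Stop on the first failing cmdlet instead of continuing and leaving a
# half-configured trust behind (e.g. a trust whose rules reference an empty SID).
$ErrorActionPreference = 'Stop'

# Claim descriptions for the eduPerson / SCHAC attributes the issuance rules emit.
# Get-ADGroup comes from the ActiveDirectory (RSAT) module; the Add-Adfs* / Get-Adfs*
# cmdlets from the ADFS module. Order is kept so re-runs are easy to compare.
$claimDescriptions = @(
    @{ ClaimType = "urn:oid:2.16.840.1.113730.3.1.241"; Name = "oid - Display Name" },
    @{ ClaimType = "urn:oid:0.9.2342.19200300.100.1.3"; Name = "oid - Email" },
    @{ ClaimType = "urn:oid:2.5.4.42";                  Name = "oid - givenName" },
    @{ ClaimType = "urn:oid:2.5.4.4";                   Name = "oid - surName" },
    @{ ClaimType = "urn:oid:1.3.6.1.4.1.25178.1.2.9";   Name = "oid - schacHomeOrganization" },
    @{ ClaimType = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6";  Name = "oid - eduPersonPrincipalName" }
)
# Only add descriptions that are not already registered, so the script can be
# re-run after a partial failure without Add-AdfsClaimDescription erroring on
# duplicates.
$existingClaimTypes = @(Get-AdfsClaimDescription | ForEach-Object { $_.ClaimType })
foreach ($claim in $claimDescriptions) {
    if ($existingClaimTypes -notcontains $claim.ClaimType) {
        Add-AdfsClaimDescription @claim
    }
}

# Resolve the group SID once; the "schacHomeOrg" rule below matches on its value.
$group_o = Get-ADGroup $group_all
$group_var = $group_o.SID.Value
if ([string]::IsNullOrEmpty($group_var)) {
    # An empty SID would be interpolated into the rule and silently match nobody,
    # so no user would ever receive schacHomeOrganization.
    throw "Could not resolve the SID of group '$group_all'; refusing to create a rule that matches no one."
}

# Issuance transform rules (expanding here-string: $group_var and $homeorg are
# substituted). Rule 1 maps AD attributes to the SAML NameID and the OID claims
# registered above; rule 2 issues the static schacHomeOrganization for members
# of $group_all.
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "OpenConext"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types =
("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
"urn:oid:1.3.6.1.4.1.5923.1.1.1.6","urn:oid:0.9.2342.19200300.100.1.3", "urn:oid:2.16.840.1.113730.3.1.241",
"urn:oid:2.5.4.4", "urn:oid:2.5.4.42"),
query = ";userPrincipalName,userPrincipalName,mail,displayName,sn,givenName;{0}", param = c.Value);
@RuleTemplate = "EmitGroupClaims"
@RuleName = "schacHomeOrg"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",Value == "$group_var", Issuer == "AD AUTHORITY"]
=> issue(Type = "urn:oid:1.3.6.1.4.1.25178.1.2.9", Value = "$homeorg", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Issuance authorization rule (literal here-string, nothing is expanded).
# "AllowAllAuthzRule" permits every user who can authenticate to AD FS to reach
# OpenConext; if only a subset of accounts should federate, replace this with a
# rule scoped to that group instead of relying on downstream services to filter.
$authRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",
Value = "true");
'@

# Create the relying-party trust. -AutoUpdateEnabled/-MonitoringEnabled make AD FS
# trust whatever the metadata URL serves from now on (including new certificates),
# which is why $metadataurl must be verified above.
Add-AdfsRelyingPartyTrust -Name "OpenConext" -AutoUpdateEnabled $true -MetadataUrl $metadataurl -MonitoringEnabled $true -Enabled $true -IssuanceTransformRules $rules -IssuanceAuthorizationRules $authRules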