Creating a relying party trust using Windows PowerShell

You can use Windows PowerShell to quickly create one or more relying party trusts.

Before you begin

About this task

These instructions apply to AD FS 4.0, which is included with Windows Server 2016. If you are using AD FS 3.0, which is included with Windows 2012 R2, you will notice slight differences in the procedure. See the Microsoft AD FS documentation if you have questions.

Steps

  1. From the Windows start menu, right-click the PowerShell icon, and select Run as Administrator.
  2. At the PowerShell command prompt, enter the following command:Add-AdfsRelyingPartyTrust -Name "Admin_Node_Identifer" -MetadataURL "https://Admin_Node_FQDN/api/saml-metadata"
    • For Admin_Node_Identifier, enter the Relying Party Identifier for the Admin Node, exactly as it appears on the Single Sign-on page. For example, SG-DC1-ADM1.

    • For Admin_Node_FQDN, enter the fully qualified domain name for the same Admin Node. (If necessary, you can use the node’s IP address instead. However, if you enter an IP address here, be aware that you must update or recreate this relying party trust if that IP address ever changes.)
  3. From Windows Server Manager, select Tools > AD FS Management.
    The AD FS management tool appears.
  4. Select AD FS > Relying Party Trusts.
    The list of relying party trusts appears.
  5. Add an Access Control Policy to the newly created relying party trust:
    1. Locate the relying party trust you just created.
    2. Right-click the trust, and select Edit Access Control Policy.
    3. Select an Access Control Policy.
    4. Click Apply, and click OK
  6. Add a Claim Issuance Policy to the newly created Relying Party Trust:
    1. Locate the relying party trust you just created.
    2. Right-click the trust, and select Edit claim issuance policy.
    3. Click Add rule.
    4. On the Select Rule Template page, select Send LDAP Attributes as Claims from the list, and click Next.
    5. On the Configure Rule page, enter a display name for this rule.
      For example, ObjectGUID to Name ID.
    6. For the Attribute Store, select Active Directory.
    7. In the LDAP Attribute column of the Mapping table, type objectGUID.
    8. In the Outgoing Claim Type column of the Mapping table, select Name ID from the drop-down list.
    9. Click Finish, and click OK.
  7. Confirm that the metadata was imported successfully.
    1. Right-click the relying party trust to open its properties.
    2. Confirm that the fields on the Endpoints, Identifiers, and Signature tabs are populated.
      If the metadata is missing, confirm that the Federation metadata address is correct, or simply enter the values manually.
  8. Repeat these steps to configure a relying party trust for all of the Admin Nodes in your StorageGRID system.
  9. When you are done, return to StorageGRID and test all relying party trusts to confirm they are configured correctly.