Get ADFS Token in Powershell

Question

We have an ADFS 2.0 Environment that is used to federate our Active Directory domain with Office 365.

Recently we had an issue where the cluster stopped responding whic

Answer 1

I work on a product that does federated authentication using WS-Federation and WS-Trust. I believe your case is part of our workflow.

Over the years, I've developed PowerShell automation against our SOAP based API, and at some point I consolidate that knowledge into WcfPS module available on the gallery.

The code for the module is open source and although its in script it depends heavily on .net framework classes and assemblies from the System.ServiceModel and System.IdentityModel assemblies. I mention this because most of the apis inside those assemblies are not available from .NET standard 2, so the module unfortunately will not work non windows operating systems. You can also read more about it in my post WCFPS - PowerShell module to work with SOAP endpoints.

This is an example where you can issue symmetric and bearer tokens depending on your service provider requirements and relying party configuration. The code requires basic understanding of federated security flow, setup and terminology.

# Define the ADFS MEX uri 
$adfsMexUri="https://adfs.example.com/adfs/services/trust/mex"

#region Define authentication endpoints. One for windows and one with username/password
$windowsMixed13AuthenticationEndpoint="https://adfs.example.com/adfs/services/trust/13/windowsmixed"
$usernamePasswordMixed13AuthenticationEndpoint="https://adfs.example.com/adfs/services/trust/13/usernamemixed"
#endregion

#region Define service providers for which we want to issue a symmetric and a bearer token respectively
# Symmatric is for SOAP, WS-Trust
# Bearer is for Web, WS-Federation
$soapServiceProviderAppliesTo="https://myserviceprovider/Soap/"
$webServiceProviderAppliesTo="https://myserviceprovider/Web/"
#endregion

# Parse the MEX and locate the service endpoint
$issuerImporter=New-WcfWsdlImporter -Endpoint $adfsMexUri

#region Issue tokens with windows authentications
$issuerEndpoint=$issuerImporter | New-WcfServiceEndpoint -Endpoint $windowsMixed13AuthenticationEndpoint
$soapToken=New-SecurityToken -Endpoint $issuerEndpoint -AppliesTo $soapServiceProviderAppliesTo -Symmetric
$webToken=New-SecurityToken -Endpoint $issuerEndpoint -AppliesTo $webServiceProviderAppliesTo -Bearer  
#endregion

#region Issue tokens with username/password credentials
$credential=Get-Credential
$issuerEndpoint=$issuerImporter | New-WcfServiceEndpoint -Endpoint $usernamePasswordMixed13AuthenticationEndpoint
$soapToken=New-SecurityToken -Endpoint $issuerEndpoint -Credential $credential -AppliesTo $soapServiceProviderAppliesTo -Symmetric
$webToken=New-SecurityToken -Endpoint $issuerEndpoint -Credential $credential -AppliesTo $webServiceProviderAppliesTo -Bearer    
#endregion

Answer 2

This script should get you on your way http://gallery.technet.microsoft.com/scriptcenter/Invoke-ADFSSecurityTokenReq-09e9c90c You will need .Net Framework 4.5

You could also simulate an ADFS logon to Office 365 using the Connect-MSOL cmdlet to connect to a powershell session - if you use an ADFS account an ADFS login will occur.

Answer 3

Essentially, you use the WSTrustChannelFactory, create a channel, and pass it a RequestSecurityToken.

Leandro has a nice, concise sample

You'll need to install Windows Identity Foundation (WIF) if you aren't using .NET 4.5.