Tags: powershell, adfs

ADFS PowerShell script to add additional SamlEndpoints to existing


This question likely doesn't require actual knowledge of ADFS, but I'm providing that for context. The command "Set-AdfsRelyingPartyTrust -Name X -SamlEndpoint Y" overwrites all SAML endpoints with what you specify. What I'd like to do is create a script that takes the existing SAML endpoints and sets them as variables so that I can then add them all back along with the new endpoint.

If there's only one existing endpoint, I can put it into a variable using this and it works:

$EP = New-AdfsSamlEndpoint -Binding "POST" -Protocol "SAMLAssertionConsumer" -Uri "https://test.com" -Index 1
$EP1 = Get-ADFSRelyingPartyTrust -Name "X" | Select-Object -ExpandProperty SamlEndpoints 
Set-AdfsRelyingPartyTrust -TargetName "PsTest" -SamlEndpoint $EP,$EP1

The problem with this is that, if multiple endpoints exist, expand-property returns them all as a single value which breaks the function. Using "-limit 1" doesn't work because the whole output of expand-property is considered 1.

What I can do is to generate a numbered list of each index value using this command:

Get-AdfsRelyingPartyTrust -Name "X" | Select-Object -ExpandProperty SamlEndpoints | Select-Object -ExpandProperty Index

and then create a unique variable for each corresponding index value

$EP1 = Get-ADFSRelyingPartyTrust -Name "X" | Select-Object -ExpandProperty SamlEndpoints | Where-Object {$_.Index -eq 2}

But in order to completely script this rather than setting variables by hand, I'd need to automate setting "$_.Index -eq" to each index value that's output from "-ExpandProperty Index", and to assign a unique variable to each of those, which is where I'm stuck. What's the best way to approach this?


Solution

  • Take the following code as an example. This code reads the input of the first three variables and then creates new endpoints based on the input.

    In this example, we prepare the new endpoints in variable $NewSamlEndpoints. For each URL that you define, we add a new SAML endpoint, i.e. a POST binding or Artifact binding. Analogous for the logout URLs. Simply comment out or modify the endpoint types that you do not need.

    $NewACSEndpoints = 'https://...', 'https://...'
    $NewLogoutEndpoints = 'https://...', 'https://...'
    $RelyingPartyName = 'My App'
    
    $RelyingParty = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    # Wrap in @() so += appends correctly even when the trust has zero or one endpoint
    $SamlEndpoints = @($RelyingParty.SamlEndpoints)
    # Highest index already in use; new assertion consumer endpoints continue from here
    $HighestIndex = ($SamlEndpoints.Index | Measure-Object -Maximum).Maximum
    # Start from the existing endpoints, because Set-AdfsRelyingPartyTrust replaces the whole list
    $NewSamlEndpoints = $SamlEndpoints
    
    foreach ($ACSEndpoint in $NewACSEndpoints) {
        $HighestIndex++
        $NewSamlEndpoints += (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $ACSEndpoint -Index $HighestIndex -IsDefault $false)
    
        $HighestIndex++
        $NewSamlEndpoints += (New-AdfsSamlEndpoint -Binding Artifact -Protocol SAMLAssertionConsumer -Uri $ACSEndpoint -Index $HighestIndex -IsDefault $false)
    }
    
    # Logout endpoints carry no index
    foreach ($LogoutEndpoint in $NewLogoutEndpoints) {
        $NewSamlEndpoints += (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $LogoutEndpoint)
        $NewSamlEndpoints += (New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout -Uri $LogoutEndpoint)
    }
    
    # Write back existing + new endpoints in one call
    Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -SamlEndpoint $NewSamlEndpoints
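The same approach wrapped in a reusable function, as an added example that is not part of the question or the answer above. It goes a little beyond the answer: it skips endpoints that already exist (so re-running it is safe), refuses non-HTTPS URLs, and supports -WhatIf so the resulting endpoint list can be reviewed before the trust is overwritten. The function name Add-AdfsSamlEndpointPreserving and the helper Get-EndpointKey are made up for this example; it assumes the AD FS module is loaded and that the SamlEndpoint objects returned by Get-AdfsRelyingPartyTrust expose Binding, Protocol, Location and Index properties.

```powershell
# Added example, not the answer's script. Appends SAML endpoints to a relying
# party trust without dropping the existing ones and without duplicating any.
# Assumes SamlEndpoint objects have Binding, Protocol, Location and Index.
function Add-AdfsSamlEndpointPreserving {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $RelyingPartyName,
        [Parameter(Mandatory)] [string[]] $AcsUri,                 # new assertion consumer URLs
        [string[]] $LogoutUri  = @(),                              # new single logout URLs
        [string[]] $AcsBinding = @('POST')                         # bindings created per ACS URL
    )

    # Identifies an endpoint independently of its index, so re-runs do not add duplicates
    function Get-EndpointKey([string] $Binding, [string] $Protocol, [string] $Uri) {
        return ("{0}|{1}|{2}" -f $Binding, $Protocol, ([uri] $Uri).AbsoluteUri).ToLowerInvariant()
    }

    $trust = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $trust) { throw "Relying party trust '$RelyingPartyName' not found." }

    # Work on a real array so += behaves with zero or one existing endpoint
    $endpoints = @($trust.SamlEndpoints)
    $nextIndex = 0
    if ($endpoints.Count -gt 0) {
        $nextIndex = ($endpoints | Measure-Object -Property Index -Maximum).Maximum + 1
    }

    # A SAML response carries the user's identity; only accept HTTPS destinations
    foreach ($u in @($AcsUri) + @($LogoutUri)) {
        if (([uri] $u).Scheme -ne 'https') { throw "Refusing non-HTTPS endpoint: $u" }
    }

    $existing = @{}
    foreach ($e in $endpoints) {
        $existing[(Get-EndpointKey $e.Binding $e.Protocol $e.Location)] = $true
    }

    $added = @()
    foreach ($u in $AcsUri) {
        foreach ($b in $AcsBinding) {
            $k = Get-EndpointKey $b 'SAMLAssertionConsumer' $u
            if ($existing.ContainsKey($k)) { Write-Verbose "Skipping existing $k"; continue }
            $endpoints += New-AdfsSamlEndpoint -Binding $b -Protocol SAMLAssertionConsumer `
                                               -Uri $u -Index $nextIndex -IsDefault $false
            $existing[$k] = $true
            $added += $k
            $nextIndex++
        }
    }
    foreach ($u in $LogoutUri) {
        foreach ($b in 'POST', 'Redirect') {
            $k = Get-EndpointKey $b 'SAMLLogout' $u
            if ($existing.ContainsKey($k)) { Write-Verbose "Skipping existing $k"; continue }
            $endpoints += New-AdfsSamlEndpoint -Binding $b -Protocol SAMLLogout -Uri $u
            $existing[$k] = $true
            $added += $k
        }
    }

    if ($added.Count -eq 0) { Write-Verbose 'Nothing to add.'; return @() }

    # The full list is written back because -SamlEndpoint replaces rather than appends.
    # With -WhatIf the change is only reported, not applied.
    if ($PSCmdlet.ShouldProcess($RelyingPartyName, "add SAML endpoints: $($added -join ', ')")) {
        Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -SamlEndpoint $endpoints
    }
    return $added
}

# Example call with constructed values; drop -WhatIf to apply the change:
# Add-AdfsSamlEndpointPreserving -RelyingPartyName 'My App' `
#     -AcsUri 'https://app.example.com/saml/acs' -LogoutUri 'https://app.example.com/saml/slo' `
#     -WhatIf -Verbose
```

The function returns the keys of the endpoints it added, so a change ticket or a log entry can record exactly which bindings and URLs went into the trust; running it a second time with the same arguments adds nothing.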