Last active: September 25, 2024 07:12
Gist: AlainODea/7bc9a0e6c04a19606eeaa4f0b99b8893

PowerShell scripts for pulling SAML IdP and SP settings from metadata, with AD FS and Okta examples. Gets the last (or only) signing key from the WS-Federation FederationMetadata.xml that AD FS publishes, including during signing certificate rollover (PowerShell).
```powershell
# Get settings to enter on the Identity Provider (IdP) to allow authentication to Service Provider (SP)
function Get-IdP-Settings-From-SP($Metadata) {
    # Accepts either an XmlDocument (from Invoke-RestMethod) or file content (from Get-Content)
    [xml]$SPMetadata = $Metadata
    # Where the IdP must POST the SAML response (HTTP-POST binding only)
    $SPAssertionConsumerServiceURL = $SPMetadata.EntityDescriptor.SPSSODescriptor.AssertionConsumerService |
        ? {$_.Binding -eq "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"} |
        % {$_.Location}
    $SPIssuerURI = $SPMetadata.EntityDescriptor.entityID
    # Metadata can list more than one signing key during certificate rollover; take the last one
    $SPSignatureCertificate = $SPMetadata.EntityDescriptor.SPSSODescriptor.KeyDescriptor |
        ? {$_.use -eq "signing"} |
        Select-Object -Last 1 |
        % {$_.KeyInfo.X509Data.X509Certificate}
    Write-Host "SP Issuer URI: $SPIssuerURI"
    Write-Host "SP Assertion Consumer Service URL: $SPAssertionConsumerServiceURL"
    Write-Host "SP Signature Certificate:"
    Write-Host $SPSignatureCertificate
}
```
```powershell
# Get settings to enter on the Service Provider (SP) to have it trust your Identity Provider (IdP)
function Get-SP-Settings-From-IdP($Metadata) {
    # Accepts either an XmlDocument (from Invoke-RestMethod) or file content (from Get-Content)
    [xml]$IdPMetadata = $Metadata
    # Where the SP must send authentication requests (HTTP-POST binding only)
    $IdPSingleSignOnURL = $IdPMetadata.EntityDescriptor.IDPSSODescriptor.SingleSignOnService |
        ? {$_.Binding -eq "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"} |
        % {$_.Location}
    $IdPIssuerURI = $IdPMetadata.EntityDescriptor.entityID
    # Metadata can list more than one signing key during certificate rollover; take the last one
    $IdPSignatureCertificate = $IdPMetadata.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
        ? {$_.use -eq "signing"} |
        Select-Object -Last 1 |
        % {$_.KeyInfo.X509Data.X509Certificate}
    Write-Host "IdP Issuer URI: $IdPIssuerURI"
    Write-Host "IdP Single Sign-On URL: $IdPSingleSignOnURL"
    Write-Host "IdP Signature Certificate:"
    Write-Host $IdPSignatureCertificate
}
```
```powershell
# Get settings to enter on the Service Provider (SP) to have it trust your Identity Provider (IdP)
# AD FS is the IdP. Replace idp-fs.contoso.com with your IdP AD FS hostname
$FederationMetadataUri = "https://idp-fs.contoso.com/federationmetadata/2007-06/federationmetadata.xml"
Get-SP-Settings-From-IdP (Invoke-RestMethod -Uri $FederationMetadataUri)

# Get settings to enter on the Identity Provider (IdP) to allow authentication to Service Provider (SP)
# AD FS is the SP. Replace sp-fs.contoso.com with your SP AD FS hostname
$FederationMetadataUri = "https://sp-fs.contoso.com/federationmetadata/2007-06/federationmetadata.xml"
# Fetch the SP metadata from the URI set above (the original used a local 'metadata.xml' and left the URI unused)
Get-IdP-Settings-From-SP (Invoke-RestMethod -Uri $FederationMetadataUri)
```
```powershell
# Get settings to enter on the Service Provider (SP) to have it trust your Identity Provider (IdP)
# Download the metadata file from your IdP:
# In the Okta Admin console:
# 1. Navigate to the SAML 2.0 app you created
# 2. Switch to that app's Sign-On tab
# 3. Click the Identity Provider Metadata link
# 4. Rename the downloaded file to idp_metadata.xml
Get-SP-Settings-From-IdP (Get-Content 'idp_metadata.xml')

# Get settings to enter on the Identity Provider (IdP) to allow authentication to Service Provider (SP)
# Download the metadata file from your SP:
# In the Okta Admin console:
# 1. Navigate to the SAML 2.0 Identity Provider you created
# 2. Switch to that app's Sign-On tab
# 3. Click Download Metadata link
# 4. Rename the downloaded file to sp_metadata.xml
Get-IdP-Settings-From-SP (Get-Content 'sp_metadata.xml')
```
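The functions above take the last signing KeyDescriptor, which is what you want when only one key is published; during a rollover, though, an operator should see every key and its validity before deciding which one to trust. The following is an added example, not part of the original gist: it decodes each signing certificate in IdP or SP metadata and reports subject, thumbprint and validity window. It assumes PowerShell 7 (or Windows PowerShell 5.1 on .NET Framework 4.7.2+ for `CertificateRequest`), and the demo input, hostname `idp-fs.example.test` included, is constructed in the script with throwaway self-signed keys.

```powershell
# Added example, not part of the original gist. Lists every signing certificate in
# SAML or WS-Federation metadata with thumbprint and validity window, so an operator can
# confirm which key is current during a rollover instead of trusting "the last one".
function Get-SigningCertificates($Metadata) {
    [xml]$Xml = $Metadata
    # Either role descriptor may be absent; $null entries are filtered out below.
    $KeyDescriptors = @($Xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor) +
                      @($Xml.EntityDescriptor.SPSSODescriptor.KeyDescriptor)
    $Now = Get-Date
    $KeyDescriptors |
        Where-Object { $_ -and $_.use -eq "signing" } |
        ForEach-Object {
            # Metadata may wrap the base64 across lines; strip whitespace before decoding.
            $Der  = [Convert]::FromBase64String(($_.KeyInfo.X509Data.X509Certificate -replace '\s', ''))
            $Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Der)
            [pscustomobject]@{
                Subject    = $Cert.Subject
                Thumbprint = $Cert.Thumbprint
                NotBefore  = $Cert.NotBefore
                NotAfter   = $Cert.NotAfter
                IsValidNow = ($Cert.NotBefore -le $Now) -and ($Cert.NotAfter -gt $Now)
            }
        }
}

# Constructed demo input: throwaway self-signed keys and a hypothetical hostname,
# shaped like AD FS metadata mid-rollover (two signing KeyDescriptors).
function New-DemoCertBase64($Subject, $NotAfter) {
    $Rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $Req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        $Subject, $Rsa, [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $Cert = $Req.CreateSelfSigned((Get-Date).AddDays(-1), $NotAfter)
    [Convert]::ToBase64String($Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
}
$Old = New-DemoCertBase64 "CN=ADFS Signing - old" (Get-Date).AddDays(30)
$New = New-DemoCertBase64 "CN=ADFS Signing - new" (Get-Date).AddYears(1)
$DemoMetadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://idp-fs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>$Old</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>$New</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"@
Get-SigningCertificates $DemoMetadata | Format-Table -AutoSize
# Real use: Get-SigningCertificates (Invoke-RestMethod -Uri $FederationMetadataUri)
```

Comparing the reported thumbprints against what the relying party currently trusts is the quickest way to tell whether a rollover has already published the new key.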
What module of PowerShell are you using or importing?