Working with ADFS I find it handy to be able to backup and restore the claim rules of an application. Doing this allows me to confidently make my changes, knowing that I can get back to where I was. Being able to do this without involving anyone else or causing downtime for other applications is key.
It is for these reasons I’ve decided to create some PowerShell scripts. These allow easy creation backups of backups and methods for performing a restore.
Backing up claims
The following script will create a text-file containing the claims of the specified application.
#Variables
$SourceRPTName = 'Your relaying party trust name'
$SaveFolder = 'C:\ADFSBackup\Claims\'
$Date = Get-Date -Format yyyyMMdd
$Count = 0
#Read the RPTs claims
$Claims = (Get-AdfsRelyingPartyTrust -Name $SourceRPTName).IssuanceTransformRules
#Ensure nothing is overwritten
while (Test-Path ($SaveFolder + $SourceRPTName + '-' + $Date + '-' + $Count + '.txt')) {
$Count++
}
#Write the claims to file
$Claims | Out-File ($SaveFolder + $SourceRPTName + '-' + $Date + '-' + $Count + '.txt')
Restore claims from backup
Below is the simple script I use to restore my claim backups.
$TargetRPTName = 'Your relaying party trust name'
$ClaimBackupPath = 'C:\ADFSBackup\Claims\Application-20200226-0.txt'
#Read the claim backup
[string]$ClaimBackup = Get-Content $ClaimBackupPath
#If import was successfull, overwrite the target RPTs claims
if ($ClaimBackup){
Set-AdfsRelyingPartyTrust -TargetName $TargetRPTName -IssuanceTransformRules $ClaimBackup
}
The scripts are also very useful when moving applications to new ADFS environments or making sure stage and production environments match.
If you need to copy claims between applications on the same server I suggest using this script from the PowerShell gallery.
Hello …thanks for sharing this .. just a couple of questions
What about the certificate? do we need reinstall it after did the restore?
I have on Relying Party Trust on production but user wants to have the same for test purpose. Is possible to use the Restore option but changing the value on ” TargetRPTName ” with the name that we want?
Thanks !!
Hi Benjamin,
The scripts here will only backup the claims for a RPT not the RPT itself, hence it does not backup or restore the certificates associated with the RPT. You can use the script to copy the claims configuration between prod and test but the appropriate RPT needs to be created first. Using a different names for source and target will work just fine.
Good luck!