I am using ADFS with SAML 2.0 on Windows Server 2012 to implement SSO for an MVC application. I started getting this error and cannot find a way around it. What am I doing wrong?
The Federation Service could not authorize token issuance for caller 'xxx\xxxx'. The caller is not authorized to request a token for the relying party 'https://example.com/SampleMvcApplication/AuthServices'. Please see event 501 with the same instance id for caller identity.
Additional Data
Instance id: xyz
Relying party: https://example.com/SampleMvcApplication/AuthServices
Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity System.Security.Claims.ClaimsIdentity for relying party trust https://example.com/SampleMvcApplication/AuthServices.
at System.IdentityModel.AsyncResult.End(IAsyncResult result)
at System.IdentityModel.TypedAsyncResult`1.End(IAsyncResult result)
at System.IdentityModel.SecurityTokenService.EndIssue(IAsyncResult result)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
User Action
Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.
Answer 0 (score: 1)
In the relying party trust (RPT) for this service provider (SP), look at the "Issuance Authorization Rules" tab. You need at least one rule that issues the claim type http://schemas.microsoft.com/authorization/claims/permit with a value of true, and no rule that issues the claim type http://schemas.microsoft.com/authorization/claims/deny with a value of true, although technically I don't believe any value is required. If all users are allowed through the SP's front door, you can use the rule template under Add Rule called Permit All Users.
Answer 1 (score: 1)
You need to permit that user for the relying party configured in ADFS.
ADFS Management -> Relying Party Trusts -> right-click your relying party -> Edit Claim Rules -> Issuance Authorization Rules -> Add Rule -> Permit All Users.
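The same fix done from PowerShell on the federation server, as an added example that is not part of either answer: it reads the RPT's current issuance authorization rules, applies a permit rule, and verifies the result. It shows both the "Permit All Users" rule from the answers and a narrower group-scoped permit; the RPT display name and the group SID are placeholders.

```powershell
# Added example (not from the original post). Assumes the AD FS PowerShell module
# on the federation server; the RPT display name and group SID are placeholders.
Import-Module ADFS

$rptName = 'SampleMvcApplication'   # placeholder: display name of the relying party trust

# Inspect the current issuance authorization rules. An empty rule set, or one that
# never issues .../claims/permit = "true", produces MSIS5007 for every caller.
$rpt = Get-AdfsRelyingPartyTrust -Name $rptName
"Current issuance authorization rules:`n$($rpt.IssuanceAuthorizationRules)"

# Equivalent of the "Permit All Users" rule template from the GUI.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Narrower alternative: permit only members of one AD group, matched on the
# group SID so that renaming the group does not silently change who gets in.
$groupSid = 'S-1-5-21-0-0-0-0000'   # placeholder SID of the authorized group
$permitGroup = @"
@RuleName = "Permit members of the application group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Apply the group-scoped rule; pass $permitAll instead if everyone should be admitted.
Set-AdfsRelyingPartyTrust -TargetName $rptName -IssuanceAuthorizationRules $permitGroup

# Verify: the rule set must now contain a permit rule and no deny rule.
$rules = (Get-AdfsRelyingPartyTrust -Name $rptName).IssuanceAuthorizationRules
if ($rules -match 'claims/permit' -and $rules -notmatch 'claims/deny') {
    "OK: issuance authorization rules permit token issuance for $rptName"
} else {
    "Check the rules for $rptName; token issuance will still fail with MSIS5007"
}
```

Set-AdfsRelyingPartyTrust replaces the whole rule set, so include every rule you want to keep in the string you pass.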