我在带有 SAML 2.0 的 Windows Server 2012 中使用 ADFS 为 MVC 应用程序实现 SSO。我开始遇到这个错误,我无法找到解决方法。我究竟做错了什么?
The Federation Service could not authorize token issuance for caller 'xxx\xxxx
'. The caller is not authorized to request a token for the relying party 'https://example.com/SampleMvcApplication/AuthServices'. Please see event 501 with the same instance id for caller identity.
Additional Data
Instance id: xyz
Relying party: https://example.com/SampleMvcApplication/AuthServices
Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity System.Security.Claims.ClaimsIdentity for relying party trust https://example.com/SampleMvcApplication/AuthServices.
at System.IdentityModel.AsyncResult.End(IAsyncResult result)
at System.IdentityModel.TypedAsyncResult`1.End(IAsyncResult result)
at System.IdentityModel.SecurityTokenService.EndIssue(IAsyncResult result)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
User Action
Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.