0

我在带有 SAML 2.0 的 Windows Server 2012 中使用 ADFS 为 MVC 应用程序实现 SSO。我开始遇到这个错误,我无法找到解决方法。我究竟做错了什么?

The Federation Service could not authorize token issuance for caller 'xxx\xxxx
'. The caller is not authorized to request a token for the relying party 'https://example.com/SampleMvcApplication/AuthServices'. Please see event 501 with the same instance id for caller identity. 

Additional Data 
Instance id: xyz 
Relying party: https://example.com/SampleMvcApplication/AuthServices 
Exception details: 
Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity System.Security.Claims.ClaimsIdentity for relying party trust https://example.com/SampleMvcApplication/AuthServices.
   at System.IdentityModel.AsyncResult.End(IAsyncResult result)
   at System.IdentityModel.TypedAsyncResult`1.End(IAsyncResult result)
   at System.IdentityModel.SecurityTokenService.EndIssue(IAsyncResult result)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage) 
User Action 
Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.
4

2 回答 2

1

在此服务提供商 (SP) 的信赖方信任 (RPT) 中,查看颁发授权规则选项卡。您需要至少一个规则来发布声明类型http://schemas.microsoft.com/authorization/claims/permit,其值为true,并且没有声明发布声明类型http://schemas.microsoft.com/ authorization/claims/deny的值为true,但从技术上讲,我认为两者都不需要任何值。如果允许所有用户进入您的 SP 的前门,您可以使用 Add Rule 下名为Permit All Users的规则模板。

于 2018-03-14T16:09:47.880 回答
1

您需要允许该用户使用 ADFS 中配置的信赖方。

ADFS 管理 -> 信赖方信任 -> 右键单击​​您的信赖方 -> 编辑声明规则 -> 颁发授权规则 -> 添加规则 -> 允许所有用户访问。

于 2019-05-10T10:05:38.520 回答