The Federation Service could not authorize token issuance for caller 'DOMAIN\Account'

Dimuthu · Mar 13, 2018 · Viewed 10.4k times

I am using ADFS in Windows Server 2012 with SAML 2.0 to implement SSO for an MVC application. I started to get this error which I am unable to find a way to solve. What am I doing wrong?

The Federation Service could not authorize token issuance for caller 'xxx\xxxx'. The caller is not authorized to request a token for the relying party 'https://example.com/SampleMvcApplication/AuthServices'. Please see event 501 with the same instance id for caller identity.

Additional Data 
Instance id: xyz 
Relying party: https://example.com/SampleMvcApplication/AuthServices 
Exception details: 
Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity System.Security.Claims.ClaimsIdentity for relying party trust https://example.com/SampleMvcApplication/AuthServices.
   at System.IdentityModel.AsyncResult.End(IAsyncResult result)
   at System.IdentityModel.TypedAsyncResult`1.End(IAsyncResult result)
   at System.IdentityModel.SecurityTokenService.EndIssue(IAsyncResult result)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage) 
User Action 
Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.

Answer

Gilligan · Mar 14, 2018

In the Relying Party Trust (RPT) for this service provider (SP), take a look at the Issuance Authorization Rules tab. You'll need at least one rule to issue the claim type http://schemas.microsoft.com/authorization/claims/permit with a value of true and no claims issuing the claim type http://schemas.microsoft.com/authorization/claims/deny with a value of true, though technically I don't believe any value is needed for either. If all users are allowed to the front door of your SP, you can use the rule template under Add Rule called Permit All Users.
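The same check and fix, done from the ADFS PowerShell module instead of the snap-in, as an added example that is not part of the question or the answer. It reads the current Issuance Authorization Rules of the trust, applies either the "Permit All Users" rule or a group-scoped rule, and then pulls the event 501 record that the MSIS5007 text points to so you can see which claims the rejected caller actually presented. The relying-party identifier is taken from the error text; the group SID, the group name and the instance id are placeholders, and the `AD FS/Admin` log name is an assumption for Windows Server 2012 R2 (AD FS 2.0 on older servers logs to `AD FS 2.0/Admin`).

```powershell
# Added example (not from the question or answer): inspect and repair the
# Issuance Authorization Rules of an AD FS Relying Party Trust, then look up
# event 501 to learn the rejected caller's identity.
# Placeholders: the group SID, the group name and the instance id below are
# constructed, not real values.

Import-Module ADFS

$rpIdentifier = 'https://example.com/SampleMvcApplication/AuthServices'   # from the error text
$rpt = Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier

# 1. Show what the trust has now. An empty rule set means no permit claim is ever
#    issued, so every caller fails with MSIS5007.
"Current issuance authorization rules for '$($rpt.Name)':"
$rpt.IssuanceAuthorizationRules

# 2a. Same rule the 'Permit All Users' template in the snap-in creates.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# 2b. Least-privilege alternative: permit only members of one AD group.
#     Callers without a permit claim are denied; no explicit deny rule is needed.
$permitGroup = @'
@RuleName = "Permit members of SampleMvcApp-Users (placeholder group)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-1234"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Apply one rule set. -IssuanceAuthorizationRules takes the rule text as a string
# and replaces the whole set; use $permitAll instead if everyone may sign in.
Set-AdfsRelyingPartyTrust -TargetIdentifier $rpIdentifier -IssuanceAuthorizationRules $permitGroup

# 3. Confirm the change took effect.
(Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier).IssuanceAuthorizationRules

# 4. Find the event 501 that belongs to the failed request. Its message repeats the
#    Instance ID of the MSIS5007 event and lists the caller's claims (UPN, group SIDs),
#    which tells you what a scoped permit rule must match.
$instanceId = 'xyz'   # placeholder: copy the 'Instance id' from the MSIS5007 event
Get-WinEvent -LogName 'AD FS/Admin' -FilterXPath '*[System[EventID=501]]' -MaxEvents 200 |
    Where-Object { $_.Message -match [regex]::Escape($instanceId) } |
    Select-Object TimeCreated, Message |
    Format-List
```

Run it in an elevated PowerShell session on the AD FS server. The group-scoped rule in step 2b is the one to prefer when only part of the directory should reach the application; `Permit All Users` only moves the authorization decision into the application itself.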