I am using ADFS on Windows Server 2012 with SAML 2.0 to implement single sign-on for an MVC application. I started getting this error and cannot find a way to resolve it. What am I doing wrong?
The Federation Service could not authorize token issuance for caller 'xxx\xxxx'. The caller is not authorized to request a token for the relying party 'https://example.com/SampleMvcApplication/AuthServices'. Please see event 501 with the same instance id for caller identity.
Additional Data
Instance id: xyz
Relying party: https://example.com/SampleMvcApplication/AuthServices
Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity System.Security.Claims.ClaimsIdentity for relying party trust https://example.com/SampleMvcApplication/AuthServices.
at System.IdentityModel.AsyncResult.End(IAsyncResult result)
at System.IdentityModel.TypedAsyncResult`1.End(IAsyncResult result)
at System.IdentityModel.SecurityTokenService.EndIssue(IAsyncResult result)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
User Action
Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.
Posted on 2018-03-15 00:09:48
In the relying party trust (RPT) for this service provider (SP), look at the "Issuance Authorization Rules" tab. You need at least one rule that issues a claim type with the value true, and no claim issued with a claim type whose value is true, although technically I don't think either rule needs a value at all. If you let all users through the front door of the SP, you can use the rule template under Add Rule named Permit All Users.
Posted on 2019-05-10 18:05:39
You need to allow that user access to the relying party configured in ADFS.
ADFS Management -> Relying Party Trusts -> right-click your relying party -> Edit Claim Rules -> Issuance Authorization Rules -> Add Rule -> Permit All Users.
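The two answers above describe the same fix through the AD FS Management GUI: the relying party trust has no issuance authorization rule, so every token request is refused with MSIS5007. The following is an added example (not code from the question or the answers) that performs the same check and fix with the ADFS PowerShell module on the federation server. It assumes the relying party identifier from the event in the question, uses the claim rule language that the "Permit All Users" template generates, and also shows a narrower, group-scoped rule as a least-privilege alternative; the group SID in that rule is a placeholder and the "AD FS/Admin" log name is an assumption about the server's event log layout.

```powershell
# Added example: inspect and set issuance authorization rules for the relying
# party trust from the question. Run on the ADFS server as an ADFS administrator.
Import-Module ADFS

# Identifier taken from the event text in the question.
$rpIdentifier = "https://example.com/SampleMvcApplication/AuthServices"

$rpt = Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier
if (-not $rpt) {
    throw "No relying party trust found with identifier $rpIdentifier"
}

# An empty rule set here is what produces MSIS5007: nothing issues a permit claim.
Write-Output "Current issuance authorization rules:"
Write-Output $rpt.IssuanceAuthorizationRules

# Option A: exactly what the "Permit All Users" template in the GUI generates.
$permitAllUsers = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Option B (least privilege): permit only members of one AD group.
# "S-1-5-21-PLACEHOLDER-1234" is a placeholder; substitute the real group SID.
$permitOneGroup = @'
@RuleName = "Permit members of the application's access group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-1234"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Apply the group-scoped rule; swap in $permitAllUsers if everyone should get in.
Set-AdfsRelyingPartyTrust -TargetIdentifier $rpIdentifier -IssuanceAuthorizationRules $permitOneGroup

# Verify the change took effect.
Write-Output "Rules after update:"
Write-Output (Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier).IssuanceAuthorizationRules

# The error message refers to event 501 for the caller's identity; list recent
# ones so the denied user and the claims ADFS saw can be correlated by instance id.
# Assumes the ADFS admin channel is named "AD FS/Admin" on this server.
Get-WinEvent -LogName "AD FS/Admin" -MaxEvents 200 |
    Where-Object { $_.Id -eq 501 } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Before re-testing, confirm the user is actually a member of the group named in the rule; with the group-scoped rule the same MSIS5007 error is the expected outcome for anyone outside it, and event 501 will show which group SIDs were present in that caller's claims.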
https://stackoverflow.com/questions/49257004