Hello,
I set up a testing environment for building federation services between ADFS 3.0 and simpleSAMLphp. In ADFS 3.0, I try to deny users access to the simpleSAMLphp application based on email address. Here are the claim rules I set in the ADFS issuance authorization rules:
#1
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
#2
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "^(?i)testing@aabb\.com$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
#3 Permit All Users
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
It works; the user cannot reach the application. But it also displays an error message (I expected a page telling the user they have no permission, or to remain on the ADFS login page):
Exception during login: sspmod_saml_Error: Responder/RequestDenied
Backtrace:
3 /var/simplesamlphp/modules/saml/lib/Message.php:385 (sspmod_saml_Message::getResponseError)
2 /var/simplesamlphp/modules/saml/lib/Message.php:492 (sspmod_saml_Message::processResponse)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /var/simplesamlphp/www/module.php:134 (N/A)
And in the ADFS log, it has this error:
Event ID 325:
The Federation Service could not authorize token issuance for caller 'xxxxxxxx'. The caller is not authorized to request a token for the relying party 'https://xxxxxxxxx/simplesaml/module.php/saml/sp/metadata.php/default-sp'. See event 501 with the same Instance ID for caller identity.
Additional Data
Instance ID: f253dded-604a-4b8a-8247-bbb4dbf861c5
Relying party: https://xxxxxxxxx/simplesaml/module.php/saml/sp/metadata.php/default-sp
Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity xxxxxxxx for relying party trust https://xxxxxxxx/simplesaml/module.php/saml/sp/metadata.php/default-sp.
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.EndIssue(IAsyncResult result)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
User Action
Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.
I am not sure whether this problem belongs to ADFS or simpleSAMLphp. Is there something wrong with my configuration?
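The exchange behind the two errors above, as an added example that is not part of the original post or of either product's code: when an issuance authorization rule issues a deny claim, ADFS does not issue an assertion at all; it sends the SP a SAML 2.0 Response whose Status is the top-level code urn:oasis:names:tc:SAML:2.0:status:Responder with the nested second-level code urn:oasis:names:tc:SAML:2.0:status:RequestDenied. simpleSAMLphp's sspmod_saml_Error reports exactly that pair as "status/substatus", which is the "Responder/RequestDenied" string in the exception. The Python below (my own illustration; the two Response documents, the IDs and the sp.example host are constructed) parses the Status block and classifies it, which is the check an SP would need before it could show a friendly "no permission" page instead of a stack trace.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 protocol namespace and the prefix shared by all standard status codes.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

# Constructed example: what ADFS returns when the issuance authorization
# rules deny the caller. Note there is no <saml:Assertion> element.
DENIED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}"
    ID="_denied-example" Version="2.0" IssueInstant="2015-01-01T00:00:00Z"
    Destination="https://sp.example/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS_PREFIX}Responder">
      <samlp:StatusCode Value="{STATUS_PREFIX}RequestDenied"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

# Constructed example: the Status block of a successful response
# (the Assertion that would normally follow is omitted for brevity).
SUCCESS_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}"
    ID="_success-example" Version="2.0" IssueInstant="2015-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS_PREFIX}Success"/>
  </samlp:Status>
</samlp:Response>"""


def _strip_prefix(code: str) -> str:
    """Return the short name of a standard status URI, or the full URI otherwise."""
    return code[len(STATUS_PREFIX):] if code.startswith(STATUS_PREFIX) else code


def parse_status(response_xml: str) -> dict:
    """Extract the chain of StatusCode values (top-level first) and StatusMessage.

    In production use a hardened parser (e.g. defusedxml) on untrusted XML;
    ElementTree is used here only to keep the example self-contained.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("Response has no samlp:Status element")

    # StatusCode elements nest: Responder -> RequestDenied in the denied case.
    codes = []
    node = status.find(f"{{{SAMLP}}}StatusCode")
    while node is not None:
        value = node.get("Value")
        if not value:
            raise ValueError("StatusCode without a Value attribute")
        codes.append(value)
        node = node.find(f"{{{SAMLP}}}StatusCode")
    if not codes:
        raise ValueError("Status has no StatusCode")

    msg = status.find(f"{{{SAMLP}}}StatusMessage")
    message = msg.text.strip() if msg is not None and msg.text else None

    return {
        "codes": codes,
        # Same "status/substatus" shape simpleSAMLphp prints, e.g. Responder/RequestDenied.
        "short": "/".join(_strip_prefix(c) for c in codes),
        "message": message,
        "success": codes[0] == STATUS_PREFIX + "Success",
    }


def classify(status: dict) -> str:
    """Map a parsed Status to what the SP should do with it.

    'success'       -> go on to validate the Assertion
    'access_denied' -> IdP refused this user; show a "no permission" page
    'error'         -> any other failure; log it and show a generic error
    """
    if status["success"]:
        return "success"
    codes = status["codes"]
    if codes[0] == STATUS_PREFIX + "Responder" and STATUS_PREFIX + "RequestDenied" in codes:
        return "access_denied"
    return "error"


if __name__ == "__main__":
    for name, doc in (("denied", DENIED_RESPONSE), ("success", SUCCESS_RESPONSE)):
        st = parse_status(doc)
        print(f"{name}: {st['short']} -> {classify(st)}")
```

The point of the classification is that a deny rule is working as designed when the SP sees Responder/RequestDenied; the only thing missing is handling on the SP side, since ADFS has already redirected the browser back to the ACS URL and will not keep the user on its login page.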