Channel: Claims based access platform (CBA), code-named Geneva forum

Group Filter on Incoming Claim


We are using AD FS 2.0 and have 6+ trusts with different claims-aware applications, in house and in the cloud. Recently we implemented SSO with SAP NetWeaver 7.0.3. The SSO works fine. Now I am trying to implement a group restriction so that only members of this group can access the application. However, during the sign-on process via the NWBC 4.0 client it just hangs on the login screen and nothing happens. I do get an event in AD FS:

The Federation Service could not authorize token issuance for caller 'XXX\XXXXXX'. The caller is not authorized to request a token for the relying party 'SG1'. Please see event 501 with the same instance id for caller identity.

Additional Data 
Instance id: e42f1682-e616-4e71-adf8-4ba9b992aa69 
Relying party: SG1 
Exception details: 
Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity XXX\XXXXX for relying party trust SG1.
   at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
   at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage) 
User Action 
Use the AD FS 2.0 Management snap-in to ensure that the caller is authorized to request a token for the relying party.

We expect that if the user is verified as a non-authorized user, he should be redirected to the login screen.

Work Done:

Refer to the attached document.

Any help is highly appreciated.

regards

AB
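The following is an added example, not code from the original post or its attachment, showing how the group restriction described above is normally expressed in AD FS 2.0: the relying party's issuance authorization rules are replaced so that a permit claim is issued only when the caller's Windows token carries a particular group SID, and an explicit deny is issued otherwise. The relying party name 'SG1' is taken from the event text; the group SID, the rule names and the use of the groupsid claim type are assumptions for illustration. When a caller is not a member, AD FS logs exactly the event 500 / MSIS5007 pair shown in the post, and event 501 with the same instance id lists the caller's identity, which is the place to check which group SIDs actually arrived in the pipeline.

```powershell
# Added example (not from the original post): restrict token issuance for the
# relying party 'SG1' to members of one AD group, using the AD FS 2.0 claim
# rule language through the Microsoft.Adfs.PowerShell snap-in.
# The group SID below is a placeholder; substitute the SID of your own group.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName   = 'SG1'
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'   # placeholder SID

# Show the current authorization rules first; a freshly created trust usually
# carries the default "Permit Access to All Users" rule, which must be replaced.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules

# Rule 1: a caller whose token contains the group SID gets a permit claim.
# Rule 2: any caller without that group SID gets an explicit deny claim, so the
#         refusal is decided and logged at the STS (event 500, MSIS5007) rather
#         than left to the application.
$rules = @"
@RuleName = "Permit members of the SG1 access group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "${groupSid}"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny everyone else"
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "${groupSid}"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Read the rules back to confirm the replacement took effect.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Two points worth checking after applying rules like these: first, the groupsid claims are only present for callers who authenticated to AD FS with their Windows credentials (integrated or forms authentication against AD), so a test with a member and a non-member of the group should show event 500 for the non-member only; second, AD FS returns the denial to the relying party in the protocol response, and what the user then sees (an error page, a redirect, or a hung login screen) is determined by how the relying party handles that response, not by AD FS.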

