We have an ADFS trust for Box login and we have created an Issuance Authorization Rule: a user will be permitted to provide claims only if the user is present in one security group. But we are facing an issue with this approach, since the group modifications are not being reflected even though AD is replicating perfectly fine. For example, if we remove a user from Box-allowed-group, the user is still not able to access Box for the next 1 to 2 hours. Whenever the user is trying to access within this time range we are getting Event ID 325.
Is this because of any built-in cache mechanism for the Issuance Authorization Rule?
Is there any way to fix this issue?
Event ID 325: The Federation Service could not authorize token issuance for caller 'DOMAIN\XXXX'. The caller is not authorized to request a token for the relying party 'box.net'. Please see event 501 with the same instance id for caller identity.
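As an added example (not from the original post or from Microsoft), the following PowerShell shows what a group-gated Issuance Authorization Rule looks like in AD FS claim rule language, reads the rule currently configured on the Box relying party trust, and pairs each Event 325 denial with the Event 501 caller-identity entry that shares its instance id so you can see whether the group SID claim was present when AD FS evaluated the rule. The relying party name 'box.net', the group SID, the 'AD FS/Admin' log name and the use of the event's ActivityId as the "instance id" are assumptions.

```powershell
# Added example, not from the original post. Assumes AD FS on Windows Server 2012 R2 or later
# (ADFS PowerShell module, "AD FS/Admin" log), a relying party trust named "box.net", and a
# placeholder SID for Box-allowed-group. The "instance id" that Event 325 tells you to look up
# in Event 501 is assumed to be the event's ETW ActivityId.
Import-Module ADFS

$RelyingParty = 'box.net'
$BoxGroupSid  = 'S-1-5-21-PLACEHOLDER-1234'   # replace with the real SID of Box-allowed-group

# 1. A group-gated Issuance Authorization Rule in AD FS claim rule language. Only a caller whose
#    claim set carries the group SID of Box-allowed-group is permitted; every other caller is
#    denied and AD FS logs Event 325 for the relying party.
$AuthzTemplate = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit members of Box-allowed-group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)__SID__$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@
$AuthzRule = $AuthzTemplate.Replace('__SID__', $BoxGroupSid)

# 2. Show the rule that is actually configured on the trust, to compare with the one above.
$Trust = Get-AdfsRelyingPartyTrust -Name $RelyingParty
Write-Host "Issuance Authorization Rules currently on '$RelyingParty':"
$Trust.IssuanceAuthorizationRules
# To apply the rule above after reviewing it:
# Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceAuthorizationRules $AuthzRule

# 3. Pair each Event 325 denial with its Event 501 caller-identity entry (same ActivityId) and
#    report whether the group SID claim was among the claims AD FS evaluated. A denial whose
#    501 entry lacks the SID although the user is in the group points at stale group data
#    reaching AD FS rather than at the rule text itself.
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 325, 501 } -MaxEvents 500
foreach ($grp in ($Events | Group-Object -Property ActivityId)) {
    $denied = $grp.Group | Where-Object Id -eq 325 | Select-Object -First 1
    $caller = $grp.Group | Where-Object Id -eq 501 | Select-Object -First 1
    if ($denied -and $caller) {
        [pscustomobject]@{
            Time        = $denied.TimeCreated
            ActivityId  = $grp.Name
            Denial      = ($denied.Message -split "`r?`n")[0]
            SidInClaims = [bool]($caller.Message -match [regex]::Escape($BoxGroupSid))
        }
    }
}
```

Run it on the AD FS server as a user who can read the AD FS admin log and the relying party trust configuration.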