Hi,
Can you give a bit more background on your federation configuration? What does your federation URL look like (i.e. who is the Identity Provider, who is the Service Provider, etc.), the one you are calling? Who responds to you that the user is not authorized: is it the Identity Provider or the Service Provider? I believe a user may not be authorized to access a specific resource for many different reasons (and it certainly depends on the Service Provider with which you configured federation): for example, an assertion cannot be generated for whatever reason, the user is not authorized to access specific protected URIs, a SAML assertion is NOT valid (e.g. the validity period has passed), the user identity could not be determined from a SAML assertion, a SAML assertion is not accepted by the Service Provider because the issuer is NOT trusted, etc.
For federation to work, you also protect /affwebservices/redirectjsp/. Is there a policy that also allows the members of this group to access federation services?
As Hubert said, it's best to check your SSO traces.
Regards,
Russi
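The rejection reasons listed in the reply above (validity period passed, issuer not trusted, identity not determinable from the assertion) are the checks a Service Provider applies to an incoming SAML assertion. The following is an added example, not code from the thread or from any vendor's product, that runs those three checks over two constructed assertions so you can see which reason each one trips. The trusted issuer URL and the assertion contents are made-up sample values; the XML signature check that a real Service Provider also performs is deliberately out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical set of issuers this Service Provider trusts (constructed value).
TRUSTED_ISSUERS = {"https://idp.example.com/idp"}


def parse_saml_time(value):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2024-01-01T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, trusted_issuers=TRUSTED_ISSUERS):
    """Return the list of reasons the SP would reject this assertion (empty list = accepted).

    Covers only the conditions named in the reply: issuer trust, validity window and
    subject identity. Signature verification is NOT done here and must be added in any
    real deployment.
    """
    problems = []
    root = ET.fromstring(xml_text)

    # 1. Issuer must be one we have a federation partnership with.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        problems.append(f"issuer not trusted: {issuer!r}")

    # 2. Validity window: NotBefore <= now < NotOnOrAfter.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= parse_saml_time(not_on_or_after):
            problems.append("assertion validity has passed")

    # 3. The SP must be able to derive a user identity from the Subject.
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        problems.append("user identity could not be determined (no NameID)")

    return problems


def _assertion(issuer, not_before, not_on_or_after, name_id):
    # Builds a minimal constructed (unsigned) assertion for the demonstration.
    subject = f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>" if name_id else ""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" Version="2.0" ID="_demo">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"{subject}"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        f"</saml:Assertion>"
    )


# Constructed sample: the SP evaluates both assertions at 00:05 UTC.
NOW = datetime(2024, 1, 1, 0, 5, 0, tzinfo=timezone.utc)

GOOD = _assertion("https://idp.example.com/idp",
                  "2024-01-01T00:00:00Z", "2024-01-01T00:10:00Z", "jdoe")
BAD = _assertion("https://rogue-idp.example.net/idp",
                 "2024-01-01T00:00:00Z", "2024-01-01T00:03:00Z", "")


def demo():
    """Returns (reasons for GOOD, reasons for BAD) so the outcome can be inspected."""
    return check_assertion(GOOD, NOW), check_assertion(BAD, NOW)


if __name__ == "__main__":
    good, bad = demo()
    print("GOOD assertion:", good or "accepted")
    print("BAD assertion:", bad)
```

The BAD assertion trips all three reasons at once (untrusted issuer, expired window, missing NameID), which is the kind of detail an SSO trace on the Service Provider side would show you; the "not authorized" message a user sees usually hides which of them actually fired.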