diff --git a/bwreg-service/src/main/java/edu/kit/scc/webreg/service/saml/SamlIdpServiceImpl.java b/bwreg-service/src/main/java/edu/kit/scc/webreg/service/saml/SamlIdpServiceImpl.java
index fa695395a8c77d4f4720402ca9bea515549464f6..59299521fa3cf49fef108d9d0c12f3efddf8ca84 100644
--- a/bwreg-service/src/main/java/edu/kit/scc/webreg/service/saml/SamlIdpServiceImpl.java
+++ b/bwreg-service/src/main/java/edu/kit/scc/webreg/service/saml/SamlIdpServiceImpl.java
@@ -266,9 +266,12 @@ public class SamlIdpServiceImpl implements SamlIdpService {
 					} else {
 						/*
 						 * There is no service set for this sp idp connection
-						 * TODO Check for authorization 
 						 */
 						filteredServiceSamlSpEntityList.add(serviceSamlSpEntity);
+						List<String> unauthorizedList = knowledgeSessionService.checkScriptAccess(serviceSamlSpEntity.getScript(), identity);
+						if (unauthorizedList.size() > 0) {
+							return "/user/saml-access-denied.xhtml?soidc=" + serviceSamlSpEntity.getId();
+						}						
 					}
 				} else {
 					logger.debug("serviceSamlSpEntity no match: {}", serviceSamlSpEntity.getId());
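Review bot: The new call passes `serviceSamlSpEntity.getScript()` to `checkScriptAccess` without a null check, while `SamlAccessDeniedBean.checkServiceAccess()` in this same commit treats a null script as a normal case. Whether `checkScriptAccess` tolerates null is not visible here, so I would wrap the check in `if (serviceSamlSpEntity.getScript() != null) { … }` to make the behaviour for script-less SPs explicit. The entity is also added to `filteredServiceSamlSpEntityList` before it is authorized; moving `filteredServiceSamlSpEntityList.add(serviceSamlSpEntity);` below the check keeps denied entries out of the list if the early return is ever changed. The second hunk drops `TODO Also check script access rule?` from `checkRules` without adding a script check there, so the branch with a service set appears to rely on `checkServiceAccessRule` alone, which is worth confirming as intended. The enclosing method starts and ends outside this hunk.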
@@ -605,9 +608,6 @@ public class SamlIdpServiceImpl implements SamlIdpService {
 	}
 
 	private List<Object> checkRules(UserEntity user, ServiceEntity service, RegistryEntity registry) {
-		/*
-		 * TODO Also check script access rule? 
-		 */
 		return knowledgeSessionService.checkServiceAccessRule(user, service, registry, "user-self", false);
 	}
 
diff --git a/bwreg-webapp/src/main/java/edu/kit/scc/webreg/bean/SamlAccessDeniedBean.java b/bwreg-webapp/src/main/java/edu/kit/scc/webreg/bean/SamlAccessDeniedBean.java
new file mode 100644
index 0000000000000000000000000000000000000000..d474d44de6e1cc39969ce6226c969ae4aa9712b1
--- /dev/null
+++ b/bwreg-webapp/src/main/java/edu/kit/scc/webreg/bean/SamlAccessDeniedBean.java
@@ -0,0 +1,95 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Michael Simon.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the GNU Public License v3.0
+ * which accompanies this distribution, and is available at
+ * http://www.gnu.org/licenses/gpl.html
+ * 
+ * Contributors:
+ *     Michael Simon - initial
+ ******************************************************************************/
+package edu.kit.scc.webreg.bean;
+
+import java.io.Serializable;
+import java.util.List;
+
+import edu.kit.scc.webreg.entity.ServiceSamlSpEntity;
+import edu.kit.scc.webreg.entity.identity.IdentityEntity;
+import edu.kit.scc.webreg.service.ServiceSamlSpService;
+import edu.kit.scc.webreg.service.drools.KnowledgeSessionService;
+import edu.kit.scc.webreg.service.identity.IdentityService;
+import edu.kit.scc.webreg.session.SessionManager;
+import edu.kit.scc.webreg.util.FacesMessageGenerator;
+import jakarta.faces.event.ComponentSystemEvent;
+import jakarta.faces.view.ViewScoped;
+import jakarta.inject.Inject;
+import jakarta.inject.Named;
+
+@Named
+@ViewScoped
+public class SamlAccessDeniedBean implements Serializable {
+
+	private static final long serialVersionUID = 1L;
+
+	private IdentityEntity identity;
+	private ServiceSamlSpEntity serviceSamlSpEntity;
+
+	private Long id;
+
+	private boolean initialized = false;
+
+	private Boolean accessProblem = false;
+
+	@Inject
+	private FacesMessageGenerator messageGenerator;
+
+	@Inject
+	private SessionManager sessionManager;
+
+	@Inject
+	private IdentityService identityService;
+
+	@Inject
+	private KnowledgeSessionService knowledgeSessionService;
+
+	@Inject
+	private ServiceSamlSpService serviceSpSamlService;
+
+	public void preRenderView(ComponentSystemEvent ev) {
+		if (!initialized) {
+			serviceSamlSpEntity = serviceSpSamlService.fetch(getId());
+			identity = identityService.fetch(sessionManager.getIdentityId());
+
+			checkServiceAccess();
+		}
+	}
+
+	private void checkServiceAccess() {
+
+		if (serviceSamlSpEntity.getScript() != null) {
+			List<String> unauthorizedList = knowledgeSessionService.checkScriptAccess(serviceSamlSpEntity.getScript(),
+					identity);
+
+			for (String s : unauthorizedList) {
+				messageGenerator.addResolvedErrorMessage("reqs", "error", s, true);
+				accessProblem = true;
+			}
+		}
+	}
+
+	public Long getId() {
+		return id;
+	}
+
+	public void setId(Long id) {
+		this.id = id;
+	}
+
+	public Boolean getAccessProblem() {
+		return accessProblem;
+	}
+
+	public ServiceSamlSpEntity getServiceSamlSpEntity() {
+		return serviceSamlSpEntity;
+	}
+}
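Review bot: `preRenderView` fetches the SP entity by an `id` that comes straight from the `soidc` request parameter, and `checkServiceAccess()` then calls `serviceSamlSpEntity.getScript()` with no check that the fetch found anything. A missing or unknown id would presumably end in a NullPointerException rather than a denial page (assuming `fetch` returns null in that case, which is not visible here). I would add `if (serviceSamlSpEntity == null || identity == null) { accessProblem = true; return; }` before the call to `checkServiceAccess()`. The `initialized` flag is read but never set, so the guard has no effect; either add `initialized = true;` at the end of the `if` body or remove the field. Since the id is caller-supplied, the page also shows the display name of whichever SP id is requested, so it is worth deciding whether that lookup should be limited to the SP of the current login request.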
diff --git a/bwreg-webapp/src/main/webapp/user/saml-access-denied.xhtml b/bwreg-webapp/src/main/webapp/user/saml-access-denied.xhtml
new file mode 100644
index 0000000000000000000000000000000000000000..408e03df225fe70d2ba47ad215a22256007161e5
--- /dev/null
+++ b/bwreg-webapp/src/main/webapp/user/saml-access-denied.xhtml
@@ -0,0 +1,48 @@
+<?xml version='1.0' encoding='UTF-8' ?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml"
+	xmlns:f="jakarta.faces.core"
+	xmlns:h="jakarta.faces.html"
+	xmlns:ui="jakarta.faces.facelets"
+	xmlns:bw="http://www.scc.kit.edu/bwfacelets"
+	xmlns:p="http://primefaces.org/ui"
+	xmlns:of="http://omnifaces.org/functions">
+<head>
+<title></title>
+</head>
+<body>
+<f:view>
+	<f:metadata>
+		<f:viewParam name="soidc" value="#{samlAccessDeniedBean.id}"/>
+		<f:event type="jakarta.faces.event.PreRenderViewEvent"
+            listener="#{samlAccessDeniedBean.preRenderView}" />
+	</f:metadata>
+
+
+<ui:composition template="/template/default.xhtml">
+	<ui:param name="title" value="#{messages.title}"/>
+
+	<ui:define name="content">
+
+		<p:panel header="#{messages.access_check}: #{samlAccessDeniedBean.serviceSamlSpEntity.sp.displayName}" rendered="#{samlAccessDeniedBean.accessProblem}" 
+				styleClass="text full">
+			<div style="margin-top: 4px;">
+				<h:outputText value="#{messages.requirements_unsatisfied}" />
+			</div>
+			<p:messages id="messageBoxReqs" for="reqs" showDetail="true" />
+		</p:panel>	
+		<p:panel header="#{messages.access_check}: #{samlAccessDeniedBean.serviceSamlSpEntity.sp.displayName}" rendered="#{not samlAccessDeniedBean.accessProblem}"
+				styleClass="text full">
+			<div style="margin-top: 4px;">
+				<h:outputText value="#{messages.requirements_met}" />
+			</div>
+			<p:messages id="messageBoxReqsMet" for="reqs" showDetail="true" />
+		</p:panel>	
+		
+	</ui:define>
+</ui:composition>
+
+</f:view>
+</body>
+</html>
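Review bot: The second `p:panel` shows `#{messages.requirements_met}` whenever `accessProblem` is false, and in `SamlAccessDeniedBean` that is also the state when the SP has no script and no check ran, so the page can report requirements as met without having evaluated anything. I would tie it to an actual evaluation, for example `rendered="#{not samlAccessDeniedBean.accessProblem and samlAccessDeniedBean.serviceSamlSpEntity.script ne null}"`. The `soidc` view parameter also has no `required="true"`, so a request without it reaches the listener with a null id. The PreRenderView listener still runs after a failed validation, so `preRenderView` has to tolerate a null id in any case.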