Symantec Access Management
  • 1.  Federation 400 Error Windows/ARR/Tomcat

    Posted Apr 07, 2017 01:22 PM

    I have the latest 12.52 IIS Web Agent and 12.52 WAOP installed on a Windows 2012 R2 server. I am using IIS 8.5, Application Request Routing (ARR) 3, and Tomcat 7. I've configured federation as outlined in the documents for the Windows Web Agent and Tomcat. This is a bit of a unique setup, but this is what I am working with.


    ARR is set up to rewrite the incoming traffic to the /affwebservices directory in Tomcat. I get the proper response from /affwebservices/attributeretriever, but when I authenticate into my federated URL I get a blank page and a 400 error. The URL of the blank page is {host_name}//affwebservices/redirectjsp/redirect.jsp?SAMLRequest=xyz...


    We are not using the session store and shouldn't need it. I tried enabling it and it had no effect.


    Has anyone seen this behavior before? Has anyone tried this configuration (or similar) before? 




  • 2.  Re: Federation 400 Error Windows/ARR/Tomcat
    Best Answer

    Posted Apr 07, 2017 02:02 PM
    I found I wasn't digging deep enough. I needed to bump up the maxHttpHeaderSize in the Tomcat server.xml file. That resolved the issue.

  • 3.  Re: Federation 400 Error Windows/ARR/Tomcat

    Posted Apr 07, 2017 02:23 PM

    See you got it solved, but I use a similar setup as well with Web Agent + WAOP on IIS 8.5 -- AJP Connector --> Tomcat. ARR isn't used to rewrite since it's on the same server; it just uses the isapi_redirect.dll to route traffic into Tomcat.


    So far it's been just peachy using that connector though. Using both SAML 2.0 and OAuth. 


    We did have to adjust some size limits though as well to get everything going.
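    The two size limits these replies refer to, shown side by side in a Tomcat 7 conf/server.xml excerpt. This is an added example, not a file from the thread: the port numbers, the 32768 value and the worker name are assumptions; the 8192-byte default and the 65536 AJP ceiling are Tomcat's documented limits. Size the buffer to your largest SAML redirect-binding request rather than the maximum, since the buffer is allocated per connection.

```xml
<!-- conf/server.xml excerpt (constructed example). Tomcat returns 400 with an
     empty body when the request line plus headers exceed the connector's
     header buffer, which is exactly what a long deflated+base64 SAMLRequest
     in the redirect.jsp query string does at the 8192-byte default. -->
<Service name="Catalina">

  <!-- Before (the failing setup): no maxHttpHeaderSize attribute, so the
       HTTP connector uses the 8192-byte default.
         <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  -->

  <!-- After: raise the header buffer. Value in bytes; 32768 is an assumed
       size that comfortably fits a typical SAML 2.0 AuthnRequest URL. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443"
             maxHttpHeaderSize="32768" />

  <!-- AJP connector, as in the isapi_redirect.dll setup above. Here the
       equivalent limit is the AJP packet size (default 8192, hard maximum
       65536). The IIS side must be raised to the same value in
       workers.properties or the redirector still truncates the request:
         worker.ajp13w.max_packet_size=32768
       ("ajp13w" is an assumed worker name.) -->
  <Connector port="8009" protocol="AJP/1.3"
             redirectPort="8443"
             packetSize="32768" />

</Service>
```

After changing either connector, restart Tomcat and confirm the SSO URL with the full SAMLRequest returns the redirect page rather than a 400.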

  • 4.  Re: Federation 400 Error Windows/ARR/Tomcat

    Posted May 06, 2019 11:43 AM

    I am also seeing this issue, but I believe my Tomcat 7 is using the HTTP connector instead of the AJP connector since it's just an OOTB install. I also can get the assertion retriever to work but not an actual SSO service URL, as these will just 404.