Symantec Access Management

I have the latest 12.52 IIS Web Agent and 12.52 WAOP installed on a Windows 2012 R2 server. I am using IIS 8.5, Application Request Routing (ARR) 3, and Tomcat 7. I've configured federation as outlined in the documents for the Windows Web Agent and Tomcat. This is a bit of a unique setup, but this is what I am working with.

ARR is setup to rewrite the incomming traffic to the /affwebservices directory in Tomcat.  I get the proper response from /affwebservices/attributeretriever, but when I authenticate into my federated URL I get a blank page and a 400 error. The URL of the blank page is {host_name}//affwebservices/redirectjsp/redirect.jsp?SAMLRequest=xyz...

We are not using the session store and shouldn't need it. I tried enabling it and it had no effect.

Has anyone seen this behavior before? Has anyone tried this configuration (or similar) before? 

Thanks!

Eric

I found I wasn't digging deep enough. I needed to bump up the maxHttpHeaderSize in the Tomcat server.xml file. That resolved the issue.

See you got it solved, but  I use a similar setup as well with Web Agent + WAOP on IIS 8.5 -- AJP Connector --> Tomcat. ARR isn't used to rewrite since it's on the same server, just uses the isapi_redirect.dll to route traffic into Tomcat.

So far it's been just peachy using that connector though. Using both SAML 2.0 and OAuth. 

We did have to adjust some size limits though as well to get everything going.

I am also seeing this issue but I believe my tomcat 7 is using the HTTP connector instead of the AJP connector since its just an OOTB install. I also can get the assertion retriever to work but not an actual SSO service URL as these will just 404.