Hi Duc,
It looks like this is a problem on IIS. According to the following KD,
there's a parameter to configure to fix it.
404 error with login.fcc with SP Initiated SAML 2.0
Customer receiving 404.15. This means "The Request Filtering module
rejected a request with a too long query string"
To fix this we need to increase the value for maxQueryString, which
has a default value of 2048 - customer's query string was 2,248
bytes.
To do this, edit IIS' Web.config:
<system.webServer>
  <security>
    <requestFiltering>
      <requestLimits maxQueryString="4096"/>
    </requestFiltering>
  </security>
</system.webServer>
https://knowledge.broadcom.com/external/article?articleId=101617
I hope this helps,
Best Regards,
Patrick
Original Message:
Sent: 03-24-2020 02:41 PM
From: Duc Tran
Subject: IWA auth scheme - browser redirect URL maximum characters exceeded for IIS (HTTP 404.15)
We implemented SAML SSO with a new SaaS partner which requires SAML SP initiated. The problem that we are running into is that our users would request a particular URL at the SP side, which sometimes could be an extremely long URL, and the SAML SP would save that long URL as the RelayState and then create a SAMLRequest and POST this to our SiteMinder SAML IDP.
The HTTP POST to /siteminder/affwebservices/public/saml2sso would contain the SAMLRequest parameter along with RelayState in the URL, which at this point would be close to 2000 characters long. SiteMinder then redirects the browser to the IWA auth scheme and will append a bunch of other URL parameters such as agentname and SMPORTALURL to the URL query string. At this point the entire URL is at least 2500 characters long, which exceeds the IIS limit of 2048 characters, and hence we get an HTTP 404.15 error. We could increase the IIS maximum URL or query string limit, but Internet Explorer has a maximum URL character limit of 2083 characters.
Below is an example of one of the URLs generated from this request, which then gets an HTTP 404.15 error from the IWA IIS web server:
/siteminderagent/ntlm/creds.ntc CHALLENGE=&SMAGENTNAME=-SM-XpJlD4uT6Qk3H4o4ir%2bwD2cS%2fBRACvWHxa2ozlUqezkQwjLsECRXEjmHo2sCUivi&TARGET=-SM-HTTP%3a%2f%2ffedsvcint%2eregence%2ecom%2faffwebservices%2fredirectjsp%2fiwa_regence_redirect%2ejsp%3fSAMLRequest%3dnVNNj9owEL3vr0C5hyRQxGJBJAr9QKIQAe2hl2pwJruWEjv1OIT993Vs6KKqS6X6kMjjmTfvPY-%2BnBFVZs3ljnuUOfzZI5qFn17kqJTF3OAsaLZkCEsQkVEjMcLaff1mzQT9mtVZGcVUGf5TdrwIi1EYo6ctWy1mw3XxYbz-%2BtNj-%2FGR0iGCI-%2FHxzHn4xiKfAJJPh7gZJIUkPARjEb4Lua-%2B9BtqsjizwMJewIgaXEkyII0Nx4M4jIdhPDnECYvHbDj67vOWVquQYFz1szE1sSgqMKcTF9L0NT6h5NjnqoqgKFo8WsonwZGiujmWgkedzAGR8nDZxYj3QuZCPt3Xf-%2FRJxD4fDlmYbfcHDzK-%2F-%2BrJQkpoK9d73-%2FLpbv3IkKLBfoSwVIW-%2B0MC-%2BOZBc-%2BCWxDsJcZdmRRO44eOnXfaRdgziKd-%2Fi9gVKGBHAxMo1u41wY121jJq2WmrE8vLt6tj0pXYN52JuknLiLysHCprJFUIxeFwDz4DTMvS9UuNILBWWB0g0Ev8s2v3S-%2BTjLmba-%2BulwbPpLVRVgxbU3TeegZsg9XbcZi1KO5s7LNKOpJ0G1G5CWOcBSiO437b2AlVLFwP-%2BCvAP7DefBme8y7PhzP5apfN7XZzq6I7s9OF6fPvI018-%3D%26RelayState%3dVFRTR2RbkftiNjn8CkuLiqmF5tC--MdEy2cLwBRzYt5uxo--grBKTYRivEu6qtTclfKHiiV3PmWxzdW9a55I5ULX8ytniaK5ud4rV9sgUyKhGH3R0lgOHaFU9hJozWtIILPIkZXrP_SS88f2nOfslFkgC5BCKM5OoQ9--bILwy--40wUfQik6qcCs--Six24m_VIjIdcHLPMgqLekxlqs53iPmZpzYN5iTch1gGs12CL8PoFisNNiFklvXehvhSgr0NS869sdmHa9U_RPApU_gWYcSgV3--a1EKc--ItlVM5Kj_APEkKe0JdXEYQCnKv89UpiZ4jJ0Q--VPRmpzkkqPOhXluTKczhnbZpD8AiQn_tGlF35exFfCL52cQy6PKl5_pwVWacZH--EEcH3Dz47m2ueX0X0hWlRJc0JLYpry1nKIoQUnRUWbFvogXujl8H5rev_CXx98REsrmJcXOf2fh7Yhj_7AyTibg--TOpJsyZ8z55gJi5VIBUp6kGYWNOHu8hHNAffAvsv2P_MetWPz3n2U1NZcCteecQW82bY--YlAs5c2AFguFHcueFUAiiDobzSc--hm3J4GlOoM3VZ_ZVR8ck7Siv011TFStX18BGsTiAoSjWPTsXmOjdxO97u4cJGwLln0_mUkiS2bUbH73--sWji86LH--rwSQikTLAJJGDhtNnaKdvH0ur8--yqMCh157mqcbFaNpRR_Yu8gt41vH1QlCVuQsk6OjNlLDWq8wMxi--Mr1HyASK3Js6fziDDZzNMdYhGQmL34iesllIGjNf9brDZjVVgheiYU--Tacc3E05SjOJnIWsMcEJ_emlJNQ8F78fyoUoYBZBi3L1Ow5cXoMrcqIS6EW6KvOZQjctbz8R6t1S9--KdM8pCSo4PziKGKEBuCgeRkOCS0LiQR--w_iRLe_FiHYN5VhbwO--eRjOMhb--IJhuWFwJiVpe94g2oMvL_L3Aq0oxGTdaAFJcNtXXBl--PpSTFEYeCsFecQd--uraMcLmg2zS_FMrzBQ--iF1I7OxU
9yAOqHppXwP6--mmq0_4KMoMkz0qcxkzRab--9GfOYi4IB92YePw5qt--zl0HB8ceMG9Gt09%26SMPORTALURL%3dhttps-%3A-%2F-%2Ffedsvcint%2eregence%2ecom-%2Faffwebservices-%2Fpublic-%2Fsaml2sso%26SAMLTRANSACTIONID%3d116bde1a--28b7220b--e040e3da--5f65876a--281723f0--1d 20001 - 10.22.148.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/80.0.3987.132+Safari/537.36
We would very much appreciate any kind of resolution that folks could think of to resolve this issue.
Thanks in advance,
@Legacy User Hi Hubert, any advice you can provide for me on this issue?
Duc,
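
Added example, not part of either message or the KB article: a Python sketch that reads maxQueryString from a web.config and sizes it against the query strings IIS actually rejected with 404.15 in a W3C log. The log rows, the IP address, the column subset and the 256-byte headroom are constructed assumptions; only the 2048 default, the 4096 setting and the 2,248-byte query come from the thread.

```python
import xml.etree.ElementTree as ET

IIS_DEFAULT_MAX_QUERY_STRING = 2048  # default quoted in the KB article above

# Constructed inputs: the KB's web.config fragment and a two-row W3C log whose
# first query string is 2,248 bytes (the size the KB reports).
KB_WEB_CONFIG = """<configuration><system.webServer><security><requestFiltering>
<requestLimits maxQueryString="4096"/>
</requestFiltering></security></system.webServer></configuration>"""
LONG_QUERY = "CHALLENGE=&TARGET=" + "A" * 2230
SAMPLE_LOG = "\n".join([
    "#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status sc-substatus",
    f"2020-03-24 14:41:00 GET /siteminderagent/ntlm/creds.ntc {LONG_QUERY} 20001 198.51.100.7 404 15",
    "2020-03-24 14:41:05 GET /siteminderagent/ntlm/creds.ntc CHALLENGE=&TARGET=short 20001 198.51.100.7 200 0",
])

def configured_limit(web_config_xml):
    """Return requestLimits/@maxQueryString, or the IIS default when unset."""
    for node in ET.fromstring(web_config_xml).iter("requestLimits"):
        if node.get("maxQueryString") is not None:
            return int(node.get("maxQueryString"))
    return IIS_DEFAULT_MAX_QUERY_STRING

def rejected_queries(log_text):
    """Return (uri_stem, query_bytes) for every row logged as HTTP 404.15."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order comes from the log itself
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split(" ")))
            if (row.get("sc-status"), row.get("sc-substatus")) == ("404", "15"):
                query = row.get("cs-uri-query", "-")
                size = 0 if query == "-" else len(query.encode("utf-8"))
                hits.append((row.get("cs-uri-stem"), size))
    return hits

def required_limit(hits, headroom=256):
    """Largest rejected query plus headroom (the margin is an assumed value)."""
    return max(size for _, size in hits) + headroom if hits else IIS_DEFAULT_MAX_QUERY_STRING

if __name__ == "__main__":
    hits = rejected_queries(SAMPLE_LOG)
    print("rejected:", hits)
    print("configured:", configured_limit(KB_WEB_CONFIG), "needed:", required_limit(hits))
```

Deriving the value from logged rejections keeps the Request Filtering limit as tight as the SAML flow allows instead of raising it to an arbitrary round number.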