Symantec Access Management

  • 1.  IWA auth scheme - browser redirect URL maximum characters exceeded for IIS (HTTP 404.15)

    Posted Mar 24, 2020 02:42 PM
    Edited by Duc Tran Mar 30, 2020 11:58 AM
    We implemented SAML SSO with a new SaaS partner which requires SP-initiated SAML.  The problem that we are running into is that our users would request a particular URL at the SP side, which sometimes could be an extremely long URL, and the SAML SP would save that long URL as the RelayState and then create a SAMLRequest and POST this to our SiteMinder SAML IDP.

    The HTTP POST to /siteminder/affwebservices/public/saml2sso would contain the SAMLRequest parameter along with RelayState in the URL, which at this point would be close to 2000 characters long.  SiteMinder then redirects the browser to the IWA auth scheme and appends a bunch of other URL parameters such as agentname and SMPORTALURL to the URL query string.  At this point the entire URL is at least 2500 characters long, which exceeds the IIS limit of 2048 characters, and hence we get an HTTP 404.15 error.  We could increase the IIS maximum URL or query string limit, but Internet Explorer has a maximum URL character limit of 2083 characters.

    Below is an example of one of the URLs generated from this request, which then gets an HTTP 404.15 error from the IWA IIS web server:

    /siteminderagent/ntlm/creds.ntc CHALLENGE=&SMAGENTNAME=-SM-XpJlD4uT6Qk3H4o4ir%2bwD2cS%2fBRACvWHxa2ozlUqezkQwjLsECRXEjmHo2sCUivi&TARGET=-SM-HTTP%3a%2f%2ffedsvcint%2eregence%2ecom%2faffwebservices%2fredirectjsp%2fiwa_regence_redirect%2ejsp%3fSAMLRequest%3dnVNNj9owEL3vr0C5hyRQxGJBJAr9QKIQAe2hl2pwJruWEjv1OIT993Vs6KKqS6X6kMjjmTfvPY-%2BnBFVZs3ljnuUOfzZI5qFn17kqJTF3OAsaLZkCEsQkVEjMcLaff1mzQT9mtVZGcVUGf5TdrwIi1EYo6ctWy1mw3XxYbz-%2BtNj-%2FGR0iGCI-%2FHxzHn4xiKfAJJPh7gZJIUkPARjEb4Lua-%2B9BtqsjizwMJewIgaXEkyII0Nx4M4jIdhPDnECYvHbDj67vOWVquQYFz1szE1sSgqMKcTF9L0NT6h5NjnqoqgKFo8WsonwZGiujmWgkedzAGR8nDZxYj3QuZCPt3Xf-%2FRJxD4fDlmYbfcHDzK-%2F-%2BrJQkpoK9d73-%2FLpbv3IkKLBfoSwVIW-%2B0MC-%2BOZBc-%2BCWxDsJcZdmRRO44eOnXfaRdgziKd-%2Fi9gVKGBHAxMo1u41wY121jJq2WmrE8vLt6tj0pXYN52JuknLiLysHCprJFUIxeFwDz4DTMvS9UuNILBWWB0g0Ev8s2v3S-%2BTjLmba-%2BulwbPpLVRVgxbU3TeegZsg9XbcZi1KO5s7LNKOpJ0G1G5CWOcBSiO437b2AlVLFwP-%2BCvAP7DefBme8y7PhzP5apfN7XZzq6I7s9OF6fPvI018-%3D%26RelayState%3dVFRTR2RbkftiNjn8CkuLiqmF5tC--MdEy2cLwBRzYt5uxo--grBKTYRivEu6qtTclfKHiiV3PmWxzdW9a55I5ULX8ytniaK5ud4rV9sgUyKhGH3R0lgOHaFU9hJozWtIILPIkZXrP_SS88f2nOfslFkgC5BCKM5OoQ9--bILwy--40wUfQik6qcCs--Six24m_VIjIdcHLPMgqLekxlqs53iPmZpzYN5iTch1gGs12CL8PoFisNNiFklvXehvhSgr0NS869sdmHa9U_RPApU_gWYcSgV3--a1EKc--ItlVM5Kj_APEkKe0JdXEYQCnKv89UpiZ4jJ0Q--VPRmpzkkqPOhXluTKczhnbZpD8AiQn_tGlF35exFfCL52cQy6PKl5_pwVWacZH--EEcH3Dz47m2ueX0X0hWlRJc0JLYpry1nKIoQUnRUWbFvogXujl8H5rev_CXx98REsrmJcXOf2fh7Yhj_7AyTibg--TOpJsyZ8z55gJi5VIBUp6kGYWNOHu8hHNAffAvsv2P_MetWPz3n2U1NZcCteecQW82bY--YlAs5c2AFguFHcueFUAiiDobzSc--hm3J4GlOoM3VZ_ZVR8ck7Siv011TFStX18BGsTiAoSjWPTsXmOjdxO97u4cJGwLln0_mUkiS2bUbH73--sWji86LH--rwSQikTLAJJGDhtNnaKdvH0ur8--yqMCh157mqcbFaNpRR_Yu8gt41vH1QlCVuQsk6OjNlLDWq8wMxi--Mr1HyASK3Js6fziDDZzNMdYhGQmL34iesllIGjNf9brDZjVVgheiYU--Tacc3E05SjOJnIWsMcEJ_emlJNQ8F78fyoUoYBZBi3L1Ow5cXoMrcqIS6EW6KvOZQjctbz8R6t1S9--KdM8pCSo4PziKGKEBuCgeRkOCS0LiQR--w_iRLe_FiHYN5VhbwO--eRjOMhb--IJhuWFwJiVpe94g2oMvL_L3Aq0oxGTdaAFJcNtXXBl--PpSTFEYeCsFecQd--uraMcLmg2zS_FMrzBQ--iF1I7OxU9yAOqHppXwP6--mmq0_4KMoMkz0qcxkzRab--9GfOYi4IB92YePw5qt--zl0HB8ceMG9Gt09%26SMPORTALURL%3dhttps-%3A-%2F-%2Ffedsvcint%2eregence%2ecom-%2Faffwebservices-%2Fpublic-%2Fsaml2sso%26SAMLTRANSACTIONID%3d116bde1a--28b7220b--e040e3da--5f65876a--281723f0--1d 20001 - 10.22.148.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/80.0.3987.132+Safari/537.36


    We would very much appreciate any kind of resolution that folks could think of to resolve this issue. 

    Thanks in advance,
    @Legacy User Hi Hubert, any advice you can provide for me on this issue?
    Duc,
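An added check, not part of this thread, that measures where the length of such a redirect goes. It takes the IIS cs-uri-stem and cs-uri-query fields of one request (the shape logged above), compares them against the 2048-character IIS maxQueryString default and the 2083-character Internet Explorer URL limit mentioned in the thread, and decodes the TARGET parameter once (stripping the -SM- prefix seen in the logged URL) to show how much of the budget the SP's SAMLRequest and RelayState consume. The host name idp.example.test, the padding characters and the transaction id in the sample are constructed, not a real capture.

```python
from urllib.parse import quote, unquote, urlsplit

# Limits discussed in the thread. The IIS value is the default of
# system.webServer/security/requestFiltering/requestLimits@maxQueryString.
IIS_DEFAULT_MAX_QUERY = 2048
IE_MAX_URL = 2083


def raw_param(query: str, name: str) -> str:
    """Return the still-encoded value of `name` from a query string ("" if absent)."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return ""


def param_lengths(query: str) -> dict:
    """Length in characters, as sent on the wire, of each parameter's value."""
    if not query:
        return {}
    lengths = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        lengths[key] = len(value)
    return lengths


def analyze_redirect(stem: str, query: str,
                     max_query: int = IIS_DEFAULT_MAX_QUERY,
                     max_url: int = IE_MAX_URL) -> dict:
    """Check one IWA redirect (IIS cs-uri-stem and cs-uri-query) against the
    IIS query-string limit and the browser URL limit, and attribute the length
    to the parameters SiteMinder adds and to the SP parameters nested in TARGET."""
    url_len = len(stem) + 1 + len(query)          # "?" joins stem and query
    target = raw_param(query, "TARGET")
    if target.startswith("-SM-"):                 # prefix seen on the logged URL
        target = target[len("-SM-"):]
    # TARGET carries the original request URL-encoded once; decode it to see
    # how much of the budget SAMLRequest and RelayState consume.
    nested = param_lengths(urlsplit(unquote(target)).query)
    return {
        "query_length": len(query),
        "url_length": url_len,
        "exceeds_iis_max_query": len(query) > max_query,
        "exceeds_browser_max_url": url_len > max_url,
        "top_level": param_lengths(query),
        "inside_target": nested,
    }


def build_sample_redirect(request_len: int = 1200, relay_len: int = 600) -> tuple:
    """Constructed sample in the shape of the thread's redirect; the host name,
    padding characters and transaction id are made up, not a real capture."""
    inner = ("http://idp.example.test/affwebservices/redirectjsp/iwa_redirect.jsp"
             f"?SAMLRequest={'A' * request_len}&RelayState={'R' * relay_len}")
    query = ("CHALLENGE=&SMAGENTNAME=-SM-" + "G" * 64
             + "&TARGET=-SM-" + quote(inner, safe="")
             + "&SMPORTALURL="
             + quote("https://idp.example.test/affwebservices/public/saml2sso", safe="")
             + "&SAMLTRANSACTIONID=" + "0123abcd--" * 4)
    return "/siteminderagent/ntlm/creds.ntc", query


if __name__ == "__main__":
    stem, query = build_sample_redirect()
    for max_query in (IIS_DEFAULT_MAX_QUERY, 4096):
        report = analyze_redirect(stem, query, max_query=max_query)
        print(f"maxQueryString={max_query}: query={report['query_length']} "
              f"url={report['url_length']} "
              f"iis_rejects={report['exceeds_iis_max_query']} "
              f"browser_limit_exceeded={report['exceeds_browser_max_url']}")
    print("SiteMinder parameters:", report["top_level"])
    print("inside TARGET:", report["inside_target"])
```

Run with a stem and query copied from an IIS log instead of the constructed sample to see, per request, whether raising maxQueryString alone is enough or whether the URL still passes the browser limit; the split between the SP's RelayState and the parameters SiteMinder appends tells you which side has room to shrink.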


  • 2.  RE: IWA auth scheme - browser redirect URL maximum characters exceeded for IIS (HTTP 404.15)
    Best Answer

    Broadcom Employee
    Posted Mar 31, 2020 09:41 AM
    Hi Duc,

    It looks like this is a problem on IIS. According to the following KB,
    there's a parameter to configure to fix it.

    404 error with login.fcc with SP Initiated SAML 2.0

    Customer receiving 404.15. This means "The Request Filtering module
    rejected a request with a too long query string"

    To fix this we need to increase the value for maxQueryString, which
    has a default value of 2048 - customer's query string was 2,248
    bytes.

    To do this, edit IIS' Web.config:

    <system.webServer>
      <security>
        <requestFiltering>
          <requestLimits maxQueryString="4096"/>
        </requestFiltering>
      </security>
    </system.webServer>

    https://knowledge.broadcom.com/external/article?articleId=101617

    I hope this helps,

    Best Regards,
    Patrick


  • 3.  RE: IWA auth scheme - browser redirect URL maximum characters exceeded for IIS (HTTP 404.15)

    Posted Mar 31, 2020 06:33 PM
    Hi Patrick,

    Thank you for your response, I very much appreciate it.  I did not come across the Broadcom knowledge base article which referenced the IIS query string parameter configuration change, but I did find out about it through Google searches.  I did not try this because on Microsoft's website, it also mentioned that Microsoft Internet Explorer has a maximum URL query string length of 2083, which is only 35 characters more than the IIS default of 2048.

    But since Broadcom suggests modifying the web.config and increasing the IIS query string parameter length, I will give it a try and see how this will behave with Internet Explorer when the length is more than 2083.

    Thanks again!