SSO Troubleshooting: 404 Page Not Found Error during SP-initiated SSO
Learn how to troubleshoot this error.
Error
We are certain the SSO/ACS login pages are entered correctly, but when we attempt SP-initiated SSO, we get a 404 "page not found" error when Foundry sends the user to our IDP's login page. But when we initiate SSO from our identity provider, SSO works.
Explanation
Normally, a 404 "page not found" error happens when the web page file does not exist, such as with a broken webpage link. But a 404 error can also be caused by other backend errors. You may need to inspect your server's event logs to find an explanation. We have seen examples where certificate mismatches or other configuration problems cause a 404 error; the IDP detects some problem and, rather than outputting the real problem, it bombs out with an ambiguous 404. This kind of error can throw you off because normally a 404 error means "page not found", but in this case it is masking a different root problem.
In some cases, the real problem is the Maximum Querystring Length error. Foundry's SAML AuthnRequest has a large querystring parameter value containing a certificate and digital signature, and this can exceed the maximum querystring length value on some servers. If this is the case, the server returns a 404 error even though the webpage actually does exist. You may need to increase this limit to overcome this restriction and allow SP-initiated SSO to function. The reason this error might not occur during IDP-initiated SSO is that the SSO flow starts from your identity provider and there is no SAML message sent from Foundry to your system.
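To see why the querystring grows so large, the following script (an added example, not Foundry's code or the IDP vendor's) builds a minimal, constructed SAML 2.0 AuthnRequest, encodes it the way the standard HTTP-Redirect binding does (raw DEFLATE, base64, URL-encode, then SigAlg and Signature parameters), and measures the resulting query string with and without an embedded signing certificate. The 2048-byte limit is an assumption for the check (it is the default value of IIS's requestLimits maxQueryString; other servers have their own setting), the entity IDs and URLs are placeholders, and the signature and certificate bytes are stand-ins of realistic size rather than real cryptographic material.

```python
import base64
import random
import urllib.parse
import zlib

# Assumed limit for the check. IIS's requestLimits maxQueryString defaults to
# 2048 bytes; other servers have their own setting, so match it to the IdP host.
DEFAULT_MAX_QUERYSTRING = 2048
SIG_ALG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Stand-in for an RSA-2048 signature: a real SP signs with its private key,
# but only the size (256 bytes) matters for this length estimate.
FAKE_RSA2048_SIGNATURE = b"\x00" * 256


def build_authn_request(issuer, acs_url, destination, x509_b64=None):
    """Minimal SAML 2.0 AuthnRequest (constructed sample, not Foundry's exact
    message). If x509_b64 is given, an enveloped ds:Signature carrying that
    certificate is embedded, which is what makes some SP messages large."""
    signature_block = ""
    if x509_b64 is not None:
        signature_block = (
            '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
            '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
            f'<ds:SignatureMethod Algorithm="{SIG_ALG_RSA_SHA256}"/></ds:SignedInfo>'
            f"<ds:SignatureValue>{base64.b64encode(FAKE_RSA2048_SIGNATURE).decode()}"
            f"</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{x509_b64}"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        )
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-request-id" '
        f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>{signature_block}"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" '
        'AllowCreate="true"/></samlp:AuthnRequest>'
    )
    return xml.encode("utf-8")


def redirect_binding_query(authn_request_xml, relay_state=None,
                           signature=FAKE_RSA2048_SIGNATURE):
    """Encode the message as the HTTP-Redirect binding does (raw DEFLATE, base64,
    URL-encode) and return the query string appended to the IdP's SSO URL."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(authn_request_xml) + compressor.flush()
    parts = ["SAMLRequest=" + urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")]
    if relay_state is not None:
        parts.append("RelayState=" + urllib.parse.quote(relay_state, safe=""))
    parts.append("SigAlg=" + urllib.parse.quote(SIG_ALG_RSA_SHA256, safe=""))
    # The signature is computed over "&".join(parts) in exactly this order,
    # then appended as the final parameter.
    parts.append("Signature=" + urllib.parse.quote(base64.b64encode(signature).decode(), safe=""))
    return "&".join(parts)


def decode_saml_request(query_string):
    """Reverse the encoding: useful for confirming what actually reached the IdP."""
    params = urllib.parse.parse_qs(query_string)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)


def check_query_length(query_string, limit=DEFAULT_MAX_QUERYSTRING):
    """Return (length, limit, fits). fits=False means the IdP host may reject the
    URL before the SSO endpoint runs, which can surface as a bare 404."""
    length = len(query_string)
    return length, limit, length <= limit


def compare_requests(limit=DEFAULT_MAX_QUERYSTRING):
    """Size the same request with and without an embedded certificate."""
    rng = random.Random(7)  # deterministic stand-in for a 1.6 KB DER certificate
    fake_cert_b64 = base64.b64encode(rng.randbytes(1600)).decode()
    names = ("https://sp.example.test/metadata", "https://sp.example.test/acs",
             "https://idp.example.test/sso")
    lean = redirect_binding_query(build_authn_request(*names), relay_state="/home")
    fat = redirect_binding_query(build_authn_request(*names, x509_b64=fake_cert_b64),
                                 relay_state="/home")
    return {"without_certificate": check_query_length(lean, limit),
            "with_certificate": check_query_length(fat, limit)}


if __name__ == "__main__":
    for label, (length, limit, fits) in compare_requests().items():
        print(f"{label}: {length} bytes (limit {limit}) -> {'OK' if fits else 'TOO LONG'}")
```

The certificate data is high-entropy, so DEFLATE barely shrinks it and the base64 plus URL-encoding steps then expand it again; that is why the embedded-certificate variant overshoots a limit the plain request comfortably fits under. To check a real request, paste the query string from the failing redirect into `check_query_length` with your server's configured limit, and use `decode_saml_request` to confirm the message that was sent.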
Other possibilities are that there is a certificate mismatch problem, or some other reason that the identity provider does not "trust" the authentication request it received from Foundry.
If you are not able to see the error right away, you may need to check event logs in your environment to uncover the root cause.
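A quick way to rule the certificate-mismatch case in or out is to compare the signing certificate the SP publishes in its metadata with what is registered at the identity provider. The script below is an added example (not Foundry's or any IDP vendor's code) that extracts every `use="signing"` certificate from a constructed SP metadata document, normalizes away PEM armor and line wrapping, and compares SHA-256 fingerprints against certificates exported from the IdP. The metadata, entity ID and certificate bytes are placeholders built inline; against a real deployment you would feed it the SP's metadata file and the certificate text from the IdP console.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder bytes standing in for DER certificates; a real check
# reads the SP's metadata file and the IdP's trust configuration instead.
CURRENT_SP_CERT = b"constructed placeholder for the SP's current signing certificate"
OLD_SP_CERT = b"constructed placeholder for a previous, rotated-out certificate"
ENCRYPTION_CERT = b"constructed placeholder for the SP's encryption certificate"


def _wrap(der):
    """Base64 with 64-character lines, as metadata exporters usually write it."""
    return textwrap.fill(base64.b64encode(der).decode(), 64)


# Constructed SP metadata: one signing and one encryption KeyDescriptor.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{_wrap(CURRENT_SP_CERT)}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{_wrap(ENCRYPTION_CERT)}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def normalize_certificate(text):
    """Strip PEM armor, indentation and line breaks and return DER bytes.
    Comparing raw text instead is a common source of false 'mismatches'
    when a certificate is pasted into an IdP console."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(der):
    """Colon-separated SHA-256 fingerprint, the form most IdP consoles display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_fingerprints(metadata_xml):
    """Fingerprints of every certificate the SP says it signs with. A
    KeyDescriptor with no 'use' attribute covers both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.append(fingerprint(normalize_certificate(cert.text)))
    return found


def diagnose_trust(sp_metadata_xml, idp_trusted):
    """Compare what the SP signs with against what the IdP trusts.
    idp_trusted holds certificates as PEM or bare base64 text from the IdP."""
    sp = set(signing_fingerprints(sp_metadata_xml))
    idp = {fingerprint(normalize_certificate(c)) for c in idp_trusted}
    return {"trusted": bool(sp & idp),
            "sp_only": sorted(sp - idp), "idp_only": sorted(idp - sp)}


if __name__ == "__main__":
    # Simulate an IdP still holding the SP's previous certificate after a rotation.
    stale = "-----BEGIN CERTIFICATE-----\n" + _wrap(OLD_SP_CERT) + "\n-----END CERTIFICATE-----"
    print(diagnose_trust(SP_METADATA, [stale]))
```

An empty `trusted` with a populated `sp_only` list is the signature of a rotated or re-exported SP certificate that was never updated on the IdP side; the encryption certificate is deliberately ignored because it plays no part in verifying the AuthnRequest signature.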
Resolution
Depends on the root cause as described in the Explanation section.