SSO Troubleshooting: Maximum Querystring Length Error

Learn how to troubleshoot this error.

Error

This error can arise in an identity provider's system in many different ways. Often you may not see a clear error message. Ways this error can manifest:

  • A user can sign in successfully with IdP-initiated SSO, but gets an error on the identity provider's site when attempting SP-initiated SSO

  • Often this error manifests as a 404 "page not found" error, even though the page in the URL does in fact exist, or as a 400 error code


Explanation

Some systems impose a default maximum length on request querystrings. Often these are Microsoft settings, and the limit is 2,048 characters. When Foundry sends a SAML Authentication Request (AuthnRequest) to your identity provider, the AuthnRequest is encoded and placed in a querystring parameter. The total length of that parameter is often 3,000 – 4,000 characters or more. The AuthnRequest gets large because Foundry digitally signs it so that the identity provider can validate that the request is actually coming from Foundry. Signing the request means the Foundry X509 certificate is included in the request, along with the additional XML tags and data associated with signing.
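To confirm that querystring length is the cause, you can measure the SP-initiated redirect URL and look inside its SAMLRequest parameter. The script below is an added example, not Foundry's code; it assumes the standard SAML HTTP-Redirect encoding (raw DEFLATE, then base64, then URL-encoding), and the host `idp.example.com`, the filler "certificate" and the sample XML are constructed for illustration.

```python
import base64
import hashlib
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

LIMIT = 2048  # default querystring limit the article cites


def encode_redirect(xml: str) -> str:
    """Raw DEFLATE then base64 (assumed HTTP-Redirect binding encoding)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()


def inspect_sso_url(url: str, limit: int = LIMIT) -> dict:
    """Measure the query string and look inside its SAMLRequest parameter."""
    query = urlsplit(url).query
    raw = parse_qs(query).get("SAMLRequest", [""])[0]
    try:
        xml = zlib.decompress(base64.b64decode(raw), -15).decode("utf-8", "replace")
    except (ValueError, zlib.error):
        xml = ""  # not base64 + DEFLATE: report the length only
    return {
        "query_length": len(query),
        "over_limit": len(query) > limit,
        "signed": "SignatureValue" in xml,
        "has_certificate": "X509Certificate" in xml,
    }


# Constructed sample data: filler bytes stand in for a real certificate.
FILLER = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))).decode()
UNSIGNED = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'ID="_constructed" Version="2.0">{}</samlp:AuthnRequest>')
SIGNATURE = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
             "<ds:SignatureValue>placeholder</ds:SignatureValue>"
             "<ds:X509Certificate>" + FILLER + "</ds:X509Certificate></ds:Signature>")


def build_url(xml: str) -> str:
    """Build a redirect URL for the hypothetical host idp.example.com."""
    return "https://idp.example.com/sso?" + urlencode({"SAMLRequest": encode_redirect(xml)})


if __name__ == "__main__":
    for label, body in (("unsigned", ""), ("signed", SIGNATURE)):
        print(label, inspect_sso_url(build_url(UNSIGNED.format(body))))
```

To check a real failure, pass the URL copied from the browser's address bar on the error page to `inspect_sso_url`. The certificate data barely compresses, which is why the signed request exceeds the limit while the unsigned one stays well under it.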


Resolution

To resolve this, you will need to increase the maximum querystring length in your system. If your system is running Microsoft .NET, these links may be helpful:


If you use PortalGuard see: