SecureAuth IdP Version affected: All
Description:
When trying to use the Salesforce1 App, it gives a 404 error. Using a browser to go to the same address works fine.
Cause:
A change in the App is causing massive query strings that exceed the limit.
In the IIS log, you should see that the full error code is 404 15 (status 404, sub-status 15).
The sub code of 15 means "The Request Filtering module rejected a request with a too long query string." E.g., the ginormous SAML that the Salesforce1 App sends exceeds the Proxy/IIS limits by some margin and causes a 404 to be seen.
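To confirm this cause from the logs, the following added example (not part of the SecureAuth article or product) scans IIS W3C log lines for the 404 15 status and sub-status pair and reports the affected paths with the longest query string recorded for each. The sample log lines, path, user agent and function names are constructed for illustration.

```python
# Added example: find 404 sub-status 15 entries in IIS W3C extended logs.
# All sample data below is constructed, not taken from a real server.
LONG_QUERY = "SAMLRequest=" + "A" * 3000  # constructed oversized query string
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip "
    "cs(User-Agent) sc-status sc-substatus sc-win32-status",
    f"2024-01-01 10:00:01 GET /idp/login.aspx {LONG_QUERY} 203.0.113.7 ExampleMobileApp/1.0 404 15 0",
    "2024-01-01 10:00:05 GET /idp/login.aspx SAMLRequest=short 203.0.113.8 Mozilla/5.0 200 0 0",
    "2024-01-01 10:00:09 GET /missing.html - 203.0.113.9 Mozilla/5.0 404 0 2",
]

def find_404_15(lines):
    """Return one dict per request logged with sc-status 404 and sc-substatus 15."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order is site-specific and can change mid-file.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed or truncated lines
        rec = dict(zip(fields, values))
        if rec.get("sc-status") == "404" and rec.get("sc-substatus") == "15":
            query = rec.get("cs-uri-query", "-")
            hits.append({
                "when": f"{rec.get('date', '?')} {rec.get('time', '?')}",
                "uri": rec.get("cs-uri-stem", "?"),
                "client": rec.get("c-ip", "?"),
                "user_agent": rec.get("cs(User-Agent)", "?"),
                # Length of cs-uri-query as written to the log ("-" means empty).
                "logged_query_len": 0 if query == "-" else len(query),
            })
    return hits

def summarize(hits):
    """Map each URI to (number of rejections, longest logged query length)."""
    out = {}
    for h in hits:
        count, longest = out.get(h["uri"], (0, 0))
        out[h["uri"]] = (count + 1, max(longest, h["logged_query_len"]))
    return out

if __name__ == "__main__":
    for uri, (count, longest) in summarize(find_404_15(SAMPLE_LOG)).items():
        print(f"{uri}: {count} rejected, longest logged query {longest} chars")
```

To run it against a real log, pass an open file object in place of `SAMPLE_LOG`; the logs must include the `sc-status` and `sc-substatus` fields.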
Resolution:
To fix this issue, use Configuration Editor to increase the maxQueryString size and the maxUrl size.
Salesforce has made a change that has pushed the query string over the normal limits.
1. Open IIS
2. Navigate to the Default Web Site
3. In the Features View, click on Configuration Editor
4. In Configuration Editor, change the Section to system.webServer/security/requestFiltering
5. Increase the maxQueryString and maxUrl (See above screenshot for example limits)
6. Apply the changes
7. Repeat the change on any other IdPs
Special Considerations:
It's best practice to keep maxQueryString and maxUrl as small as possible to avoid injection attacks, so if you can get the App Vendor to reduce the size of the query, that's a better approach.
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.