SP Initiated realm giving 404 error

    Applies to:
  • SecureAuth Identity Platform
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth IdP Version affected: All
    When trying to use SP initiated by Redirect, the SecureAuth realm gives a 404 error. 

    The SP is sending massive query strings which is exceeding the limit

    In the IIS log, you should see the full error code is 404 15

    What the sub code of 15 means is "The Request Filtering module rejected a request with a too long query string." Eg, The SP is sending such a large AuthN request and other parameters in the query string that it exceeds the limits by some margin and causes a 404 to be seen.



    To fix this issue, use Configuration Editor to increase the maxQueryString size and the maxURL size

    We've found various SPs, including Azure have been sending QueryStrings over the normal limits.

    1. Open IIS
    2. Navigate to the Default Web Site
    3. In the Features View, click on Configuration Editor
    4. In Configuration Editor, Change the Section to system.webServer/security/requestFiltering


    5. Increase the maxQueryString and maxURL (See above screenshot for example limits)
    6. Apply the changes
    7. Repeat the change on any other IdPs

    Special Considerations:

    It's best practice to keep the MaxQueryString and MaxURL to as small a value as possible to avoid injection attacks so if you can get the App Vendor to reduce the size of the query, that's a better approach.

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

    0 out of 0 found this helpful



    Please sign in to leave a comment.