SecureAuth IdP Version affected: All
Description:
When trying to use SP-initiated by Redirect, the SecureAuth realm returns a 404 error.
Cause:
The SP is sending very large query strings that exceed the IIS request filtering limit.
In the IIS log, you should see that the full error code is 404 15.
Sub-status code 15 means "The Request Filtering module rejected a request with a too long query string." In other words, the SP is sending such a large AuthN request and other parameters in the query string that it exceeds the limits by some margin, and IIS returns a 404.
Resolution:
To fix this issue, use Configuration Editor to increase the maxQueryString and maxUrl sizes.
We've found that various SPs, including Azure, have been sending query strings over the normal limits.
1. Open IIS
2. Navigate to the Default Web Site
3. In the Features View, click on Configuration Editor
4. In Configuration Editor, change the Section to system.webServer/security/requestFiltering
5. Increase the maxQueryString and maxUrl values (see above screenshot for example limits)
6. Apply the changes
7. Repeat the change on any other IdPs
Special Considerations:
It's best practice to keep maxQueryString and maxUrl as small as possible to avoid injection attacks, so if you can get the app vendor to reduce the size of the query, that is the better approach.
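To see how large the rejected requests actually are before choosing new limits, the IIS log can be scanned for the 404 15 entries described under Cause. This is an added example, not SecureAuth code; it assumes W3C-format logs with the cs-uri-stem, cs-uri-query, sc-status and sc-substatus fields enabled, and the realm path and log lines are constructed.

```python
from collections import defaultdict


def rejected_query_lengths(lines):
    """Return {uri_stem: (hits, longest_query_length)} for 404 15 rows."""
    fields, stats = [], defaultdict(lambda: [0, 0])
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        # Keep only requests rejected by Request Filtering for query length.
        if (row.get("sc-status"), row.get("sc-substatus")) != ("404", "15"):
            continue
        query = row.get("cs-uri-query", "-")
        entry = stats[row.get("cs-uri-stem", "-")]
        entry[0] += 1
        entry[1] = max(entry[1], 0 if query == "-" else len(query))
    return {stem: tuple(v) for stem, v in stats.items()}


def build_sample_log():
    """Constructed log lines; the realm path and values are made up."""
    header = [
        "#Software: Microsoft Internet Information Services 10.0",
        "#Fields: date time cs-method cs-uri-stem cs-uri-query "
        "sc-status sc-substatus",
    ]
    rows = [
        ("GET", "/ExampleRealm1/",
         "SAMLRequest=" + "A" * 2500 + "&RelayState=x", "404", "15"),
        ("GET", "/ExampleRealm1/", "SAMLRequest=" + "B" * 3100, "404", "15"),
        ("GET", "/ExampleRealm1/", "SAMLRequest=" + "C" * 900, "200", "0"),
        ("GET", "/missing.aspx", "-", "404", "0"),  # ordinary 404, ignored
    ]
    return header + ["2024-01-10 09:00:00 " + " ".join(r) for r in rows]


if __name__ == "__main__":
    report = rejected_query_lengths(build_sample_log())
    for stem, (hits, longest) in report.items():
        print(f"{stem}: {hits} rejected, longest query {longest} characters")
```

For a real log, pass an open file handle to `rejected_query_lengths` and set maxQueryString just above the longest legitimate value reported, rather than to an arbitrarily large number.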
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.