Some client connections through ThreatPulse receive SAML error: HTTP 400 Bad Request
When Auth Connector (BCCA) is used as the Identity Provider (IdP) for SAML authentication, some users receive an HTTP 400 Bad Request response from the IIS server that hosts the Auth Connector ("The size of the request headers is too long") instead of being authenticated.
Web Security Service using SAML Authentication
HTTP 400 Bad Request
Checking the affected user's group membership typically shows membership in a large number of groups, often with groups nested inside other groups. Every group the user belongs to, including groups inherited through nesting, adds a SID to the PAC in the user's Kerberos ticket, so a large (transitive) group count inflates the Kerberos blob that the browser sends with the request.
In a packet capture taken on the client computer (with a tool such as HttpWatch or Firebug), the Kerberos blob in the HTTP request is very large. The blob is carried in the Authorization header (Authorization: Negotiate ...). In the captured request the total request was 17,485 bytes, of which about 16k was the Kerberos blob. That is larger than the default Kerberos MaxTokenSize (12,000 bytes on Windows 7/Server 2008 R2 and earlier) and, more to the point, larger than the default per-header and per-request limits that http.sys/IIS enforces on the server where the Auth Connector runs (MaxFieldLength and MaxRequestBytes under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters, 16,384 bytes each by default), so IIS rejects the request with 400 before the Auth Connector sees it. The capture screenshot shows the oversized Authorization header.
Increase the values only as far as the request needs. In the example screenshot, raising both http.sys values to 20k (20,480 bytes) was enough to let the request through. The hard maximum for MaxFieldLength is 64k (65,534 bytes); setting it that high is not recommended, because a larger header buffer increases the memory an unauthenticated client can force the server to allocate per request. The new values take effect only after http.sys is restarted (restart the HTTP service and IIS, or reboot). If the required size approaches the maximum, reduce the user's group membership (in particular nested groups) rather than raising the limit further.
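The diagnosis above (measure the Authorization header in a client capture against the http.sys and MaxTokenSize defaults) and the sizing rule for the fix (raise the limits only as far as the request needs, never past 64k) as one added example. This is not code from the article or from Symantec/Broadcom. It assumes the standard http.sys registry limits (MaxFieldLength/MaxRequestBytes default 16,384 bytes, MaxFieldLength ceiling 65,534 bytes), uses Microsoft's published access-token sizing rule of thumb from KB 327825 for the group-membership estimate, and analyses a constructed request, not a real ThreatPulse capture.

```python
import base64
import binascii
import math

# http.sys limits live under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters:
# MaxFieldLength bounds one header field, MaxRequestBytes bounds request line + all headers.
HTTP_SYS_DEFAULT_BYTES = 16384   # default for both values
MAXFIELDLENGTH_CEILING = 65534   # hard upper bound for MaxFieldLength (the "64k" the article warns about)
STEP = 4096                      # raise in 4 KB steps, only as far as the request needs
LEGACY_MAXTOKENSIZE = 12000      # Kerberos MaxTokenSize default on Windows 7 / Server 2008 R2 and earlier


def estimate_kerberos_token_size(domain_local_groups: int, global_groups: int) -> int:
    """Microsoft's rule of thumb (KB 327825) for access-token size: 1200 + 40*d + 8*s,
    d = domain local groups (and groups outside the user's domain), s = global/universal
    groups in the user's domain. Nested groups count: the PAC carries the transitive closure."""
    return 1200 + 40 * domain_local_groups + 8 * global_groups


def split_header_block(raw: bytes):
    """Return (header block without the terminating blank line, bytes consumed including it)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    return head, len(head) + len(sep)


def recommend_limit(needed_bytes: int):
    """Smallest 4 KB step that admits the request, or None when even the ceiling would not."""
    if needed_bytes <= HTTP_SYS_DEFAULT_BYTES:
        return HTTP_SYS_DEFAULT_BYTES           # defaults already suffice; look elsewhere
    proposed = math.ceil(needed_bytes / STEP) * STEP
    if proposed > MAXFIELDLENGTH_CEILING:
        return None                             # 64k would not help: trim group membership instead
    return proposed


def analyze_request(raw: bytes) -> dict:
    """Measure a captured HTTP request the way the article does: size of the Authorization
    header, size of the decoded Kerberos/SPNEGO blob, size of the whole header block."""
    head, header_block_bytes = split_header_block(raw)
    lines = head.split(b"\r\n")
    fields = {}
    for line in lines[1:]:                      # skip the request line
        name, _, value = line.partition(b":")
        fields[name.strip().lower()] = (line, value.strip())
    auth_line, auth_value = fields.get(b"authorization", (b"", b""))
    scheme, _, token = auth_value.partition(b" ")
    try:
        decoded = len(base64.b64decode(token, validate=True)) if token else 0
    except binascii.Error:
        decoded = None                          # not base64 (e.g. malformed): skip the decode
    largest_field = max((len(line) for line in lines[1:]), default=0)
    needed = max(largest_field, header_block_bytes)
    return {
        "scheme": scheme.decode(errors="replace"),
        "authorization_field_bytes": len(auth_line),
        "token_decoded_bytes": decoded,
        "header_block_bytes": header_block_bytes,
        "exceeds_http_sys_default": needed > HTTP_SYS_DEFAULT_BYTES,
        "exceeds_legacy_maxtokensize": decoded is not None and decoded > LEGACY_MAXTOKENSIZE,
        "recommended_limit": recommend_limit(needed),
    }


# Constructed sample, not a real capture: a 12,300-byte blob whose first bytes mimic the DER
# header of a Negotiate token, padded with a byte pattern. base64 turns it into 16,400 chars.
SAMPLE_TOKEN = b"\x60\x82\x30\x08" + bytes(i % 256 for i in range(12296))
SAMPLE_REQUEST = b"\r\n".join([
    b"GET http://example.com/ HTTP/1.1",
    b"Host: example.com",
    b"User-Agent: Mozilla/5.0 (constructed sample)",
    b"Authorization: Negotiate " + base64.b64encode(SAMPLE_TOKEN),
    b"",
    b"",
])

if __name__ == "__main__":
    for key, value in analyze_request(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
    print("estimated token size for 100 domain-local + 500 global groups:",
          estimate_kerberos_token_size(100, 500))
```

Feed it the raw request exported from HttpWatch or Fiddler instead of the constructed sample. For the sample, the Authorization field alone is 16,425 bytes and the whole header block 16,528 bytes, both over the 16,384-byte default, and the recommended new value is 20,480 (20k), the same figure the article arrived at; a None result means the request cannot be admitted without raising the limit past the 64k ceiling, which is the signal to reduce the user's group membership instead.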
Imported Document ID: 000023267