SAML2 HTTP-POST binding URL too long? 400 Bad Request


Michael Daley

Apr 2, 2020, 11:43:48 AM
to CAS Community
Hi,
A vendor (Gartner) performing an SP-initiated SSO to our HTTP-POST binding is unable to complete the authentication webflow. The URL that CAS sends the user to on the login page is over 3900 characters long, and appears to cause a browser error. We get 400 - Bad Request when clicking on "sign in". I've used the saml-sp-integration to configure this.

cas.samlSp.gartner.metadata=/etc/cas/services/sp-metadata/gartner.xml
cas.samlSp.gartner.description=Gartner Integration
cas.samlSp.gartner.nameIdAttribute=email
cas.samlSp.gartner.attributes=givenName,sn,email
cas.samlSp.gartner.entityIds=http://www.gartner.com
cas.samlSp.gartner.signResponses=true
cas.samlSp.gartner.signAssertions=true

There are no errors in the cas log.
Running CAS 6.1.5.  Also tested against 6.2.0-RC3

Attaching the only logs I could find that could be relevant. I've stripped out some of the base64-encoded SAMLRequest.

DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Created service url [https://idp_hostname/cas/idp/profile/SAML2/Callback?entityId=http%3A%2F%2Fwww.gartner.com&SAMLRequest=PD94bWwgdmVyc2lv...]>
DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Redirecting SAML authN request to [https://idp_hostname/cas/login?service=https%3A%2F%2Fidp_hostname%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3FentityId%3Dhttp%253A%252F%252Fwww.gartner.com%26SAMLRequest%3DPD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbHA6QXV0aG5SZXF1ZXN0IHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwczovL3N0c3Rlc3QuY2NyaS5lZHUvY2FzL2lkcC9wcm9maWxlL1NBTUwyL1BPU1QvU1NPIiBJRD0iSGhFMTZsNldLcWxyRjVmcG5ReV9IODdXSzBRIiBJc3N1ZUluc3RhbnQ9IjIwMjAtMDQtMDJUMTI6Mzg6MjYuMjQxWiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5h{  removed part of the request param } GF5MkdVQWE5UG5mbmw4ClJhb0IwTjZLaE9mdTBqTTJ0djJoT2VaVVNqNTA0blo2dmJaOXQ3MU5EdGJiNkl2VnZleEgzN0lGVGF3Wk1Cd2hsc3VFWm5SZlFDUGkKbks5dVBWL1pNdFpGTGtYb1l1U3FjV21xTFlrZm1KZTVVQT09CjwvZHM6WDUwOUNlcnRpZmljYXRlPgo8L2RzOlg1MDlEYXRhPgo8L2RzOktleUluZm8%252BCjwvZHM6U2lnbmF0dXJlPjxzYW1scDpOYW1lSURQb2xpY3kgQWxsb3dDcmVhdGU9InRydWUiLz48L3NhbWxwOkF1dGhuUmVxdWVzdD4%253D%26RelayState%3DOBr0GYRPutE46ryaLYWwapTklrOUUx]>
DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service in context scope: 


Thanks for any help.

Michael J Barsic

Apr 2, 2020, 12:24:18 PM
to cas-...@apereo.org
Are you behind a proxy server?  I've had a similar issue due to our Nginx proxy blocking the request. 

Thanks,
Mike


From: "Michael Daley" <mjda...@ccri.edu>
To: "CAS Community" <cas-...@apereo.org>
Sent: Thursday, April 2, 2020 11:43:47 AM
Subject: [cas-user] SAML2 HTTP-POST binding URL too long? 400 Bad Request
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/65fca71a-4f64-44f8-a2c1-f19b44b0c241%40apereo.org.

Daley, Michael

Apr 2, 2020, 12:34:41 PM
to cas-...@apereo.org
Yes. We are behind an HAProxy. I'll take a look at that. Thank you!


Michael Daley

Apr 2, 2020, 1:27:08 PM
to CAS Community
Mike, 

After increasing the HTTP buffer size, this integration is now working. Thank you for the pointer to the proxy.
Adding the following to the haproxy.cfg global section worked for me in this case.

tune.bufsize 65535
tune.maxrewrite 16384


Michael J Barsic

Apr 2, 2020, 2:21:24 PM
to cas-user
I'm glad that helped.  It took us some time to figure out it wasn't a CAS issue when we first came across it.


