SSO Troubleshooting: Large SAML Request (Entra ID / Azure)

Troubleshoot SSO login failures caused by large SAML requests

Error

You may encounter SSO errors that do not clearly reference a query string limit but occur during login, especially with SP-initiated SSO.

These errors can appear in different ways, including:

  • A 400 Bad Request or 404 Page Not Found error
  • A failed or incomplete redirect during login
  • Successful IdP-initiated SSO, but failure with SP-initiated SSO

In some cases, there may be no visible error message at all.


Explanation

During SP-initiated SSO, the Foundry platform sends a SAML Authentication Request (AuthnRequest) to your identity provider. This request is encoded into a URL and passed through the browser.

If the request becomes too large, it may fail before it reaches the identity provider or while being processed.

SAML requests can become large due to configuration choices within your identity provider, including:

  • A large number of user attributes (claims)
  • Attributes with long string values, which increase payload size
  • HTTP Redirect binding, which places the full request into the URL
  • Request signing, which adds additional data such as a certificate and signature

While each of these components is valid, together they can significantly increase the size of the SAML request and lead to login failures.
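To see where the bytes go in a failing SP-initiated login, the following added example (not Foundry or Microsoft code) decodes the SAMLRequest from a captured redirect URL and reports the size of each query parameter. It assumes the signature travels as the SigAlg and Signature query parameters of the SAML HTTP-Redirect binding; the hosts, IDs, signature bytes and the 2048-character limit are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import parse_qsl, quote, urlsplit

URL_LIMIT = 2048  # assumed placeholder: the page states no number; use your proxy/IdP limit

def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw stream, no zlib header
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(raw).decode("ascii"), safe="")

def decode_redirect(value: str) -> str:
    """Reverse of encode_redirect for an already URL-decoded SAMLRequest value."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def measure(url: str, limit: int = URL_LIMIT) -> dict:
    """Report where the bytes go in a captured SP-initiated redirect URL."""
    query = urlsplit(url).query
    wire = {pair.partition("=")[0]: len(pair) for pair in query.split("&") if pair}
    params = dict(parse_qsl(query))
    xml = decode_redirect(params["SAMLRequest"])
    return {
        "url_len": len(url),
        "wire_bytes": wire,      # per-parameter size as sent in the URL
        "xml_len": len(xml),     # size of the decoded AuthnRequest
        "signed": "Signature" in params,
        "over_limit": len(url) > limit,
    }

# Constructed sample request; IDs, hosts and the signature bytes are placeholders.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example/saml/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example/metadata</saml:Issuer></samlp:AuthnRequest>'
)
UNSIGNED_URL = "https://idp.example/saml2?SAMLRequest=" + encode_redirect(SAMPLE_XML)
FAKE_SIG = quote(base64.b64encode(bytes(256)).decode("ascii"), safe="")  # RSA-2048 size
SIGNED_URL = (UNSIGNED_URL
              + "&SigAlg=" + quote("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", safe="")
              + "&Signature=" + FAKE_SIG)

if __name__ == "__main__":
    for name, url in (("unsigned", UNSIGNED_URL), ("signed", SIGNED_URL)):
        print(name, measure(url))
```

Run `measure()` on the redirect URL copied from the browser's network tab during a failing login, and compare `url_len` against the limit enforced by the proxies and identity provider in your path.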


Resolution

If you suspect your SAML request may be too large, review your identity provider configuration and reduce the size of the request where possible.

1. Review and reduce claims

In your identity provider (such as Microsoft Entra ID), navigate to your enterprise application’s Single Sign-On settings and review the Attributes & Claims configuration.

  • Remove any unnecessary attributes
  • Limit the number of claims included in the SAML response
  • Ensure only required fields (such as name or email) are present

Many SSO integrations only require a small set of core attributes.


2. Minimize attribute values

If certain attributes must be included:

  • Ensure values are not unnecessarily long
  • Avoid passing large or complex strings when possible

Reducing value length can help decrease the overall request size.


3. Evaluate your SSO configuration

Consider whether all included attributes are required for authentication or user provisioning.

  • Remove optional or unused mappings
  • Confirm which attributes are actively used by your organization

4. Review request signing settings (advanced)

SAML request signing adds important security protections, but it also increases the size of the request.

  • Disabling request signing can reduce request size
  • However, this removes the ability for the identity provider to verify the origin of the request

Only consider this option if required, and review your organization’s security policies before making changes.

If these steps do not resolve the issue, contact your internal IT team or submit a request to Support for further assistance.