SSO Troubleshooting: Maximum Querystring Length Error
Learn about what to do if you receive this error
Error
This error can show up in different ways depending on how your identity provider is set up. You might not see a clear error message.
Here are some common ways it can appear:
- The user can log in successfully using IdP-initiated SSO, but gets an error when trying to log in using SP-initiated SSO.
- The error may look like a 404 Page Not Found, even though the URL is correct and the page exists.
- Sometimes the error shows up as a 400 Bad Request.
Explanation
Some systems limit the maximum length of request query strings. In many cases—especially with Microsoft systems—the default limit is 2,048 characters.
When Foundry sends a SAML Authorization Request (AuthnRequest) to your identity provider, the request is encoded and placed into a query string parameter. This parameter can be very long—often between 3,000 and 4,000 characters or more.
It gets so large because Foundry digitally signs the AuthnRequest. This allows the identity provider to verify that the request is coming from Foundry. Signing the request adds extra data, including Foundry’s X.509 certificate and additional XML tags related to the signature.
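The size effect described above, as an added illustration (not Foundry's code): it builds a constructed AuthnRequest with and without an embedded signature block, applies the standard SAML HTTP-Redirect encoding, and compares the resulting query string length with the 2,048-character default. The URLs, IDs, and the 1,500-byte stand-in certificate are assumptions, and the key material is deterministic filler rather than a real certificate or signature.

```python
import base64
import hashlib
import urllib.parse
import zlib

LIMIT = 2048  # default query string limit cited in the article

def filler(n, seed):
    """Constructed, deterministic high-entropy bytes standing in for key material."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return base64.b64encode(out[:n]).decode()

def authn_request(signed):
    """Constructed AuthnRequest; every URL and ID is a placeholder."""
    signature = (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        '<ds:Reference URI="#_id1"><ds:DigestMethod '
        'Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f'<ds:DigestValue>{filler(32, b"digest")}</ds:DigestValue></ds:Reference>'
        f'</ds:SignedInfo><ds:SignatureValue>{filler(256, b"sig")}</ds:SignatureValue>'
        f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{filler(1500, b"cert")}'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
    ) if signed else ""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_id1" Version="2.0" '
        'Destination="https://idp.example.com/sso" '
        'AssertionConsumerServiceURL="https://sp.example.com/acs">'
        f'<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>{signature}'
        '</samlp:AuthnRequest>'
    )

def redirect_query(xml):
    """SAML HTTP-Redirect encoding: raw DEFLATE, base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    return "SAMLRequest=" + urllib.parse.quote(base64.b64encode(deflated), safe="")

def query_lengths():
    return {k: len(redirect_query(authn_request(s))) for k, s in
            (("unsigned", False), ("signed", True))}

if __name__ == "__main__":
    for kind, n in query_lengths().items():
        print(f"{kind}: {n} characters, exceeds {LIMIT}: {n > LIMIT}")
```

The certificate and signature values are base64 of high-entropy data, so DEFLATE recovers little of their size; the signed request stays over the limit even after compression.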
Resolution
If you are receiving an error related to query string length—such as a 404 Not Found or maxQueryStringLength exceeded—it usually means the URL being passed during SSO is too long for your system to handle.
To resolve this, you will need to increase the maximum query string length in your system’s configuration.
If your system is running Microsoft .NET, these resources may help:
- The length of the query string for this request exceeds the configured maxQueryStringLength value – This Stack Overflow thread includes examples of how to update both the <httpRuntime> and <requestFiltering> sections in your web.config file.
- ASP.NET MVC, Url Routing: Maximum Path (URL) Length – This thread discusses how ASP.NET MVC handles long URLs and how to configure maxUrlLength and maxQueryStringLength to avoid errors.
If you use PortalGuard, refer to this official support article:
- Resolving '404 Not Found' Errors During PortalGuard SSO (Max query string length exceeded) – This guide explains how to adjust PortalGuard settings to accommodate longer query strings during SSO.
Make sure to:
- Update both the <system.web> and <system.webServer> sections of your web.config file.
- Restart IIS after making changes.
- Test with a long query string to confirm the issue is resolved.