SSO Troubleshooting: 404 Page Not Found Error during SP-initiated SSO
Step-by-step help for fixing this error
Error
We are certain the SSO/ACS login pages are entered correctly, but when we attempt SP-initiated SSO, we get a 404 "page not found" error when Foundry sends the user to our IdP's login page. But when we initiate SSO from our identity provider, SSO works.
Explanation
A standard 404 “Page Not Found” error usually means the requested web page does not exist, such as when a link is broken. However, during service provider-initiated SSO, a 404 can also indicate other underlying issues.
Why This Happens
- Misleading Error: Some identity providers return a 404 when they encounter a backend issue instead of showing the real error. For example, certificate mismatches or configuration problems can trigger a 404 even though the page exists.
- Maximum Query String Length: Foundry’s SAML AuthnRequest includes a large query string containing a certificate and digital signature. On some servers, this can exceed the maximum allowed query string length, causing a 404.
- Fix: Increase the maximum query string length limit on your server to allow SP-initiated SSO to work.
- Why It Doesn’t Happen with IdP-Initiated SSO: In IdP-initiated flows, the request starts from your identity provider, so no large SAML message is sent from Foundry.
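As an added diagnostic example (not part of this article or of Foundry's own code), the Python below builds a redirect URL in the shape of an SP-initiated SAML AuthnRequest over the HTTP-Redirect binding, using constructed placeholder certificate and signature bytes, then decodes it and reports whether the query string would exceed a server's limit. The IdP and Foundry URLs are placeholders, and the 2048-byte default is the IIS request-filtering maxQueryString value; substitute your own server's limit.

```python
import base64, hashlib, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

# IIS request filtering rejects query strings longer than maxQueryString (default 2048 bytes);
# pass your own IdP web server's limit if it differs.
IIS_DEFAULT_MAX_QUERY_STRING = 2048

def deflate_b64(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def build_redirect_url(idp_sso_url: str, authn_request_xml: str, relay_state: str, signature_b64: str) -> str:
    """Assemble the URL the SP redirects the browser to (the shape of an SP-initiated request)."""
    params = {"SAMLRequest": deflate_b64(authn_request_xml), "RelayState": relay_state,
              "SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "Signature": signature_b64}
    return f"{idp_sso_url}?{urlencode(params)}"

def analyze_redirect(url: str, max_query_string: int = IIS_DEFAULT_MAX_QUERY_STRING) -> dict:
    """Decode the SAMLRequest and report whether the query string would trip the server limit."""
    query = urlsplit(url).query
    qs = parse_qs(query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    return {
        "message_type": root.tag.split("}")[-1],  # "AuthnRequest" for an SP-initiated login
        "query_length": len(query),
        "exceeds_limit": len(query) > max_query_string,
        "embeds_certificate": any(el.tag.endswith("X509Certificate") for el in root.iter()),
        "signed": "Signature" in qs,
    }

# Constructed sample: pseudo-random bytes stand in for the certificate and signature, which are
# what make the query string large (a real 2048-bit RSA certificate alone is over 1 KB in DER).
FAKE_CERT_B64 = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(40))).decode()
FAKE_SIG_B64 = base64.b64encode(hashlib.sha512(b"constructed signature").digest() * 4).decode()
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_constructed-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://idp.example.test/sso" AssertionConsumerServiceURL="https://foundry.example.test/acs">
  <saml:Issuer>https://foundry.example.test</saml:Issuer>
  <ds:Signature><ds:SignatureValue>{FAKE_SIG_B64}</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.test/sso", SAMPLE_AUTHN_REQUEST, "/home", FAKE_SIG_B64)
    print(analyze_redirect(url))  # exceeds_limit is True against the 2048-byte IIS default
```

To check a real case, paste the Location header Foundry returns into analyze_redirect with your server's configured limit; a query_length above that limit points at this cause rather than a broken link.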
Other Possible Causes
- Certificate mismatch
- Identity provider rejecting the authentication request due to trust issues
How to Diagnose
If the error message isn’t clear, check your server’s event logs for details. These logs often reveal the root cause, whether it’s a configuration error, certificate issue, or query string limitation.
Resolution
The resolution depends on the root cause identified using the Explanation section above.