SP initiated Single Logout with ADFS Help - request query string is too long

demian 1 Reputation point
2021-01-14T22:11:54.333+00:00

Hello,

I'm having an issue with SP initiated Single Logout (SLO) between my application and Azure AD (ADFS).

As per the documentation, for SLO, ADFS only supports the HTTP-Redirect binding.

When I initiated the logout process from my application, it creates the LogoutRequest (using pac4j), encodes it and attaches it as a SamlRequest to the end of the SLO logout URL as a parameter (example attached).

The issue is when it redirects using this URL, I get an error page (screenshot attached) from ADFS saying:

Sign in

Sorry, but we’re having trouble with signing you in.

AADSTS90015: Requested query string is too long.

This is strange as 1, we're not signing in we're signing out, and 2, why can't it handle the long msg and how can I get it to accept it?

I'm hoping you've encountered this issue before as any help would be much appreciated!

Regards,
Demian


Here's the pac4j generated redirect URL:



1 answer

  1. Marilee Turscak-MSFT 37,266 Reputation points Microsoft Employee Moderator
    2021-01-20T01:13:19.187+00:00

    That's definitely a long string! You can try clearing your browser cookies. Even though it's not an elegant solution it can work as a temporary workaround.

    Ideally if there's a way to redo the logic to issue a shorter request, that would resolve this.

    You could add a limitation to your web.config:

    <system.webServer>
      <security>
        <requestFiltering>
          <requestLimits maxQueryString="32768"/>
        </requestFiltering>
      </security>
    </system.webServer>
    

    http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits

    And:

    <httpRuntime maxQueryStringLength="32768" maxUrlLength="65536"/>
    

    (Max length numbers are just examples.)

