SAML: request header fields are too large against a commercial IdP
ISSUE TYPE
- Bug Report
COMPONENT NAME
Core, API, UI
CLOUDSTACK VERSION
4.16.1
CONFIGURATION
OS / ENVIRONMENT
Ubuntu 21.10 KVM
SUMMARY
May be related to #6427
When I try to authenticate against a commercial SAML IdP, I'm getting the following error in my browser console:
Status Code: 431 Request Header Fields Too Large.
This error occurs when IdP redirects back to ACS with the following link (trimmed): http://localhost:8080/client/api?command=samlSso?SAMLResponse=PHNhbWxwOlJlc3BvbnNlIH......
NOTE: I created a little SAML2.0 client in Go and was able to successfully authenticate with my provider and my credentials
SAML responses
Working demo - here
Failing CloudStack - here
STEPS TO REPRODUCE
1. Enable SAML in global config
2. Change SAML IdP metadata to the proper IdP link. Validate the IdP metadata link before using
3. Leave ALL other SAML related parameters default
4. Reboot mgmt server
5. Open mgmt login page and select `Single Sign-On`
6. Pick your IdP
7. Authenticate with your IdP with login and pass
8. Right after authn I'm getting redirected to the ACS page, which fails with the error specified
EXPECTED RESULTS
SAML SSO allows authentication
ACTUAL RESULTS
SAML SSO returns an error code 431
I'll try this again after upgrading ACS to the latest 4.17
Can you check what headers your browser's sending by looking at the request it's making? Is there a specific size that it begins to fail at?
I've had similar issues with SSO with another application which was caused by the following two things.
- The application was setting many large cookies. Does your browser just have a lot of cookie data that it's sending for each request?
- The reverse proxy the application was behind couldn't handle large headers. Are you running CloudStack behind something?
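Added here as a diagnostic for the report above and for the header-size question in the previous comment; this is not code from the reporter, the commenter or CloudStack. It pulls the SAMLResponse out of a captured ACS callback URL, tells the HTTP-Redirect binding (DEFLATE then base64) apart from plain base64, and sizes the resulting GET request line against an assumed 8 KiB header limit; the sample response, the limit and all function names are constructed for this example.

```python
"""Diagnose a SAML ACS callback URL for the 431 symptom (hypothetical helper)."""
import base64, re, zlib
from urllib.parse import unquote, urlsplit

HEADER_LIMIT = 8192  # assumption: a common server default for total request header size

# Constructed sample (not a real IdP response); real signed responses also run to several KiB
SAMPLE_XML = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c" Version="2.0">'
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    + b"<saml:AttributeValue>x</saml:AttributeValue>" * 200
    + b"</saml:Assertion></samlp:Response>"
)

def encode_post_binding(xml: bytes) -> str:
    """HTTP-POST binding: plain base64, meant to travel in a form body, not a URL."""
    return base64.b64encode(xml).decode()

def encode_redirect_binding(xml: bytes) -> str:
    """HTTP-Redirect binding: raw DEFLATE then base64, the form meant for a query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    return base64.b64encode(comp.compress(xml) + comp.flush()).decode()

def decode_saml_response(value: str) -> tuple[bytes, str]:
    """Return (xml, encoding). The prefix quoted in the report, PHNhbWxwOlJlc3BvbnNlIH,
    decodes to '<samlp:Response ', i.e. plain base64 rather than the deflated form."""
    text = unquote(value)
    raw = base64.b64decode(text + "=" * (-len(text) % 4))  # tolerate a trimmed value
    if raw.startswith(b"<"):
        return raw, "base64"
    return zlib.decompress(raw, -15), "deflate+base64"

def analyze_acs_url(url: str, header_limit: int = HEADER_LIMIT) -> dict:
    """Measure the GET request line alone; cookies and other headers add on top of it."""
    parts = urlsplit(url)
    # regex instead of parse_qs: the reported URL has '?' where '&' belongs
    match = re.search(r"SAMLResponse=([^&]+)", parts.query)
    value = match.group(1) if match else ""
    xml, encoding = decode_saml_response(value) if value else (b"", "none")
    request_line = len(f"GET {parts.path}?{parts.query} HTTP/1.1\r\n")
    return {
        "encoding": encoding,
        "xml_bytes": len(xml),
        "request_line_bytes": request_line,
        "exceeds_limit": request_line > header_limit,
    }

if __name__ == "__main__":  # compare both encodings of the same sample response
    for encode in (encode_post_binding, encode_redirect_binding):
        url = f"http://localhost:8080/client/api?command=samlSso&SAMLResponse={encode(SAMPLE_XML)}"
        print(encode.__name__, analyze_acs_url(url))
```

Feeding it the trimmed URL from the report shows the value is uncompressed base64 XML in a GET query string, which is why even a modest response pushes the request line past a typical header limit.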
We couldn't reproduce this on recent 4.18 with Keycloak, Shibboleth or Azure AD. Please reopen if you are still hitting this, thanks @tampler