SP initiated Single Logout with ADFS Help - request query string is too long

demian 1 Reputation point
2021-01-14T22:11:54.333+00:00

Hello,

I'm having an issue with SP initiated Single Logout (SLO) between my application and Azure AD (ADFS).

As per the documentation, for SLO, ADFS only supports the HTTP-Redirect binding.

When I initiate the logout process from my application, it creates the LogoutRequest (using pac4j), encodes it and attaches it as a SamlRequest parameter to the end of the SLO logout URL (example attached).

The issue is when it redirects using this URL, I get an error page (screenshot attached) from ADFS saying:

Sign in

Sorry, but we’re having trouble with signing you in.

AADSTS90015: Requested query string is too long.

This is strange because 1) we're not signing in, we're signing out, and 2) why can't it handle the long message, and how can I get it to accept it?

I'm hoping you've encountered this issue before as any help would be much appreciated!

Regards,
Demian


Here's the pac4j generated redirect URL:


Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 34,711 Reputation points Microsoft Employee
    2021-01-20T01:13:19.187+00:00

    That's definitely a long string! You can try clearing your browser cookies. Even though it's not an elegant solution it can work as a temporary workaround.

    Ideally if there's a way to redo the logic to issue a shorter request, that would resolve this.

    You could add a limitation to your web.config:

    <system.webServer>
      <security>
        <requestFiltering>
          <requestLimits maxQueryString="32768"/>
        </requestFiltering>
      </security>
    </system.webServer>
    

    http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits

    And:

    <httpRuntime maxQueryStringLength="32768" maxUrlLength="65536"/>
    

    (Max length numbers are just examples.)