SSO Troubleshooting: Maximum Querystring Length Error
Learn how to resolve errors caused by long SAML requests during SP‑initiated SSO
What This Error Means
This issue can appear in different ways depending on how your identity provider and infrastructure are configured. In some cases, you may not see a clear error message at all.
Common symptoms include:
- IdP‑initiated SSO works, but SP‑initiated SSO fails
- A 404 Page Not Found error appears, even though the URL is correct
- A 400 Bad Request error is returned during SP‑initiated SSO
Why This Happens
Some systems enforce a maximum length for request query strings. In many environments—especially Microsoft‑based systems—the default limit is 2,048 characters.
During SP‑initiated SSO, Foundry sends a SAML authentication request (AuthnRequest) to your identity provider using a query string parameter. This request is:
- Encoded
- Digitally signed
- Appended to the URL
Because Foundry signs the AuthnRequest, the query string often exceeds 3,000–4,000 characters. The signature adds extra XML, including Foundry’s X.509 certificate and related signature data.
If your system cannot accept a query string of this length, it may reject the request and return a misleading error such as a 404 or 400.
Why IdP‑Initiated SSO Still Works
In IdP‑initiated SSO, the authentication request starts from your identity provider. Foundry does not send a large signed request in the URL, so query string length limits are not triggered.
How to Resolve the Issue
To resolve this issue, increase the maximum allowed query string length in your system configuration.
If your environment is running Microsoft .NET, you may need to update settings in your web.config file.
Helpful resources include:
- “The length of the query string for this request exceeds the configured maxQueryStringLength value”
  This resource includes examples for updating both the httpRuntime and requestFiltering settings.
- “ASP.NET MVC, URL Routing: Maximum Path (URL) Length”
  This explains how ASP.NET handles long URLs and how to configure maxUrlLength and maxQueryStringLength.
If you are using PortalGuard, refer to their documentation on resolving 404 errors caused by query string length limits during SSO.
Important Configuration Notes
When making changes:
- Update both the system.web and system.webServer sections of your configuration file
- Restart IIS after saving changes
- Test SP‑initiated SSO again to confirm the issue is resolved
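A quick way to confirm that both sections were updated is to read the effective query string limits out of web.config. The script below is an added example, not Foundry or Microsoft code; the sample web.config is constructed, the function names are hypothetical, and it assumes the limits are set in this one file rather than inherited from a parent configuration.

```python
import xml.etree.ElementTree as ET

# Default applied by ASP.NET and IIS request filtering when the attribute is absent.
DEFAULT_LIMIT = 2048

# Constructed sample: system.web was raised, system.webServer was forgotten.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime maxQueryStringLength="8192" maxUrlLength="8192" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering />
    </security>
  </system.webServer>
</configuration>"""

# (section label, element path, attribute holding the query string limit)
CHECKS = [
    ("system.web/httpRuntime", "system.web/httpRuntime", "maxQueryStringLength"),
    ("system.webServer/requestLimits",
     "system.webServer/security/requestFiltering/requestLimits", "maxQueryString"),
]

def query_string_limits(config_xml):
    """Return {section: effective limit}, using the default when unset."""
    root = ET.fromstring(config_xml)
    limits = {}
    for label, path, attr in CHECKS:
        node = root.find(path)
        value = node.get(attr) if node is not None else None
        limits[label] = int(value) if value is not None else DEFAULT_LIMIT
    return limits

def blocking_sections(config_xml, required_length):
    """Sections whose limit is below the query string length to be accepted."""
    return [section for section, limit in query_string_limits(config_xml).items()
            if limit < required_length]

if __name__ == "__main__":
    # 4000 matches the 3,000-4,000 character range given for signed AuthnRequests.
    for section in blocking_sections(SAMPLE_WEB_CONFIG, 4000):
        print(f"{section}: limit is below 4000, requests that long are rejected")
```

With the constructed sample, only the system.webServer section is reported, which is the state that keeps SP-initiated SSO failing after a partial fix.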