Issue with large HTTP headers for ECP authentication
Daudt, Carl
crdaudt at taylor.edu
Mon Dec 10 11:41:03 EST 2018
We recently configured our Shibboleth v3.3.3 instance to authenticate our users to access Microsoft Office 365 services. However, we are having issues with large HTTP header sizes when using Shibboleth ECP. The issue is related to request and response headers that exceed our maxHttpHeaderSize setting in our Tomcat server.xml file. Initially, we got around the issue by increasing the maxHttpHeaderSize above the default value (8K?). However, even after increasing the setting to 64K, we still have users who are unable to authenticate to Office 365 due to the issue. We are reluctant to increase the value any further without a better understanding of what is causing our header to be so large in some cases.
We did some investigating using the Simple SOAP ECP Test script published at https://github.com/unikent-ms1/simple-soap-ecp-test. I added the "-D headerdump.txt" parameter to the curl command in order to output the headers. For one test user account that we have, I found that the size of the shib_idp_session_ss cookie was large enough that the headerdump.txt file was more than 8 KB. I suspect (but do not know) that the same cookie might be even larger for our users for whom a maxHttpHeaderSize of 64 KB is insufficient. The cookie itself is encrypted, I believe using the Datasealer AES key. I see that shib_idp_session_ss is the default cookie name for idp.storage.clientPersistentStorageName described in https://wiki.shibboleth.net/confluence/display/IDP30/StorageConfiguration. I also see that there is an article that appears to be related to our issue at http://www.activedir.org/thread/adfs-request-url-too-long-error/ . However, I am not sure how to proceed with investigating our issue, whether to keep increasing our maxHttpHeaderSize or do something else. Why is the information returned in the response even necessary for ECP communications with Office 365 services?
Any ideas on how to proceed?
Carl Daudt, Taylor University
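As an added example, not part of the original post or of the Shibboleth project, the script below does the measurement the post describes by hand: it parses a header dump written by `curl -D headerdump.txt`, reports the wire size of each response block, and singles out the largest Set-Cookie value, since a cookie set in the response is echoed back in the Cookie header of later requests and therefore counts against the request-side limit too. The 8192-byte default matches Tomcat's documented default for maxHttpHeaderSize; the embedded dump and its 9000-byte shib_idp_session_ss value are constructed placeholders, not real session data.

```python
"""Measure header and cookie sizes in a `curl -D` header dump.

Added example, not code from the original post or the Shibboleth IdP.
It assumes a dump with one or more HTTP response blocks separated by a
blank line, as curl -D writes them (one block per redirect/exchange).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample dump. The cookie value is a 9000-byte placeholder;
# a real shib_idp_session_ss value is an encrypted, base64-like blob.
SAMPLE_DUMP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/xml;charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/idp; Secure; HttpOnly\r\n"
    "Set-Cookie: shib_idp_session_ss=" + "A" * 9000
    + "; Path=/idp; Secure; HttpOnly\r\n"
    "Content-Length: 4210\r\n"
    "\r\n"
)

TOMCAT_DEFAULT_MAX_HEADER = 8192  # Tomcat's default maxHttpHeaderSize (bytes)


def parse_header_blocks(dump: str) -> List[List[Tuple[str, str]]]:
    """Split a curl -D dump into response blocks of (name, value) pairs."""
    blocks = []
    for raw in re.split(r"\r?\n\r?\n", dump.strip()):
        lines = raw.splitlines()
        if not lines or not lines[0].startswith("HTTP/"):
            continue  # skip anything that is not a status line + headers
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
        blocks.append(headers)
    return blocks


def header_sizes(headers: List[Tuple[str, str]]) -> Dict[str, int]:
    """Bytes each header name contributes on the wire ("Name: value\\r\\n").

    Repeated headers (e.g. several Set-Cookie lines) are summed per name.
    """
    sizes: Dict[str, int] = {}
    for name, value in headers:
        sizes[name] = sizes.get(name, 0) + len(f"{name}: {value}\r\n".encode())
    return sizes


def cookie_sizes(headers: List[Tuple[str, str]]) -> Dict[str, int]:
    """Byte length of every cookie value found in Set-Cookie headers."""
    out: Dict[str, int] = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split(";", 1)[0]       # drop Path/Secure/HttpOnly attrs
        cname, _, cval = cookie.partition("=")
        out[cname.strip()] = len(cval.encode())
    return out


def report(dump: str, max_header_bytes: int = TOMCAT_DEFAULT_MAX_HEADER) -> List[dict]:
    """One summary dict per response block, flagging blocks over the limit."""
    results = []
    for block in parse_header_blocks(dump):
        total = sum(header_sizes(block).values())
        cookies = cookie_sizes(block)
        largest_name, largest_len = max(
            cookies.items(), key=lambda kv: kv[1], default=(None, 0)
        )
        results.append({
            "total_header_bytes": total,
            "over_limit": total > max_header_bytes,
            "largest_cookie": largest_name,
            "largest_cookie_bytes": largest_len,
        })
    return results


if __name__ == "__main__":
    import sys
    # Usage: python header_sizes.py headerdump.txt [maxHttpHeaderSize]
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_DUMP
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else TOMCAT_DEFAULT_MAX_HEADER
    for i, r in enumerate(report(text, limit), 1):
        flag = "OVER" if r["over_limit"] else "ok"
        print(f"block {i}: {r['total_header_bytes']} header bytes [{flag}] "
              f"largest cookie {r['largest_cookie']} = {r['largest_cookie_bytes']} B")
```

Run it against the headerdump.txt from the ECP test script to see which block, and which cookie, is pushing the total past the configured limit before deciding whether raising maxHttpHeaderSize again is the right fix or whether the session cookie contents need looking at.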