<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0">Thanks, Nate</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">I haven't tried increasing the setting yet. It's a non-trivial exercise since I'll need to work out how to code it into the environment-specific section of our Shibboleth repository. But I'll do it if necessary.</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">I'll investigate some more based on your request line advice.</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">Thanks again,</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size: 12pt; color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols;">
<p><span id="ms-rterangepaste-start"></span></p>
<div style="color:rgb(34,34,34); font-family:arial,sans-serif; font-size:12.8px">
<div class="m_-2014218279048943552gmail_signature">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div style="font-size:12.8px"><span style="font-size:12.8px">--</span></div>
<div style="font-size:12.8px"><span style="font-size:12.8px">Kylie Lunghusen</span><br>
</div>
<div><font size="1" face="arial, helvetica, sans-serif">Technical Tools Administrator, University Operations</font></div>
<div><font size="1" face="arial, helvetica, sans-serif">Information Technology Services, RMIT University</font></div>
<div><font size="1" face="arial, helvetica, sans-serif"><br>
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<span id="ms-rterangepaste-end"></span><br>
<p></p>
</div>
</div>
<br>
<br>
<div style="color: rgb(0, 0, 0);">
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> users <users-bounces@shibboleth.net> on behalf of Nate Klingenstein <ndk@sudonym.me><br>
<b>Sent:</b> Friday, 7 September 2018 2:46 PM<br>
<b>To:</b> Shib Users<br>
<b>Subject:</b> Re: Bad Message 431 in a single SP environment</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div dir="ltr">
<div>Kylie,</div>
<div><br>
</div>
<div>That's a new one for me.  These are just some observations.<br>
</div>
<div><br>
</div>
<div>First, I think that's the right setting to be examining.  Have you tried simply increasing the maximum header size setting in Jetty in your test environment as a sanity check?<br>
</div>
<div><br>
</div>
<div>I would suppose that the reason it works on the first login but not subsequent logins is that the second cycle has an SSO session and other cookies set by the IdP, Jetty, or whatever else is involved in the first round-trip.</div>
<div><br>
</div>
<div>Second, according to the second answer at:<br>
</div>
<div><br>
</div>
<div><a href="https://stackoverflow.com/questions/686217/maximum-on-http-header-values">https://stackoverflow.com/questions/686217/maximum-on-http-header-values</a></div>
<div><br>
</div>
<div>the limit applies to the sum of the headers *and* the request line for most web servers, and as HTTP-Redirect bound SAML AuthnRequests can be of decent size, that 500 byte overhead is not that significant.  An example AuthnRequest from SAMLtest:</div>
<div><span></span>
<p style="margin-bottom:0in; line-height:100%"><a href="https://samltest.id/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZFfa4MwFMW%2FiuS9jdrWaqiCax9W6Fapbg97GVGvM6CJy4378%2B2ntYMORt8COed3OOdukLdNx%2BLe1PIE7z2gsb7aRiI7f4Sk15IpjgKZ5C0gMwVL44cDc%2Bc267QyqlANsWJE0EYouVUS%2BxZ0CvpDFPB0OoSkNqZDRulINEPAXJQ0rUWeqwZMPUdUdES6NDmmGbF2g0RIPtL%2B94qyo0N0JRq4GE9QCg2FoWl6JNZ%2BF5JX382XXrXIK8%2BrgFee7zi%2BGwSrvFytS75yBxliD3uJhksTEtd2%2FJkdzOx1Zi%2FZImAL94VYyaXhnZClkG%2B358gnEbL7LEtmU5ln0HguMghItBlrsHOwvpr5Npb%2Fbkui%2F9YY3xS7Db1iT0Edexxg%2B12iGlF8W3HTqM%2BtBm4gJA6h0WT5e%2FzoBw%3D%3D&RelayState=ss%3Amem%3A0002e12f35f8cedebf8403e8ac65e9c79522daf1d66940bc73088ba7c8296f65">https://samltest.id/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZFfa4MwFMW%2FiuS9jdrWaqiCax9W6Fapbg97GVGvM6CJy4378%2B2ntYMORt8COed3OOdukLdNx%2BLe1PIE7z2gsb7aRiI7f4Sk15IpjgKZ5C0gMwVL44cDc%2Bc267QyqlANsWJE0EYouVUS%2BxZ0CvpDFPB0OoSkNqZDRulINEPAXJQ0rUWeqwZMPUdUdES6NDmmGbF2g0RIPtL%2B94qyo0N0JRq4GE9QCg2FoWl6JNZ%2BF5JX382XXrXIK8%2BrgFee7zi%2BGwSrvFytS75yBxliD3uJhksTEtd2%2FJkdzOx1Zi%2FZImAL94VYyaXhnZClkG%2B358gnEbL7LEtmU5ln0HguMghItBlrsHOwvpr5Npb%2Fbkui%2F9YY3xS7Db1iT0Edexxg%2B12iGlF8W3HTqM%2BtBm4gJA6h0WT5e%2FzoBw%3D%3D&RelayState=ss%3Amem%3A0002e12f35f8cedebf8403e8ac65e9c79522daf1d66940bc73088ba7c8296f65</a></p>
</div>
<div><br>
</div>
<div>is 604 bytes.  That would be just about right given the 150 byte discrepancy between test and prod and 500 byte headroom.</div>
<div><br>
</div>
<div>That's where I'd start, but I haven't encountered this issue myself before, nor do I recall it coming up on the list before.</div>
<div><br>
</div>
<div>I hope this isn't too wrong,<br>
</div>
<div>Nate.<br>
<br>
</div>
<div><br>
</div>
</div>
</div>
<div class="x_gmail_extra"><br>
<div class="x_gmail_quote">On Fri, Sep 7, 2018 at 2:32 AM, Kylie Lunghusen <span dir="ltr">
<<a href="mailto:kylie.lunghusen@rmit.edu.au" target="_blank">kylie.lunghusen@rmit.edu.au</a>></span> wrote:<br>
<blockquote class="x_gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr">
<div id="x_m_1847839622267762202divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Helvetica,sans-serif">
<p style="margin-top:0; margin-bottom:0"></p>
<div>Hi folks,</div>
<div><br>
</div>
<div>We've got a problem in which the Test and Production versions of a particular SP behave differently.</div>
<div><br>
</div>
<div>Background:</div>
<div>SP [ORG]-test.[APP].com.au uses our Test IdP</div>
<div>SP [ORG].[APP].com.au uses our Production IdP</div>
<div>(Both IdPs defer to CAS/AD for authentication.)</div>
<div><br>
</div>
<div>Problem:</div>
<div>Production SP works fine.</div>
<div>On first login to the Test SP, it works. On subsequent logins, it gives the error:</div>
<div>"Bad Message 431</div>
<div>reason: Request Header Fields Too Large"</div>
<div>This behaviour is consistent, and applies across browsers and operating systems.</div>
<div><br>
</div>
<div>Investigations so far:</div>
<div>* I'm told the SPs are configured more or less identically.</div>
<div>* requestHeaderSize in jetty.xml is set to 8192 on all of our IdP environments.</div>
<div>* In second-access request headers captured via Dev Tools, the Test headers are usually slightly longer than the Prod ones, but still well below 8192 (eg. Test 7627, Prod 7458).</div>
<div><br>
</div>
<div>Only things I can think of are:</div>
<div>* requestHeaderSize is not the only setting (or is the wrong setting) to be checking?</div>
<div>* There are wrappers that make the thing bigger than it looks (like the way an email in transit is bigger than in the inbox)?</div>
<div>* Bytes != characters (I know some characters use two bytes, dunno if that includes any of these ones) so the Test headers really are over 8192?</div>
<div>(Apologies if stupid questions, am learning on the job with no mentor.)</div>
<div><br>
</div>
<div>I've failed to answer these questions via Googling, so it's time to ask the folks who know a lot more than I do.</div>
<div><br>
</div>
<div>Any ideas on what/where I should be checking?</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>K</div>
<br>
<p></p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<div id="x_m_1847839622267762202Signature">
<div id="x_m_1847839622267762202divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,EmojiFont,'Apple Color Emoji','Segoe UI Emoji',NotoColorEmoji,'Segoe UI Symbol','Android Emoji',EmojiSymbols">
<p></p>
<div style="color:rgb(34,34,34); font-family:arial,sans-serif; font-size:12.8px">
<div class="x_m_1847839622267762202m_-2014218279048943552gmail_signature">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div style="font-size:12.8px"><span style="font-size:12.8px">--</span></div>
<div style="font-size:12.8px"><span style="font-size:12.8px">Kylie Lunghusen</span><br>
</div>
<div><font size="1" face="arial, helvetica, sans-serif">Technical Tools Administrator, University Operations</font></div>
<div><font size="1" face="arial, helvetica, sans-serif">Information Technology Services, RMIT University</font></div>
<div><font size="1" face="arial, helvetica, sans-serif"><br>
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<p></p>
</div>
</div>
</div>
</div>
<br>
-- <br>
For Consortium Member technical support, see <a href="https://wiki.shibboleth.net/confluence/x/coFAAg" rel="noreferrer" target="_blank">https://wiki.shibboleth.net/confluence/x/coFAAg</a><br>
To unsubscribe from this list send an email to <a href="mailto:users-unsubscribe@shibboleth.net">users-unsubscribe@shibboleth.net</a><br>
</blockquote>
</div>
<br>
</div>
</div>
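<div>
<p>Added example (not code from either poster, nor from Shibboleth or Jetty): the size arithmetic described above, counting the request line, whose query string carries the HTTP-Redirect SAMLRequest, together with the header block, in UTF-8 bytes rather than characters. The host name, header values and the padded SAMLRequest are constructed placeholders; the 8192 limit and the 604, 7627 and 7458 figures are the ones quoted in the thread.</p>
</div>

```python
# Added example, not code from the thread, Shibboleth or Jetty: estimate what
# Jetty counts against requestHeaderSize. Browser DevTools reports only the
# header block; Jetty's limit covers the request line (query string included)
# plus every header line, measured in UTF-8 bytes rather than characters.
from urllib.parse import urlencode

REQUEST_HEADER_SIZE = 8192  # the jetty.xml value quoted in the thread


def request_line_bytes(method, path, query_params, version="HTTP/1.1"):
    """Bytes of 'METHOD target VERSION\\r\\n', query string included."""
    target = path + ("?" + urlencode(query_params) if query_params else "")
    return len(f"{method} {target} {version}\r\n".encode("utf-8"))


def header_block_bytes(headers):
    """Bytes of every 'Name: value\\r\\n' line plus the terminating CRLF."""
    lines = sum(len(f"{k}: {v}\r\n".encode("utf-8")) for k, v in headers.items())
    return lines + 2


def fits_in_limit(method, path, query_params, headers, limit=REQUEST_HEADER_SIZE):
    """Return (total_bytes, ok); ok is False where Jetty would answer 431."""
    total = request_line_bytes(method, path, query_params) + header_block_bytes(headers)
    return total, total <= limit


def padded_saml_query(target_line_bytes, path="/idp/profile/SAML2/Redirect/SSO"):
    """Constructed stand-in for a redirect-bound AuthnRequest, padded so the
    whole request line measures target_line_bytes (no real SAML inside)."""
    params = {"SAMLRequest": "", "RelayState": "ss:mem:constructed"}
    fixed = request_line_bytes("GET", path, params)
    params["SAMLRequest"] = "A" * (target_line_bytes - fixed)
    return path, params


def sample_headers(devtools_size):
    """Constructed header set whose Cookie is padded so the header block
    measures devtools_size bytes, like the figures captured in the thread."""
    base = {"Host": "sp-test.example.com", "User-Agent": "Mozilla/5.0 (constructed)",
            "Accept": "text/html", "Cookie": ""}
    base["Cookie"] = "x" * (devtools_size - header_block_bytes(base))
    return base


def thread_scenario():
    """The thread's arithmetic: a 604-byte AuthnRequest request line on top of
    DevTools header sizes of 7627 (Test) and 7458 (Prod) bytes."""
    path, params = padded_saml_query(604)
    return {env: fits_in_limit("GET", path, params, sample_headers(size))
            for env, size in (("test", 7627), ("prod", 7458))}
```

Only the Test environment crosses 8192 once the request line is counted, which is the 150-byte gap the thread observes; the header sizes DevTools shows never include that line.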
</div>
</div>
</body>
</html>