You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2022/07/01 17:02:54 UTC

[GitHub] [cloudstack] tampler opened a new issue, #6520: SAML: request header fields are too large against a commercial IdP

tampler opened a new issue, #6520:
URL: https://github.com/apache/cloudstack/issues/6520

   <!--
   Verify first that your issue/request is not already reported on GitHub.
   Also test if the latest release and main branch are affected too.
   Always add information AFTER of these HTML comments, but no need to delete the comments.
   -->
   
   ##### ISSUE TYPE
   <!-- Pick one below and delete the rest -->
    * Bug Report
   
   ##### COMPONENT NAME
   <!--
   Categorize the issue, e.g. API, VR, VPN, UI, etc.
   -->
   ~~~
   Core, API, UI
   ~~~
   
   ##### CLOUDSTACK VERSION
   <!--
   New line separated list of affected versions, commit ID for issues on main branch.
   -->
   
   ~~~
   4.16.1
   ~~~
   
   ##### CONFIGURATION
   <!--
   Information about the configuration if relevant, e.g. basic network, advanced networking, etc.  N/A otherwise
   -->
   
   
   ##### OS / ENVIRONMENT
   <!--
   Information about the environment if relevant, N/A otherwise
   -->
   Ubuntu 21.10
   KVM
   
   ##### SUMMARY
   <!-- Explain the problem/feature briefly -->
   May be related to #6427
   
   When I try to authenticate against a commercial `SAML IdP`, I'm getting the following error in my browser console:
   `Status Code: 431 Request Header Fields Too Large`.
   
   This error occurs when IdP redirects back to ACS with the following link (trimmed): `http://localhost:8080/client/api?command=samlSso?SAMLResponse=PHNhbWxwOlJlc3BvbnNlIH......`
   
   NOTE:
   I created a little SAML2.0 client in GO and was able to successfully authenticate with my provider and my credentials
   
   SAML responses
   Working `demo`  - [here](https://gist.github.com/tampler/64a216f7bac52f8ec5de754d7a2835b4)
   Failing `CloudStack` - [here](https://gist.github.com/tampler/35ace1d02f91796cd8b60e82076953b2)
   
   ##### STEPS TO REPRODUCE
   <!--
   For bugs, show exactly how to reproduce the problem, using a minimal test-case. Use Screenshots if accurate.
   
   For new features, show how the feature would be used.
   -->
   
   <!-- Paste example playbooks or commands between quotes below -->
   ~~~
   1. Enable SAML in global config
   2. Change SAML IdP metadata to the proper IdP link. Validate the IdP metadata link before using
   3. Leave ALL other SAML related parameters default
   4. Reboot mgmt server
   5. Open mgmt login page and select `Single Sign-On`
   6. Pick your IdP
   7. Authenticate with your IdP with login and pass
   8. Right after authn I'm getting redirected to the ACS page, which fails with the error specified
   ~~~
   
   <!-- You can also paste gist.github.com links for larger files -->
   
   ##### EXPECTED RESULTS
   <!-- What did you expect to happen when running the steps above? -->
   
   ~~~
   SAML SSO allows to authenticate 
   ~~~
   
   ##### ACTUAL RESULTS
   <!-- What actually happened? -->
   
   <!-- Paste verbatim command output between quotes below -->
   ~~~
   SAML SSO returns an error code 431
   ~~~
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] tampler commented on issue #6520: SAML: request header fields are too large against a commercial IdP

Posted by GitBox <gi...@apache.org>.

tampler commented on issue #6520:
URL: https://github.com/apache/cloudstack/issues/6520#issuecomment-1172551642

   I'll try this again after upgrading ACS to the latest 4.17


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] rohityadavcloud closed issue #6520: SAML: request header fields are too large against a commercial IdP

Posted by "rohityadavcloud (via GitHub)" <gi...@apache.org>.

rohityadavcloud closed issue #6520: SAML: request header fields are too large against a commercial IdP
URL: https://github.com/apache/cloudstack/issues/6520


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] rohityadavcloud commented on issue #6520: SAML: request header fields are too large against a commercial IdP

Posted by "rohityadavcloud (via GitHub)" <gi...@apache.org>.

rohityadavcloud commented on issue #6520:
URL: https://github.com/apache/cloudstack/issues/6520#issuecomment-1537897016

   I couldn't reproduce this recently with keycloak, shibboleth or azure AD. Pl reopen if you are still hitting this, thanks @tampler 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] kohrar commented on issue #6520: SAML: request header fields are too large against a commercial IdP

Posted by GitBox <gi...@apache.org>.

kohrar commented on issue #6520:
URL: https://github.com/apache/cloudstack/issues/6520#issuecomment-1192812005

   Can you check what headers your browser's sending by looking at the request it's making? Is there a specific size that it begins to fail at?
   
   I've had similar issues with SSO with another application which was caused by the following two things. 
   1. The application was setting many large cookies. Does your browser just have a lot of cookie data that it's sending for each request?
   2. The reverse proxy the application was behind couldn't handle large headers. Are you running CloudStack behind something?
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org