404.15 Error on login.fcc during SP-Initiated SAML 2.0 Flow in Web Agent on IIS



Article ID: 101617


Updated On:

Products

CA Single Sign-On (SiteMinder); CA Single Sign-On Agents (SiteMinder); CA Single Sign-On Federation (SiteMinder)

Issue/Introduction

When performing a Service Provider (SP) initiated SAML 2.0 login, the browser is redirected to the login.fcc page and receives a "404 - File or directory not found" error instead of the login form.

The login page displays correctly when the flow is started from an Identity Provider (IdP) initiated URL, which typically carries only a few short query parameters.

The SP-initiated URL fails because the agent's redirect to login.fcc carries the original request, including the long SAMLRequest (and usually RelayState) parameters, in its query string. The query string alone exceeds 2048 bytes, which is the IIS default limit.

Environment

Web Agent on IIS 7.5 and later

Cause

The issue is caused by a security restriction in Microsoft IIS known as Request Filtering. By default, IIS limits the length of a query string to 2048 bytes. During an SP-initiated flow, the SAML SAMLRequest or RelayState parameters can easily push the total query string length beyond this limit.

When this limit is exceeded, IIS rejects the request and returns an HTTP 404.15 error (The request filtering module is configured to deny a request where the query string is too long) (1).

Verify the specific error by checking the IIS substatus code: in the site's W3C log the request appears with sc-status 404 and sc-substatus 15, and the same substatus is shown on the detailed error page when detailed errors are enabled. A bare 404 is generic, but 404.15 explicitly confirms a query string length problem. A 404.14 (URL too long) would instead point at the companion maxUrl limit (default 4096 bytes), which applies to the URL path rather than the query string.

SiteMinder FCC limitations:

While IIS is the primary bottleneck here, confirm that the Web Agent's MaxUrlSize parameter in the Agent Configuration Object (ACO) is also large enough for the redirect, since the agent enforces its own limit on the URLs it handles.
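The following is an added example (not SiteMinder or Microsoft code) that makes the Cause section concrete: it encodes an AuthnRequest the way an SP does for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding), models the agent's redirect to login.fcc that carries the original URL in the TARGET parameter, measures the resulting query string against the IIS defaults, and pulls 404.15 entries out of W3C-format IIS log lines. All entity IDs, URLs, the TARGET encoding and the log excerpt are constructed for the example; the agent's exact TARGET encoding is an assumption, and the signature is a same-size placeholder, not a real one.

```python
"""Added example: measure an SP-initiated SAML 2.0 redirect against IIS request-filtering limits
and find 404.15 entries in IIS logs. Entity IDs, URLs and log lines are constructed."""
import base64
import zlib
from typing import Optional
from urllib.parse import urlencode, urlsplit

IIS_DEFAULT_MAX_QUERY_STRING = 2048  # requestLimits maxQueryString default (bytes) -> 404.15
IIS_DEFAULT_MAX_URL = 4096           # requestLimits maxUrl default (bytes)         -> 404.14


def deflate_base64(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")


def inflate_base64(encoded: str) -> str:
    """Inverse of deflate_base64, i.e. what the IdP does with the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def build_authn_request(sp_entity_id: str, acs_url: str, idp_sso_url: str, request_id: str) -> str:
    """Minimal AuthnRequest; long Issuer/ACS values and extra elements are what inflate real ones."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def redirect_binding_url(idp_sso_url: str, authn_request_xml: str,
                         relay_state: Optional[str] = None, signed: bool = False) -> str:
    """Assemble the SP's redirect: SAMLRequest, optional RelayState, SigAlg/Signature when signed."""
    params = {"SAMLRequest": deflate_base64(authn_request_xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    if signed:
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        # Placeholder the size of a base64 RSA-2048 signature (256 bytes -> 344 chars); not a real signature.
        params["Signature"] = base64.b64encode(bytes(256)).decode("ascii")
    return f"{idp_sso_url}?{urlencode(params)}"


def login_fcc_redirect(fcc_url: str, protected_url: str) -> str:
    """Model of the agent's redirect to the FCC: the original URL travels in TARGET, so the
    SAMLRequest query is percent-encoded a second time and grows further (encoding assumed)."""
    return f"{fcc_url}?{urlencode({'TARGET': '-SM-' + protected_url})}"


def query_string_bytes(url: str) -> int:
    return len(urlsplit(url).query.encode("utf-8"))


def request_filtering_substatus(url: str, max_query_string: int = IIS_DEFAULT_MAX_QUERY_STRING,
                                max_url: int = IIS_DEFAULT_MAX_URL) -> Optional[int]:
    """404 substatus IIS request filtering would log for this URL, or None if both limits pass.
    maxQueryString is measured on the query string and maxUrl on the path; the check order
    here is this function's, not necessarily IIS's."""
    if query_string_bytes(url) > max_query_string:
        return 15
    if len(urlsplit(url).path.encode("utf-8")) > max_url:
        return 14
    return None


def suggested_max_query_string(observed_bytes: int) -> int:
    """Our heuristic, not Microsoft's: next multiple of 1024 with 25% headroom, never below the default."""
    needed = int(observed_bytes * 1.25)
    return max(IIS_DEFAULT_MAX_QUERY_STRING, -(-needed // 1024) * 1024)


def find_query_too_long(iis_log_lines):
    """Return (time, cs-uri-stem) for every 404.15 entry in W3C-format IIS log lines."""
    fields, hits = None, []
    for line in iis_log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") == "404" and row.get("sc-substatus") == "15":
            hits.append((row["time"], row["cs-uri-stem"]))
    return hits


# Constructed log excerpt: an IdP-initiated hit that succeeds, then an SP-initiated one that trips the limit.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:00 10.0.0.5 GET /siteminderagent/forms/login.fcc TARGET=-SM-https%3a%2f%2fidp.example.com%2fapp 443 - 10.0.0.9 Mozilla/5.0 200 0 0 15
2024-01-01 10:00:05 10.0.0.5 GET /siteminderagent/forms/login.fcc TARGET=-SM-https%3a%2f%2fidp.example.com%2faffwebservices%2fpublic%2fsaml2sso%3fSAMLRequest%3dfZJNb 443 - 10.0.0.9 Mozilla/5.0 404 15 0 3"""

if __name__ == "__main__":
    idp_sso = "https://idp.example.com/affwebservices/public/saml2sso"
    xml = build_authn_request("https://sp.example.com/affwebservices/public/saml2sp",
                              "https://sp.example.com/affwebservices/public/saml2assertionconsumer", idp_sso, "_abc123")
    sp_url = redirect_binding_url(idp_sso, xml, relay_state="https://sp.example.com/portal/" + "x" * 1900, signed=True)
    fcc_url = login_fcc_redirect("https://idp.example.com/siteminderagent/forms/login.fcc", sp_url)
    for name, u in (("SSO URL", sp_url), ("login.fcc redirect", fcc_url)):
        print(name, query_string_bytes(u), "bytes ->", request_filtering_substatus(u),
              "suggest maxQueryString", suggested_max_query_string(query_string_bytes(u)))
    print(find_query_too_long(SAMPLE_IIS_LOG.splitlines()))
```

Running it prints the query-string size of both URLs, the substatus IIS would log with the default limits (15 for both in this case), a suggested maxQueryString with headroom, and the one 404.15 log entry. The point to take from it is that the redirect to login.fcc is always longer than the SSO URL it wraps, so measure the login.fcc request, not the SP's redirect, when sizing the limit.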

Resolution

To resolve this, increase the maxQueryString limit in the IIS configuration so that it accommodates the length of the SAML requests. Request Filtering is a hardening control, so raise the limit only as far as the measured requests need (4096 bytes is usually enough) and only on the site or application hosting the agent, rather than setting a very large value server-wide.

Method 1: Editing web.config (Recommended)

  1. Locate the web.config file for the website hosting your SiteMinder Web Agent or Access Gateway.
  2. Add or modify the <requestFiltering> section within <system.webServer> as shown below (2)(3):

    <configuration>
       <system.webServer>
          <security>
             <requestFiltering>
                <requestLimits maxQueryString="4096" />
             </requestFiltering>
          </security>
       </system.webServer>
    </configuration>

Method 2: IIS Manager UI

  1. Open IIS Manager and select the site or application.
  2. In the center pane, double-click Request Filtering.
  3. Click Edit Feature Settings... in the right-hand Actions pane.
  4. Update the Maximum query string (Bytes) field to a higher value (e.g., 4096).
  5. Click OK. IIS writes the setting to the site's web.config and applies it without a restart.

Additional Information

  1. Troubleshooting IIS Status and Substatus Codes

  2. Microsoft Docs: IIS Request Limits <requestLimits>

  3. How to configure the web.config to allow requests of any length