[Use Case]
Access Gateway is used for SAML Federation.
The user logs on at the IDP first, then initiates SAML Federation and receives an HTTP 500.
This happens only to certain users (those who belong to many groups).
In the Access Gateway's httpclient.log, the following error was observed:
Jun 10, 2021 01:23:45 PM org.apache.coyote.ajp.AjpProcessor process
SEVERE: Error processing request
java.lang.IllegalArgumentException: More than the maximum allowed number of cookies, [200], were detected.
at org.apache.tomcat.util.http.Cookies.addCookie(Cookies.java:132)
at org.apache.tomcat.util.http.Cookies.processCookieHeader(Cookies.java:507)
at org.apache.tomcat.util.http.Cookies.processCookies(Cookies.java:198)
at org.apache.tomcat.util.http.Cookies.getCookieCount(Cookies.java:119)
at org.apache.catalina.connector.CoyoteAdapter.parseSessionCookiesId(CoyoteAdapter.java:1098)
at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:803)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:440)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
But in the Fiddler log, there are only a few cookies.
[Environment]
Release : 12.8
Component : SITEMINDER -POLICY SERVER
[Cause]
There was an OnAuthAccept response setting a cookie (WebAgent-HTTP-Cookie-Variable) containing the user's group information taken from the "memberOf" attribute.
When SAML Federation is initiated, this cookie is submitted with the request; Tomcat reports the exception and fails to handle the request because it counted more than 200 cookies in the request.
By default, Tomcat accepts a maximum of 200 cookies per request.
The following configuration change was applied to httpd-ssl.conf in the Access Gateway to log the incoming cookies in the request.
From: #CustomLog "|bin/rotatelogs.exe -l D:/SPS_logs/ssl_request.log 10M" \
To: CustomLog "|bin/rotatelogs.exe -l D:/SPS_logs/ssl_request.log 10M" \
After restarting the Access Gateway and reproducing the issue, the following was captured in the ssl_request.log:
[22/Jun/2021:10:25:54 +1000] 192.168.0.7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /default.ico HTTP/1.1" 16694 (Cookie: ASPSESSIONIDSADTSTDS=####; ROUTEID=.1; SMSESSION=+9w4fNpVERJigsjKmrqJkenjV89wJH4wuCgYVs................................................................6FM5qlkcXSsgv2pAOWEaZOqh+T; GroupCookie=CN=G20,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G19,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G18,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G17,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G16,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G15,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G14,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G13,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G12,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G11,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G10,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G09,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G08,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G07,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G06,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G05,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G04,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G03,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,
OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G02,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G01,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=TEST-Admin-Group,OU=TEST-Admins,DC=Example,DC=Com^CN=TEST-Admins,CN=Managed Service Accounts,DC=Example,DC=Com) |
There were 246 commas in the GroupCookie value.
When there are special characters in a cookie name or value, they must be escaped or the value must be wrapped in double quotes.
But this cookie was set by a web server that did no escaping or wrapping.
As a result, Tomcat treated the commas as cookie separators and counted more than 200 cookies.
[Resolution]
1. Check the web server that is setting the cookie and see if it can wrap the value in double quotes.
2. Use the Access Gateway to set the response cookie (the Access Gateway wraps the value when it contains special characters; this also means the login will need to be processed by the Access Gateway).
3. Set an HTTP header response (WebAgent-HTTP-Header-Variable) instead of a cookie response (WebAgent-HTTP-Cookie-Variable).
Sample of a properly wrapped cookie generated by the Access Gateway.
Note the \" at the beginning and end of the GroupCookie value.
[22/Jun/2021:10:25:54 +1000] 192.168.0.7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /default.ico HTTP/1.1" 16694 (Cookie: ASPSESSIONIDSADTSTDS=####; ROUTEID=.1; SMSESSION=+9w4fNpVERJigsjKmrqJkenjV89wJH4wuCgYVs.................................................................AQEMebrgIbDMd9NnbmC2ZcGZwqjz6FM5qlkcXSsgv2pAOWEaZOqh+T; GroupCookie=\"CN=G20,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G19,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G18,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G17,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G16,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G15,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G14,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G13,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G12,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G11,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G10,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G09,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G08,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G07,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G06,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G05,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G04,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G03,OU=OU10,OU=OU9,OU=O
U8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G02,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=G01,OU=OU10,OU=OU9,OU=OU8,OU=OU7,OU=OU6,OU=OU5,OU=OU4,OU=OU3,OU=OU2,OU=OU1,DC=Example,DC=Com^CN=TEST-Admin-Group,OU=TEST-Admins,DC=Example,DC=Com^CN=TEST-Admins,CN=Managed Service Accounts,DC=Example,DC=Com\") |
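The following added example (not part of the original article or of any SiteMinder or Tomcat code) reproduces the miscount described in the Cause section and the effect of the wrapped value shown above. It rebuilds a GroupCookie value in the shape of the logged sample (constructed, with SMSESSION replaced by a placeholder) and splits the Cookie header the way an RFC 2109-style parser does, treating both ';' and ',' as separators unless they sit inside a double-quoted value.

```python
"""Constructed example: why an unquoted DN-list cookie is counted as hundreds of
cookies by a legacy cookie parser, and why wrapping it in double quotes fixes it."""

MAX_COOKIES = 200  # Tomcat's default limit, as quoted in the IllegalArgumentException


def build_group_cookie():
    """Rebuild a GroupCookie value shaped like the page's sample (constructed data):
    20 groups with 10 OUs each, plus the two admin groups, joined with '^'."""
    dn_tail = ",".join(f"OU=OU{i}" for i in range(10, 0, -1)) + ",DC=Example,DC=Com"
    groups = [f"CN=G{n:02d},{dn_tail}" for n in range(20, 0, -1)]
    groups.append("CN=TEST-Admin-Group,OU=TEST-Admins,DC=Example,DC=Com")
    groups.append("CN=TEST-Admins,CN=Managed Service Accounts,DC=Example,DC=Com")
    return "^".join(groups)


def split_cookies_legacy(header):
    """Split a Cookie header as an RFC 2109-style parser does: ';' and ',' both end a
    cookie, except inside a double-quoted value, where they are ordinary characters."""
    parts, buf, in_quotes = [], [], False
    for ch in header:
        if ch == '"':
            in_quotes = not in_quotes
        if ch in ";," and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def cookie_header(group_value, quoted):
    """Assemble the request's Cookie header; SMSESSION is a placeholder (constructed)."""
    value = f'"{group_value}"' if quoted else group_value
    return f"ASPSESSIONIDSADTSTDS=####; ROUTEID=.1; SMSESSION=<redacted>; GroupCookie={value}"


def check_header(header):
    """Return (cookie_count, over_limit) as the legacy parser would see the header."""
    n = len(split_cookies_legacy(header))
    return n, n > MAX_COOKIES


if __name__ == "__main__":
    gc = build_group_cookie()
    print("commas in GroupCookie:", gc.count(","))              # 246, matching the log
    print("unquoted:", check_header(cookie_header(gc, False)))  # (250, True) -> HTTP 500
    print("quoted:  ", check_header(cookie_header(gc, True)))   # (4, False)
```

The three session cookies plus 246 comma-separated fragments give 250 "cookies" for the unquoted header, which is what trips the 200 limit; the same value wrapped in double quotes (the Access Gateway form, logged with the quotes escaped as \") is counted as a single cookie.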