Windows and macOS users accessing web sites via Cloud SWG using WSS Agents.
Cloud SWG uses SAML to authenticate WSS Agent users, where the SAML IDP server is a third-party, on-premises IDP server that can be accessed both internally and externally.
For external access, users reach a reverse proxy / Web Application Firewall in the DMZ, which proxies the traffic to the internal SAML IDP servers.
Some macOS users report seeing a "Bad Request" error stating "Your browser sent a request that this server could not understand. Size of a request header field exceeds server limits", as shown below:
The error remains even after the user clicks the "Reload" button or does a "Reconnect" of the WSS Agent. The only way to resolve the problem is to reboot the macOS device.
Kerberos authentication is enabled to the SAML IDP server. The Kerberos token, carried in the Authorization HTTP header, can include group membership information and can therefore be large. HAR files captured in the failing case confirm that this is the case.
SAML IDP server configuration does not restrict HTTP header sizes.
WSS Agents on macOS.
SAML Authentication.
The Reverse Proxy/WAF fronting the SAML IDP server restricts the inbound maximum HTTP header size.
Increase the HTTP max header size on the Reverse Proxy/WAF from 8kB to 32kB.
In this case the RP/WAF are DenyAll devices.
NOTE: It is also common for Tomcat based IDP servers to restrict HTTP header sizes to 8k by default (maxHttpHeaderSize at https://tomcat.apache.org/tomcat-8.0-doc/config/http.html). If you have Kerberos based authentication to the IDP server, and your Kerberos token includes a lot of group information, it is recommended to increase this maxHttpHeaderSize parameter value to 32k.
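To confirm this cause from a HAR capture before changing any limit, the following added script (not part of the original article or any Broadcom tool) measures the on-the-wire size of each request's header block and flags requests whose Authorization header pushes it past an 8 kB limit. The HAR content embedded below is constructed for illustration; the function names are this example's own.

```python
import json

DEFAULT_LIMIT = 8 * 1024  # 8 kB: the RP/WAF and Tomcat maxHttpHeaderSize default

def header_block_size(req):
    """Approximate on-the-wire size of a HAR request's header block:
    request line + each 'Name: value' line (CRLF-terminated) + the blank line."""
    size = len(f"{req['method']} {req['url']} {req.get('httpVersion', 'HTTP/1.1')}\r\n".encode())
    for h in req["headers"]:
        size += len(f"{h['name']}: {h['value']}\r\n".encode())
    return size + 2  # terminating CRLF

def oversized_requests(har, limit=DEFAULT_LIMIT):
    """Return the requests whose header block exceeds `limit`, with the size of
    the Authorization header (e.g. a Kerberos 'Negotiate' token) broken out."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        auth = next((h["value"] for h in req["headers"]
                     if h["name"].lower() == "authorization"), "")
        size = header_block_size(req)
        if size > limit:
            findings.append({
                "url": req["url"],
                "header_bytes": size,
                "authorization_bytes": len(auth.encode()),
                "scheme": auth.split(" ", 1)[0] if auth else None,
            })
    return findings

# Constructed HAR: one request with a ~9 kB Negotiate token, one without.
SAMPLE_HAR = json.loads(json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://idp.example.com/saml/login",
                 "httpVersion": "HTTP/1.1",
                 "headers": [{"name": "Host", "value": "idp.example.com"},
                             {"name": "Authorization", "value": "Negotiate " + "A" * 9000}]}},
    {"request": {"method": "GET", "url": "https://idp.example.com/saml/login",
                 "httpVersion": "HTTP/1.1",
                 "headers": [{"name": "Host", "value": "idp.example.com"}]}},
]}}))

if __name__ == "__main__":
    for f in oversized_requests(SAMPLE_HAR):
        print(f"{f['url']}: {f['header_bytes']} header bytes "
              f"({f['scheme']} token {f['authorization_bytes']} bytes) exceeds {DEFAULT_LIMIT}")
```

Point it at a real capture with `oversized_requests(json.load(open("capture.har")))`; a request flagged at 8 kB but clear at `limit=32 * 1024` matches the raise-to-32 kB fix above.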