content length too large error when sending and receiving SAML requests in Identity Cloud or AM (All versions)
The purpose of this article is to provide assistance if you encounter a "content length too large" error when sending and receiving SAML requests in Identity Cloud or AM. You may also see an "HTTP Status 400 - Content length of the SOAP request is too long" message in the browser.
Symptoms
The following error is seen in the Identity Cloud debug logs:
"payload": {
  "context": "default",
  "level": "ERROR",
  "logger": "org.forgerock.am.saml2.impl.Saml2Proxy",
  "message": "SAML2Proxy: content length too large",
  "thread": "http-nio-8080-exec-7",
  "timestamp": "2022-09-21T15:51:20.185Z",
  "transactionId": "1770926916925-4326c50350c1fc048ef0-7236316/0"
}
Errors similar to the following are shown in the AM debug logs:
- Federation debug log:
  libSAML:10/11/2021 11:22:07:474 AM CET: Thread[http-nio-8080-exec-1,5,main] HttpRequest content length= 21709
  libSAML:10/11/2021 11:22:07:474 AM CET: Thread[http-nio-8080-exec-1,5,main] content length too large21709
  libSAML:10/11/2021 11:22:07:474 AM CET: Thread[http-nio-8080-exec-1,5,main] SAMLUtils.sendError: error page/saml2/jsp/saml2error.jsp
- Authentication debug log:
  amAuthSAML2:10/11/2021 11:22:07:474 AM CET: Thread[http-nio-8080-exec-1,5,main]: TransactionId[49fa5c97-841b-a433-41d5-42f76963c271-417578699] ERROR: SAML2Proxy: content length too large
You may also see the following message in the browser when this occurs:
HTTP Status 400 - Content length of the SOAP request is too long
Recent Changes
N/A
Causes
The content length of the SAML request exceeds the value set for the Maximum allowed content length property. The default value for this property is 20480 (bytes).
Solution
This issue can be resolved by increasing the value of the Maximum allowed content length property to a value that is greater than the one reported in the debug log. There is no recommended value for this property; it exists to prevent exceptionally long requests from being processed, so you should set it to allow the expected length of requests in your environment.
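To find the value reported in the debug log, you can scan the AM Federation debug log for the two message formats shown under Symptoms. The following Python script is an added example, not ForgeRock code: the `summarize` function and its `ceiling` parameter (an operator-chosen bound above which a rejected request is treated as an outlier and not used for sizing) are hypothetical, and only the first two sample log lines come from this article.

```python
import re

DEFAULT_MAX_CONTENT_LENGTH = 20480  # default stated in this article (bytes)

# Patterns follow the Federation debug log messages quoted under Symptoms.
SEEN = re.compile(r"HttpRequest content length=[ \t]*(\d+)")
REJECTED = re.compile(r"content length too large[ \t]*(\d+)")


def summarize(log_text, current_limit=DEFAULT_MAX_CONTENT_LENGTH, ceiling=None):
    """Summarize SAML request sizes found in Federation debug log text.

    ceiling is a hypothetical operator-chosen upper bound: rejected requests
    larger than it are listed as outliers and are not used for sizing.
    """
    seen = [int(n) for n in SEEN.findall(log_text)]
    rejected = [int(n) for n in REJECTED.findall(log_text)]
    outliers = [n for n in rejected if ceiling is not None and n > ceiling]
    sizing = [n for n in rejected if n not in outliers]
    return {
        "requests_seen": len(seen),
        "over_current_limit": sum(1 for n in seen if n > current_limit),
        "rejected": rejected,
        "outliers": outliers,
        # The property must be set to a value greater than this one.
        "largest_rejected": max(sizing, default=None),
    }


# Sample input: the first two lines are quoted from this article,
# the remaining lines are constructed for illustration.
SAMPLE_LOG = """\
libSAML:10/11/2021 11:22:07:474 AM CET: Thread[http-nio-8080-exec-1,5,main] HttpRequest content length= 21709
libSAML:10/11/2021 11:22:07:474 AM CET: Thread[http-nio-8080-exec-1,5,main] content length too large21709
libSAML:10/11/2021 11:25:40:102 AM CET: Thread[http-nio-8080-exec-3,5,main] HttpRequest content length= 8412
libSAML:10/11/2021 11:31:12:930 AM CET: Thread[http-nio-8080-exec-2,5,main] HttpRequest content length= 24990
libSAML:10/11/2021 11:31:12:930 AM CET: Thread[http-nio-8080-exec-2,5,main] content length too large24990
libSAML:10/11/2021 11:40:55:018 AM CET: Thread[http-nio-8080-exec-5,5,main] HttpRequest content length= 5242880
libSAML:10/11/2021 11:40:55:018 AM CET: Thread[http-nio-8080-exec-5,5,main] content length too large5242880
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, ceiling=65536).items():
        print(f"{key}: {value}")
```

Requests listed under `outliers` are worth reviewing before you raise the limit far enough to admit them, since the property is there to stop exceptionally long requests.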
You can change this property as follows depending on whether you are using Identity Cloud or AM:
Identity Cloud
You can change this property by creating an ESV variable called global-saml-max-content-length. Set the value of this ESV to the maximum content size you are seeing in your testing.
AM
You can change this property using either the AM admin UI, Amster or ssoadm:
- AM admin UI: navigate to: Configure > Global Services > Common Federation Configuration > Maximum allowed content length and enter a new maximum content length value.
- Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
  - Entity: CommonFederationConfiguration
  - Property: maxContentLength
- ssoadm: enter the following command:
  $ ./ssoadm set-attr-defs -s sunFAMFederationCommon -t global -u [adminID] -f [passwordfile] -a MaxContentLength=[maxlength]
  replacing [adminID], [passwordfile] and [maxlength] with appropriate values.
Note
You must restart the web application container in which AM runs to apply these configuration changes.
See Also
SAML 2.0 federation in Identity Cloud
Common federation configuration
Related Training
N/A
Related Issue Tracker IDs
N/A