
content length too large error when sending and receiving SAML requests in Identity Cloud or AM (All versions)

Last updated Jan 16, 2023

This article explains how to resolve a "content length too large" error when sending and receiving SAML requests in Identity Cloud or AM. You may also see an "HTTP Status 400 - Content length of the SOAP request is too long" message in the browser.



Symptoms

The following error is seen in the Identity Cloud debug logs:

"payload": {
    "context": "default",
    "level": "ERROR",
    "logger": "org.forgerock.am.saml2.impl.Saml2Proxy",
    "message": "SAML2Proxy: content length too large",
    "thread": "http-nio-8080-exec-7",
    "timestamp": "2022-09-21T15:51:20.185Z",
    "transactionId": "1770926916925-4326c50350c1fc048ef0-7236316/0"
}

Errors similar to the following are shown in the AM debug logs:

  • Federation debug log:
    libSAML:10/11/2021 11:22:07:474 AM CET: Thread[http-nio-8080-exec-1,5,main] HttpRequest content length= 21709
    libSAML:10/11/2021 11:22:07:474 AM CET: Thread[http-nio-8080-exec-1,5,main]  content length too large21709
    libSAML:10/11/2021 11:22:07:474 AM CET: Thread[http-nio-8080-exec-1,5,main]  SAMLUtils.sendError: error page/saml2/jsp/saml2error.jsp
  • Authentication debug log:
    amAuthSAML2:10/11/2021 11:22:07:474 AM CET: Thread[http-nio-8080-exec-1,5,main]: TransactionId[49fa5c97-841b-a433-41d5-42f76963c271-417578699] ERROR: SAML2Proxy: content length too large

You may also see the following message in the browser when this occurs:

HTTP Status 400 - Content length of the SOAP request is too long

Recent Changes

N/A

Causes

The content length of the SAML request exceeds the value set for the Maximum allowed content length property. The default value for this property is 20480 (bytes).

Solution

This issue can be resolved by increasing the value of the Maximum allowed content length property to a value that is greater than the one reported in the debug log. There is no recommended value for this property; it exists to prevent exceptionally long requests from being processed, and you should set it to allow the expected length of requests in your environment.
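One way to find the value reported in the Federation debug log is to scan it for rejected requests; this is an added example, not ForgeRock code. The line patterns follow the excerpt under Symptoms, while the function names, the `ceiling` parameter (sizes above it are flagged for review instead of driving the limit up) and the sample lines after the first three are assumptions made for this example.

```python
import re

DEFAULT_LIMIT = 20480  # default "Maximum allowed content length" stated in the article

# Line formats taken from the Federation debug log excerpt in the article.
LENGTH_RE = re.compile(r"Thread\[(?P<thread>[^\]]+)\]\s+HttpRequest content length=\s*(?P<size>\d+)")
REJECT_RE = re.compile(r"Thread\[(?P<thread>[^\]]+)\]\s+content length too large")

# Constructed sample: lines 1-3 follow the article's excerpt, lines 4-6 are invented.
SAMPLE_LOG = """\
libSAML:10/11/2021 11:22:07:474 AM CET: Thread[http-nio-8080-exec-1,5,main] HttpRequest content length= 21709
libSAML:10/11/2021 11:22:07:474 AM CET: Thread[http-nio-8080-exec-1,5,main]  content length too large21709
libSAML:10/11/2021 11:22:07:474 AM CET: Thread[http-nio-8080-exec-1,5,main]  SAMLUtils.sendError: error page/saml2/jsp/saml2error.jsp
libSAML:10/11/2021 11:23:41:102 AM CET: Thread[http-nio-8080-exec-4,5,main] HttpRequest content length= 18200
libSAML:10/11/2021 11:25:13:880 AM CET: Thread[http-nio-8080-exec-2,5,main] HttpRequest content length= 950000
libSAML:10/11/2021 11:25:13:880 AM CET: Thread[http-nio-8080-exec-2,5,main]  content length too large950000
"""

def rejected_sizes(log_text):
    """Return the sizes of requests that were rejected on the same thread."""
    pending = {}   # thread name -> last content length logged on that thread
    rejected = []
    for line in log_text.splitlines():
        m = LENGTH_RE.search(line)
        if m:
            pending[m["thread"]] = int(m["size"])
            continue
        m = REJECT_RE.search(line)
        if m and m["thread"] in pending:
            rejected.append(pending.pop(m["thread"]))
    return rejected

def suggest_limit(log_text, ceiling=65536):
    """Smallest limit greater than every rejected size that is within `ceiling`.

    `ceiling` is a hypothetical site policy value: rejected sizes above it are
    returned separately for manual review and do not raise the suggestion.
    """
    sizes = rejected_sizes(log_text)
    review = sorted(s for s in sizes if s > ceiling)
    accepted = [s for s in sizes if s <= ceiling]
    limit = max(accepted) + 1 if accepted else DEFAULT_LIMIT
    return max(limit, DEFAULT_LIMIT), review

if __name__ == "__main__":
    limit, review = suggest_limit(SAMPLE_LOG)
    print(f"MaxContentLength candidate: {limit}")
    print(f"Rejected sizes above ceiling, review before raising further: {review}")
```
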

You can change this property as follows depending on whether you are using Identity Cloud or AM:

Identity Cloud

You can change this property by creating an ESV variable called global-saml-max-content-length. Set the value of this ESV to the maximum content size you are seeing in your testing. 

AM

You can change this property using either the AM admin UI, Amster or ssoadm:

  • AM admin UI: navigate to: Configure > Global Services > Common Federation Configuration > Maximum allowed content length and enter a new maximum content length value.
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: CommonFederationConfiguration
    • Property: maxContentLength
  • ssoadm: enter the following command:
    $ ./ssoadm set-attr-defs -s sunFAMFederationCommon -t global -u [adminID] -f [passwordfile] -a MaxContentLength=[maxlength]
    replacing [adminID], [passwordfile] and [maxlength] with appropriate values.

Note

You must restart the web application container in which AM runs to apply these configuration changes.

See Also

SAML 2.0 federation in Identity Cloud

SAML 2.0 federation in AM

Common federation configuration

Introduction to ESVs

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.