locked
Maximum size for SAML token RRS feed

  • Question

  • I have AD FS 2.0 farm with one relying party using WS-Federation protocol and claim rules that creates large token. Claim rules are configured to fetch 26.000 claim values (i.e. claims) from SQL database: e.g. :

    <saml:Attribute AttributeName="NSN" AttributeNamespace="http://company.org/claims">
         <saml:AttributeValue>38243</saml:AttributeValue>
         <saml:AttributeValue>38378</saml:AttributeValue>
         <saml:AttributeValue>00449</saml:AttributeValue>
         <saml:AttributeValue>00551</saml:AttributeValue>
         <saml:AttributeValue>00530</saml:AttributeValue>
         ...

    AD FS can't create a token for this relying party, error I get is not very descriptive:

    Exception details:
    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.InvalidOperationException: This message cannot support the operation because it has been written.
    Server stack trace:
       at System.ServiceModel.Channels.Message.WriteMessage(XmlDictionaryWriter writer)
       at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
       at System.ServiceModel.Channels.BinaryMessageEncoderFactory.BinaryMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
       at System.ServiceModel.Channels.FramingDuplexSessionChannel.EncodeMessage(Message message)
       at System.ServiceModel.Channels.FramingDuplexSessionChannel.OnSend(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.OutputChannel.Send(Message message, TimeSpan timeout)
       at System.ServiceModel.Dispatcher.DuplexChannelBinder.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.ISamlProtocolContract.ProcessRequest(Message request)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SignIn(SecurityToken securityToken)
       at Microsoft.IdentityServer.Web.Dispatchers.CredentialDispatcher.DispatchInternal(SignInContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolHandler.ProcessRequestInternal(PassiveContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolHandler.ProcessRequest(HttpContext context)
    System.InvalidOperationException: This message cannot support the operation because it has been written.
    Server stack trace:
       at System.ServiceModel.Channels.Message.WriteMessage(XmlDictionaryWriter writer)
       at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
       at System.ServiceModel.Channels.BinaryMessageEncoderFactory.BinaryMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
       at System.ServiceModel.Channels.FramingDuplexSessionChannel.EncodeMessage(Message message)
       at System.ServiceModel.Channels.FramingDuplexSessionChannel.OnSend(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.OutputChannel.Send(Message message, TimeSpan timeout)
       at System.ServiceModel.Dispatcher.DuplexChannelBinder.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.ISamlProtocolContract.ProcessRequest(Message request)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)

    Does anyone know what is the maximum size for a SAML token in AD FS 2.0?

    Best regards,
    Bojan

    Wednesday, May 24, 2017 11:05 AM

Answers

  • 26,000 is way too large in terms of network traffic. Refer here.

    Also, it won't work with Safari.

    If this is SAML-P, try artifact resolution and you can then pass the large number via SOAP.

    • Marked as answer by Bojan Pasic Thursday, May 25, 2017 10:00 AM
    Wednesday, May 24, 2017 6:56 PM