Maximum size for SAML token

Question
I have an AD FS 2.0 farm with one relying party using the WS-Federation protocol and claim rules that create a large token. The claim rules are configured to fetch 26.000 claim values (i.e. claims) from a SQL database, e.g.:
<saml:Attribute AttributeName="NSN" AttributeNamespace="http://company.org/claims">
<saml:AttributeValue>38243</saml:AttributeValue>
<saml:AttributeValue>38378</saml:AttributeValue>
<saml:AttributeValue>00449</saml:AttributeValue>
<saml:AttributeValue>00551</saml:AttributeValue>
<saml:AttributeValue>00530</saml:AttributeValue>
...
AD FS can't create a token for this relying party; the error I get is not very descriptive:
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.InvalidOperationException: This message cannot support the operation because it has been written.
Server stack trace:
at System.ServiceModel.Channels.Message.WriteMessage(XmlDictionaryWriter writer)
at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
at System.ServiceModel.Channels.BinaryMessageEncoderFactory.BinaryMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
at System.ServiceModel.Channels.FramingDuplexSessionChannel.EncodeMessage(Message message)
at System.ServiceModel.Channels.FramingDuplexSessionChannel.OnSend(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.OutputChannel.Send(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.DuplexChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.IdentityServer.Protocols.Saml.Contract.ISamlProtocolContract.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SignIn(SecurityToken securityToken)
at Microsoft.IdentityServer.Web.Dispatchers.CredentialDispatcher.DispatchInternal(SignInContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolHandler.ProcessRequestInternal(PassiveContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolHandler.ProcessRequest(HttpContext context)
System.InvalidOperationException: This message cannot support the operation because it has been written.
Server stack trace:
at System.ServiceModel.Channels.Message.WriteMessage(XmlDictionaryWriter writer)
at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
at System.ServiceModel.Channels.BinaryMessageEncoderFactory.BinaryMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
at System.ServiceModel.Channels.FramingDuplexSessionChannel.EncodeMessage(Message message)
at System.ServiceModel.Channels.FramingDuplexSessionChannel.OnSend(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.OutputChannel.Send(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.DuplexChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.IdentityServer.Protocols.Saml.Contract.ISamlProtocolContract.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)

Does anyone know what the maximum size for a SAML token in AD FS 2.0 is?

Best regards,
Bojan

Wednesday, May 24, 2017 11:05 AM
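The post above gives no figure for the limit it asks about, and nothing here supplies one. What a practitioner can do before opening a support case is measure how large the attribute statement actually gets as the number of claim values grows, and work out how many values fit under a given byte budget. The following is an added example, not code from the original post or from AD FS: it builds a saml:Attribute element in the SAML 1.1 shape shown in the question (the AttributeName, AttributeNamespace and sample values are copied from the post; the byte budget passed to max_values_within is an assumption you supply, since the real AD FS quota is not stated on the page).

```python
import xml.etree.ElementTree as ET

# SAML 1.1 assertion namespace, which is what the saml:Attribute /
# AttributeName / AttributeNamespace syntax in the question belongs to.
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML_NS)

# The five values quoted in the question, reused as constructed sample input.
SAMPLE_VALUES = ["38243", "38378", "00449", "00551", "00530"]


def build_attribute(name, namespace, values):
    """Build one saml:Attribute element carrying every value in `values`,
    mirroring the element shape shown in the question."""
    attr = ET.Element(f"{{{SAML_NS}}}Attribute",
                      {"AttributeName": name, "AttributeNamespace": namespace})
    for v in values:
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = str(v)
    return attr


def count_values(element):
    """Number of AttributeValue children in a built saml:Attribute."""
    return len(element.findall(f"{{{SAML_NS}}}AttributeValue"))


def serialized_size(element):
    """Size in bytes of the element as UTF-8 XML.
    This is the attribute statement alone: no assertion envelope, no
    signature and no RSTR wrapper, so the real token is strictly larger."""
    return len(ET.tostring(element, encoding="utf-8"))


def size_for_value_count(n, value_width=5):
    """Size of an attribute holding n fixed-width numeric values.
    Values are constructed (zero-padded counters) to match the 5-digit
    identifiers in the question; each one costs a constant number of bytes."""
    values = [str(i).zfill(value_width) for i in range(n)]
    return serialized_size(build_attribute("NSN", "http://company.org/claims", values))


def max_values_within(budget_bytes, value_width=5):
    """Largest n such that size_for_value_count(n) <= budget_bytes.
    Size is monotone in n, so an exponential probe followed by a binary
    search finds the boundary without serializing every intermediate size.
    `budget_bytes` is whatever quota you are testing against (assumed input)."""
    lo, hi = 0, 1
    while size_for_value_count(hi, value_width) <= budget_bytes:
        hi *= 2
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if size_for_value_count(mid, value_width) <= budget_bytes:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    sample = build_attribute("NSN", "http://company.org/claims", SAMPLE_VALUES)
    print(ET.tostring(sample, encoding="unicode"))
    per_value = size_for_value_count(2) - size_for_value_count(1)
    print(f"bytes per 5-digit value: {per_value}")
    print(f"attribute with 26000 values: {size_for_value_count(26000)} bytes")
    # Hypothetical 1 MiB budget, purely to illustrate the calculation.
    print(f"values that fit in 1 MiB: {max_values_within(1024 * 1024)}")
```

The per-value cost is the two AttributeValue tags plus the value text, so the attribute grows linearly with the claim count and the 26.000-value case lands above a megabyte before signing and envelope overhead are added. Running the same measurement against a candidate budget tells you roughly where a "fetch everything from SQL" rule stops fitting, which is the number to take into a discussion about splitting the data across fewer, coarser claims or moving it out of the token entirely.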