FortiSASE
arleniscg
Staff
Article Id 344345
Description

This article describes how to troubleshoot authentication issues on the SWG when Azure is used as the IdP. Users enable the proxy and try to browse the internet, are redirected to the SAML authentication page, and end up in a loop: the authentication page keeps requesting the e-mail to log in until it shows the message 'AADSTS90015: Requested query string is too long.'

Scope: FortiSASE, IdP Azure.
Solution

Step 1: Install the SAML-tracer add-on extension in the Chrome browser and capture logs while reproducing the issue:

In the browser, after several attempts at providing the user/password, it shows: 'AADSTS90015: Requested query string is too long.'


SASE00.png

The SAML-tracer logs show multiple SAML attempts with the message referrer-policy: strict-origin-when-cross-origin, followed by a redirection of the authentication.


SASE01 ok 02.png

WS-Fed is a sign-in protocol, which means that when the application tries to gain access by redirecting to the ADFS server, the redirect has to be done in a specific way (WS-Fed) for the process to continue. The server that grants access is the one on the Azure side, not the ADFS server. The workaround in this case is:


  1. Configure the exclusion manually in the user's browser.

SASE02.png

  2. Customize the PAC file.

    function FindProxyForURL(url, host) {
        // Hosts under adfs.demo bypass the FortiSASE SWG and go direct
        if (dnsDomainIs(host, "adfs.demo")) {
            return "DIRECT";
        }
        // Everything else goes through the SWG, falling back to direct
        return "PROXY turbo-rtetmtpm.edge.prod.fortisase.com:9443; DIRECT";
    }

    The custom PAC file can be hosted on a web server.

  3. Push the exclusion to the browser via GPO.
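As an added example (not part of the Fortinet article), the following Node.js script evaluates the PAC exclusion offline before it is pushed by GPO. It assumes the hypothetical ADFS host adfs.demo from the article, re-implements dnsDomainIs the way the browser reference does (a plain suffix comparison), and contrasts the article's rule with a stricter variant so that every host that would bypass the SWG is visible before deployment.

```javascript
// Added example, not from the Fortinet article. Node has no PAC helper
// functions, so dnsDomainIs is re-implemented as the Mozilla reference
// defines it: a plain suffix comparison on the host name.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

const SWG = "PROXY turbo-rtetmtpm.edge.prod.fortisase.com:9443; DIRECT";

// The article's PAC logic as written: a bare suffix match on "adfs.demo".
function findProxyLoose(url, host) {
  if (dnsDomainIs(host, "adfs.demo")) {
    return "DIRECT";
  }
  return SWG;
}

// Tightened variant (assumption, not from the article): only the ADFS host
// itself and its subdomains bypass the SWG; any other host whose name merely
// ends in the string "adfs.demo" still goes through the proxy.
function findProxyStrict(url, host) {
  if (host === "adfs.demo" || dnsDomainIs(host, ".adfs.demo")) {
    return "DIRECT";
  }
  return SWG;
}

// Evaluate a PAC function against a list of hosts and return the ones that
// bypass the SWG, so an over-broad exclusion shows up before deployment.
function bypassedHosts(pacFn, hosts) {
  return hosts.filter((h) => pacFn("https://" + h + "/", h) === "DIRECT");
}

// Constructed sample hosts: the ADFS server, a subdomain of it, the Azure
// login endpoint, and a lookalike host that merely ends in "adfs.demo".
const SAMPLE_HOSTS = [
  "adfs.demo",
  "sts.adfs.demo",
  "login.microsoftonline.com",
  "notadfs.demo",
];

console.log("loose :", bypassedHosts(findProxyLoose, SAMPLE_HOSTS));
console.log("strict:", bypassedHosts(findProxyStrict, SAMPLE_HOSTS));
```

The loose rule sends notadfs.demo direct as well, which is traffic the SWG never inspects; the strict rule limits the bypass to the ADFS host and its subdomains.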