When a user is a member of a large number of security groups in Azure AD, an authentication attempt through the Azure AD subprovider might fail with the following error:
Bad Request - Request Too Long
HTTP Error: 400: The size of the request headers is too long.
Consider one of the following options:
- Decrease the number of Azure AD security groups some of your users are in (the cookie size limit is around 32 KB).
- Switch the Azure app from using Security Groups to Groups assigned to the application, so that only the specific AD groups you have whitelisted are returned, as described in the article Add group claims to tokens for SAML applications using SSO configuration.
- Write your own plugin module for integrating Azure AD into the Sitecore Identity Server that filters out unnecessary security groups.
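The third option, as an added illustration that is not code from the Sitecore article or the Sitecore plugins: an ASP.NET Core OpenID Connect OnTokenValidated handler that keeps only the Azure AD "groups" claims on an explicit allow-list, so the identity cookie carries just the groups Sitecore actually maps to roles. The group object IDs are placeholders, and wiring the handler into the OpenIdConnectOptions your Identity Server plugin configures is assumed rather than shown.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

public static class AzureAdGroupClaimFilter
{
    // Azure AD emits group membership as "groups" claims holding group object IDs.
    private const string GroupClaimType = "groups";

    // Hypothetical allow-list: only the groups that Sitecore maps to roles.
    // Replace the placeholder GUIDs with your own group object IDs.
    private static readonly HashSet<string> AllowedGroupIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "00000000-0000-0000-0000-000000000001", // placeholder: Sitecore admins group
            "00000000-0000-0000-0000-000000000002"  // placeholder: Sitecore authors group
        };

    // Returns a principal whose "groups" claims are restricted to the allow-list;
    // every other claim is copied unchanged.
    public static ClaimsPrincipal Filter(ClaimsPrincipal principal)
    {
        if (!(principal.Identity is ClaimsIdentity identity))
            return principal; // nothing to filter

        var filtered = new ClaimsIdentity(
            identity.AuthenticationType, identity.NameClaimType, identity.RoleClaimType);

        foreach (var claim in identity.Claims)
        {
            // Drop group claims that Sitecore does not use; keep everything else.
            if (claim.Type == GroupClaimType && !AllowedGroupIds.Contains(claim.Value))
                continue;
            filtered.AddClaim(claim);
        }
        return new ClaimsPrincipal(filtered);
    }

    // Assumed registration point: options.Events.OnTokenValidated = OnTokenValidated;
    // in the OpenIdConnectOptions configured by your Identity Server plugin.
    public static Task OnTokenValidated(TokenValidatedContext context)
    {
        context.Principal = Filter(context.Principal);
        return Task.CompletedTask;
    }
}
```

Because the filtering happens before the authentication cookie is written, the cookie stays small regardless of how many groups the user belongs to in the directory.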
To address the issue, proceed as follows:
- Apply the fix shown in the following configuration sample to your Sitecore Identity Server and to every load balancer, gateway, and piece of network infrastructure you have placed in front of the Identity Server:
<system.web>
.....
<httpRuntime maxRequestLength="2097152" />
</system.web>
- Modify the registry values as described in the article HTTP 400 Bad Request (Request Header too long) responses to HTTP requests.
- Restart the server hosting the Identity Server.
In the case of an Azure App Service deployment, the registry values are not accessible (write access to the registry is blocked; this is an Azure limitation). To work around this limitation, move your Identity Server from the App Service to a Windows Server virtual machine where you have access to those registry keys.