When a user is a member of multiple security groups in Azure Active Directory (AD), an authentication attempt using the Azure AD subprovider might fail with the following error:
Bad Request - Request Too Long
HTTP Error: 400: The size of the request headers is too long.
Consider one of the following options:
- Decrease the number of Azure AD security groups that the affected users belong to (the limit for the cookies is around 32 KB).
- Switch the Azure app from using Security Groups to Groups assigned to the application, so that only the specific, whitelisted AD groups are returned, as described here: Add group claims to tokens for SAML applications using SSO configuration.
- Write your own module plugin for integrating Azure AD into the Sitecore Identity Server to filter out unnecessary security groups.
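The third option, filtering the group claims before they reach the cookie, as an added example (not Sitecore's own code): an ASP.NET Core OpenID Connect hook that keeps only allow-listed Azure AD group object IDs. The group IDs are placeholders, and where the Sitecore Identity plugin exposes the subprovider's OpenIdConnectOptions for this call is assumed, not taken from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

// Drops every Azure AD "groups" claim whose object ID is not on the allow list
// before the principal is written to the authentication cookie. The cookie size
// (and therefore the request header size) is decided at that point, so this is
// where the filtering has to happen to stay under the ~32 KB limit.
public static class AzureAdGroupFilter
{
    // Azure AD emits group membership as "groups" claims holding the group's
    // object ID. These GUIDs are placeholders for the groups your Sitecore roles
    // are actually mapped to.
    private static readonly HashSet<string> AllowedGroupIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "00000000-0000-0000-0000-000000000001", // placeholder: sitecore-admins
            "00000000-0000-0000-0000-000000000002", // placeholder: sitecore-editors
        };
    private const string GroupClaimType = "groups";

    // Returns a principal that keeps all non-group claims and only the allowed
    // group claims; a principal that needs no filtering is returned unchanged.
    public static ClaimsPrincipal FilterGroups(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        if (identity == null) return principal;
        var kept = identity.Claims
            .Where(c => c.Type != GroupClaimType || AllowedGroupIds.Contains(c.Value))
            .ToList();
        if (kept.Count == identity.Claims.Count()) return principal;
        var filtered = new ClaimsIdentity(kept, identity.AuthenticationType,
            identity.NameClaimType, identity.RoleClaimType);
        return new ClaimsPrincipal(filtered);
    }

    // Hook for the OpenID Connect handler behind the Azure AD subprovider.
    // OnTokenValidated runs after the id_token is validated and before the
    // external sign-in cookie is issued, so the filtered principal is what gets
    // serialised. Assumed wiring: call this from your plugin's options setup.
    public static void Configure(OpenIdConnectOptions options)
    {
        options.Events.OnTokenValidated = context =>
        {
            if (context.Principal != null)
                context.Principal = FilterGroups(context.Principal);
            return Task.CompletedTask;
        };
    }
}
```

Filtering in a per-request IClaimsTransformation would not help here, because it runs after the cookie has already been issued and read back.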
To address the issue, proceed as follows:
- Apply the fix suggested in the following configuration sample to your Sitecore Identity Server and to all the load balancer/gateway/network infrastructure you have put in place in front of the Identity Server:
<system.web>
.....
<httpRuntime maxRequestLength="2097152" />
</system.web>
- Modify the registry values as described in the article: HTTP 400 Bad Request (Request Header too long) responses to HTTP requests.
- Restart the server that hosts the Identity Server.
In the case of an Azure App Service deployment, the registry values are not accessible (write access to the registry is blocked, which is an Azure limitation). To work around this limitation, move your Identity Server from App Service to a Windows Server virtual machine, where you have access to those registry keys.