Environment
Access Manager 4.4
Access Manager 4.3
Access Gateway
Situation
When a user POSTs or submits data to a back-end application via the Access Gateway (AG) and does not have an authenticated session on the IDP or AG, the user is redirected to log in. During this redirect, the POST data is saved on the AG and is replayed after the user's credentials are validated successfully. It appears that the AG only saves 64kB worth of data, as anything greater than this seems to be truncated to 64kB by the time the web server gets the data.
The issue can be duplicated easily using the following steps:
- Create an HTML form that submits data to an Access Gateway protected resource.
- Make sure the form has over 64kB of data to POST, then submit the form.
- Get redirected to the IDP login page, and submit credentials.
- Verify that the data is POSTed to the web server but truncated to 64kB.
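To make the truncation measurable when following these steps, the added example below (not part of the original article) generates a test form whose payload records its own length, hash and byte offsets, and a check to run against the body the web server receives. The URL `https://ag.example.com/protected/echo`, the field names and the output file name are assumptions.

```python
import hashlib
import html
from urllib.parse import parse_qs

BLOCK = 16  # each payload block is a zero-padded 16-digit byte offset

def form_fields(size_kb):
    """Fields for the test POST; length and hash come first so they survive truncation."""
    payload = "".join(f"{off:0{BLOCK}d}" for off in range(0, size_kb * 1024, BLOCK))
    return {
        "expected_len": str(len(payload)),
        "sha256": hashlib.sha256(payload.encode()).hexdigest(),
        "payload": payload,  # digits only, so URL-encoding does not change its size
    }

def build_form(action_url, size_kb):
    """HTML form that POSTs size_kb KiB of self-describing data to action_url."""
    inputs = "\n".join(
        f'<input type="hidden" name="{name}" value="{html.escape(value)}">'
        for name, value in form_fields(size_kb).items()
    )
    return (f'<form method="post" action="{html.escape(action_url)}">\n'
            f'{inputs}\n<input type="submit" value="Submit">\n</form>\n')

def check_body(body):
    """Run on the web server against the raw POST body (str) it received."""
    fields = parse_qs(body, keep_blank_values=True)
    expected = int(fields["expected_len"][0])
    payload = fields.get("payload", [""])[0]
    digest = hashlib.sha256(payload.encode()).hexdigest()
    # The last complete block names the highest offset that still arrived.
    whole = len(payload) // BLOCK * BLOCK
    last_offset = int(payload[whole - BLOCK:whole]) if whole else None
    return {
        "expected": expected,
        "received": len(payload),
        "last_block_offset": last_offset,
        "intact": len(payload) == expected and digest == fields["sha256"][0],
    }

if __name__ == "__main__":
    # Placeholder URL: replace with a resource protected by the Access Gateway.
    with open("post_parking_test.html", "w") as fh:
        fh.write(build_form("https://ag.example.com/protected/echo", 100))
```

Running the same check before and after changing the Advanced Option shows whether the setting took effect on the proxy handling the request.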
An Advanced Option on the AG, called NAGPostParkingSizeInKiloBytes, exists to increase the size of the POST data and is documented at https://www.netiq.com/documentation/access-manager-44/admin/data/b3kjnio.html. Applying this failed.
Resolution
Make sure the above Advanced Option is set on the Proxy in use, and not globally. In our case, we would submit data up to 500kB, and added
NAGPostParkingSizeInKiloBytes 500
to the Proxy Advanced Options to fix the issue.