400 Bad Request (Header Size) error when using Entra ID SSO for users from specific tenant

[o5231]

Which version of Duende IdentityServer are you using?
6.3.10

Which version of .NET are you using?
.NET 6.0

Describe the bug
Some users receive the following error when logging in via Entra ID SSO.

This does not occur consistently for all Entra ID SSO users, only specific tenants.

The URL when the error occurs is as follows:
https://--ID Server Hostname--/identity/connect/authorize?client_id=--App Name--&redirect_uri=https%3a%2f%2f**--App URL--%2f&response_mode=form_post&response_type=id_token&scope=openid+email+profile+roles&state=OpenIdConnect.AuthenticationProperties%3d--Omitted--&nonce=--Omitted--**&x-client-SKU=ID_NET&x-client-ver=1.0.40306.1554

To Reproduce

Scenario 1.
User from specific tenant accesses Application. Application redirects to ID Server.
User selects SSO login and is redirected to Entra ID.
User is redirected back to /identity/connect/ endpoint where above error occurs.

Scenario 2.
User from specific tenant is logged into Application.
User logs out from Application.
User is redirected back to /identity/connect/ endpoint where above error occurs.

Expected behavior

Scenario 1.
User sees a list of Entra ID accounts to log in with and is redirected successfully to the Application.

Scenario 2.
User is redirected back to ID Server login screen after successful logout.

Log output/exception with stacktrace

We do not see any further details in the available logs - we only see the screen with 400 Bad Request.

It seems the request does not reach the Application logs.

Additional context

We have attempted to increase header size limits via IIS config (at the IIS level, and ID Server site level).
If we can increase header size limits whilst any parallel investigation continues, that would be useful, as it would unblock the users with SSO login issues.

[maartenba]

(note: we're moving this issue to our new community discussions)

[RolandGuijt]

Can you please specify exactly what endpoint is redirected to and what header values are present? If the cookies are large, what are the names of the cookies?

[o5231]

Please refer to below screenshot to see the endpoint / error

[RolandGuijt]

Can you please also share other details like the cookies being send?

[o5231]

Hi, please see the Cookies below:

Identity.External=chunks-3; .AspNetCore.Antiforgery.0pzb19-uNhA=CfDJ8MlqJGkAOJ5GsjIiu8l3F6loLhJu32vnpihApsrz-C8W54LGC_reuEc_eYyUHrBMXqh-UGfkhC6tkbXtcUo3gL3By4lyPrtE4Gv1qvkrqVGHvuCT4USfYp-v3bAI5y91JqfHzMehHk5OzuBLvYzzMwA; Identity.ExternalC1=CfDJ8MlqJGkAOJ5GsjIiu8l3F6lXkFMayWlOIBqA3JsjeYryt3CvjknjZ8Nj3QrtzrBxSjoBPW7r1ud1kIGxSB3tPhZO5o5szJKBOEQ-fLnkHEw5O1vFIkAq_XPlHG6Uj9d7o1S8qaD3yh3hXW2cIf48X9h5QJnugYCyur4cQH5tw3ZCe18Dq2d9f84XxEeV-mRp-zUyqoKuq3SpA3oBfmSQrvb9I7wB_0PH1xhQQARi7NiiXu12IUPS37cd7ZF5_EqSGd3GRpT3YCM03LlG_wcxdiQHGjfrInp6Qlq33unt5g3ofrfg7VILL3vq4JFwMR_lREpBVbEBPMdKe1lVMdM4tZi--PgyFIRw4O6WHJGo0UQbWfvfv93UAawUTO02Ewxo2zHT41vxk8rkHe3owXVFQGvHYOBbpQ76g0CwJwRr6CJcRPQIGHBMAcOCXx0-DFnOR7vynd593WjnNNRSRsaZ6z-IUaNK4AsNoSDX2kLvnWn61wRZElrBMxgLYvHqMjqdNe48Ar-dMAV2DJisUE8s6PJ3xJCzy_Rn9h51XqkSn5AT8UkxhXK6I4AaV6mLU7A6IdQoPsAL6x7Er_RUIAN-iJzJiyie5fj3dmIQOaSnnTNC2ew7y6Hfg4zgbtwTYm5PAM536OgSzAWDqji2ORxRU64U7_IzC12jFJOwhCp-Jppe8rTbv6FFueq7EsI2XxnX8x6vTxacMda3ZiQLga1Dnxb5No7ou0-V7s09r3ijzthuegOkTmyM2JHwxarL6J-Dbj-Av_jtewX-XKTLwNv9CbUW14s6jAwvDml0mlL4lBC2TfQZGZqBks2AsNLLPrsRwDZJ3yJfTPwB1UKGgn7cFIri3xE2BFZcg_C9rirIGQmGSzJEEJu1lOZP6XZa7_y-l_0DhK3Az0Io2lYsm_ViyaVQTMMo20f7jlvgO7aEibJLF1U7Q8lpW7WlD3Z7TZIa8JWQ42zHQvJMtvevJWptf3QIRL62hzyMp2vbbWM2hx4NgCln1pSYn2FqRp7UDo8aa9HCtCfUITHm2_-uEbK5_lWIK2W8iAghvWlO5om_q6X3guvbAg4TO8AYgXMvgI-RR5sJ70EhTSWnV0dkY-zsItVLjUO6RV__BPAxuGkv-AshgJkxuvg2GEPj6F80jCFSl76q4DQdP_FOjavObxe4Bm713kmFfcWyUgjymjCPWxdDX3IMIbTgdl3l1OGHdEgvb41RxOHx_-iB63Flw_8EqvMVSp9pfIICMvPXYvJ7TnGtJQlv2aiNB0oWXRraI38bkc60oTfiNHpOskqAh-3R87xESNYXSwAKZ32bipVPPBp9Nn3_U0TnPHqeH3Zm6XgAonj-bWzyM5OE3C_lfhDIGytoUbW0gkfZh17OvIQ0savr4ba9UDq2I2vS4FsgLUndbi76AKMqU5g3WzyD35gkT_gI9d0xJCQgAnxziofzuJuRWX8d8Rq09Gxo6aE0JP_75VKwZns_jeSinNLVZJVE5Xj2cKlZL_zhl5fvxTaruEPpEaNPUOYJjMzmnGof0B7t3PzHzXPAGi-K7dIKht7MiUgzDLknluIaWoBB1C6u3rxdZSZokpF77JzLZlUkNMMyR4mWr5ALzd1DTlkPxD-XHjaNpBw9N7yvOzU7BarvmrsJB38Y4cXiAj-d3KCW6eI9Ixvg3UBr0tactvJo9URkkLPx4m2LxDnxANkng5j0irTAfW5T9_Hc-7rSPxYha55FFv2lb033QBiihb2mvYmMwMGz8gxS022dTPz3b6jB9qlSIs-nhbLF-wAak5jkdBWbTck2izJKGtd0Q1KZ6-cBHPX90x034oOqRNE1C0cHmxbcuj7lYfuZH0h-E7P4i6yfvVEdGLkaYjo2tih9wb5IOTqq8OOf9cdPRbUD-OFj72BSZ2OMqzjazs2cXFUpiPlqiF50GyVqE6rKlWpw7-Aro0qIz-Q58CykRdlm8i7QfAebJ08fh8XTBaOj80Lma_v7ukNqw2plO3CVeFfGVuC7u4y8rrTDTmWD0MsXdQ8kOFqj1FN_iFUa-sI-zW3llLdEnXLN7TwO3zqE3cYXHpAX_DORjopzBeFitK1-XF5H3kgjKRPaq9UesWMvddijAekp8uAH3eRjUDPxgJUQkpjrUNBDTLy1A3L5w6BNgm1MAqBMLnSWJaNY6cW9c_yYID1b5iVdEFIOagepzsS6nNnFAT7h16DDplEG0yfAmF2Xcn66ngXPWTY4WouGSp2nc9H70pIpqKxtJlavSbxrc5AsBKswbIRMIVULzezEDbN8T6-xqlZsoAHJOXOrgbsxDU7t3498yrN5cqo0FyWVRLumWmsiGSU4KjFPl7FcjT8dBv1NtpbOSp72D4oZspMT4ylZD1d0e2LeIgZOCWlk0wysXCTPV2KWECxtD3nB2gml_FYTShNfGmmkD5-EYI235nMGLgk-xmQQBPrI61YYl2UzmSob13APl5T8b67QMgIU63z9VFyO1Wdl25IL6M3VLCdyg9Y_aWaMWt_Z5RxuHyIfSsn7fyH4VgvUg3BKgMjDsqYIaAwUXh_5VvjvnlW_uiqtEmBsFshbvTClZPOYbbBtrFnOh8sWh4Og_PZ9BC4xGBslJWV-9APrZ8vaEThicXYG2cF3GFxnsOjfXQZ6Nrrkhady140dlLCAwuckG_5mGx4cMZkreqHkH-HSwuaLNLSqWFY5gAvF0tXwzDsnU1kY4L8f1O1B-AgpiPaiokX4mTqxmWE9ECuLMSlx-IbnycC2zk-Gz11YV4WyDHzHMPtKV3EATprXS_3cVZx5Y1CWpHSv6k8va900Axk4AUR6nd-HxgCeQ-m3g_cNdV6Pxxs7cE6Qu-YQc_V_M2zCZ0uGiXTBa0X-brzKbPV-trS-SW_VaKwxDHLGlQ4MKg0LPZb6794o5SKfG9C8Ib_cdR3vZhxUzFqY_VFn72zCeGSgjgZi0yC_E9XFLW2p9BIA7gsQB-7zqQ-MkK9EJfbHOj1xMittbGmMbmxmBXqu3HgFOj8gWq70rv3zQXl72PuOk2wyh2xQH6hEk5lxQOyknlDpEsQI3QkdVF3jnOmh5C2B38Js5sDx625gdTPsUCcM1mLKAnEeAJj0sgiUKfMIoKG6E7O85N_ZAYQzE8X9E1UQQSVqXW0mZoXV4dbMJ2q55u4_UHbK1cQivjCjo-ulEvbDgy440YMCW8NwmOmyNdlsrTLNLVyCrieTNrvQPZo3UvqfrKAlDWzR5EDdfvqNlT5Ea0UKajSZ9OfnDTJy7YqmoRW17HybL-dtPHy0PhCepWWxom56wVCcGnIdCRhUA2RDHdYzwwJoWhRljm2bVfI82nCCGqR67uJszWjP8RhZjDAhp6EaKmwAPKz8RBenIfAd_mR26vrUnX63RopfIESEmXXQuVmNqz6tRAFo2jWfcbo25tVeIrvRlYnXKPpu_sypQODHb9fkzZRxNnu291QnttedK44Xa_K-PQHQsYL60aaMRgPSI6ro2HfK9FqUAAOVGgNn9r_cfoaPD9lQyQIpItfdtCCbskWXh-u4ECHWhmgaJr3NUlcYjRhRfX1m_Eg3NwwH7OFEqKifJm8KO2QfIh_eah-id0Bb0wvg1xA_FSPLeCwNrSBpN6EVXtaFNCWJanicEotxFS1BQ85FIFWnR5X8rzdc696rDOXSV_EuiflC1shtCf8e8EFhp2IzFkIhVocFjBy72jStT709QsSIVKZAx4GmIN4eXi3G9BXkuosNbBU-Y0GayVOO86tEqFb6edvKZsEBf3OynRd01rkYuF761aaY7SHCLeUdPzGsBGFEfjGHjPkTCpmUCITohIh_PDhQl5aRB_pPZ7ZQSZY_sgOYEvGj_4inYGZqX-m7Cnhy8rJh13_vb9KxNEXU7hmB4oQxyJv28VDgnDS8Z6l-9J58pPVnAcDIw9PIg3wXHLOzprNMoOys2EQXCO8r9cUx378AiAGcJGzVZCMFz7ujlgWQzFnpdE3v; Identity.ExternalC2=aW55ubyXtpE4O2uqO4ZvE6okA9aNzNFHFYpDPYU6b0DatYB9xmUK--bqHUvNLozZtzPmfjSo9loCHBZ37pajhBV2vt-PJ63O_qF_KqTojlhkxjMkoqqx7otMNbrO0a7_taKG548Fy2GpeIfvBFtJUCnKZ1L9N32U5MYx7FqvnHGWOBOriC0_cnqkED7f1nHggniNvHi39bJziAAyb8Fi_w3MYyu8uLqb11kNoBuAyNU7imKrxcPQGarjrxynWmx_Rs0lVtzUYGi8EzbmlEqnTz7kk6yigtbXx7BYYGZfMIxbn4fEUMCkE_97nIZTa56WhVam19aq1xEaPRl5qGYYIfv3M2cTF8WwGZLpfZApEF52jSGFgUJDyLhycKfNtn21AhOYWbAF7OrGVYaVy_1diHlqlzDJ_H7_x1pO3ny8dD_iGifz_lkXVl7AGWcQOc4hakFtM7k7bj_pxSW-0nEjpJkonfGWwM_RXukzLmvqvD6_vx3alRP4GoWlQ9DTfIG-rvdHTrewXOluHjYTK51W-iRZgfKgWtz4WabCPI-kuW2oqW2b-l-lZZHPIS2cz7zFvWMPJLlN-rRqQbQkjS7sZtFebkZun2PQNvedlk5wz0d0CIeoDqO5YYKVonvUt-WxoB8i9fsLWjsNbWuUPymKX5yCnQO_oB3ofSBZa6-8n8A7egApn5ZMn_0uO5cODRNwt_LnIoNsopIyc0nEQAw9jr4jIdz1rnt9ADqZGWZh0OqQB7Ciz1U3cSYf7fHNFRQGXFolvn7Gk2Koc1hzd_1uUyc1-bSTHE6ypVRCu8eceMcQ2CriuPTAjxYNWp6kuEubxhD3vW6OwIUuAQ2u5HgHU46LLyLCjU0py-UGm1JQhw3Uv14hlA8RKPmdaLh7vAC9foTLf06D8H2S4G0RpbAr5zNbN43NkMLy7gVTbapOf9VnBNF6FE8TOLR85_Nt0vAN3ob3Vtvo-RCfIQWN9M-fZqd_cpC71l2rvAkEbbUKTdHNCXFxLDQZnvVY-rfEp32RbHGWb4xKOpGFS-80YdxiWeV5GUIT6LmlybWAE0oFensHeicjat7VpeCM8RdTlH05CRn6JI1UTq5BGspbo5UrVLTz0D0XYTrZzvdy3HgudwIE3oek_H55S9e-GLqT0kuEcsc08MKa91AKw5ep61FEUNGWq27v7e_x2FJ2TpLSDt2BKJSv2f3PKvympOkBJ3bNMJeYa_zYtAJt_aQW58bWBpSQmai1ksM8zKqN0BO3shmLLcJOHQ6S_ZIZzOM5cNDXedYBO8O4cmBGMJsXNvSkrOanxSeQBgGC6KZnfg1JKRPfs_OoVAmZv1I3UVe8HUgPaCerynqYnQIh5tU_Mz84QSYFb8fhcWumy2Tfqw2DUsnWqnxmrPKUc5kuD5bgEgNVCUhc9vFDPvFFQ49CHglxA5GbJy3dCbA5-C8bRfu0FAO48r1lz-GnqL-kLu7gzS2q8wJ8yE8biMk3GLlQuLmZWmZrQhfeyCVYP2lxEz4S4K0s2h6_7LjcHWLB48bgvSa3e1fBwsgoYTW3SUBajHalZlx5vE9yolbuRPqKyub3-cG4cM2DjjdB8BQWInH7l-vTpSxcwR9dQcscliZrZTpQn13Wjt5mJUshGgTPomrjctDc-yfV-mqdJWVq7VpvGnnI0FwTxvSN-iMdK-boDuwlyV7nH-U8o2k69JoCJZfiJgO2QiXCuT6efjQh8jwzLFPVXuHPe85_XcsYokh2t70vl-aRWmL_D0eT5eDgqiwEXYtwUgW2DVn6dDhm-kwi3BJX--6KZS2Wr4Nzgsr4yn-scKM77b-HHl5JZucq5gfr8AX4UxoozcYSy5on-vvc0b9jKaq3hs5X9iPGtYYVL007ZQ6CV58wdw8sjP7pmEh6zstgs3IGM3dXyAfkuKorMMyTtfcPBbVFrqtldCeHlFGXKJUL3V6KhmhVtF7Mm165tDsVRtDCF4F-Nvdw0MA-Rz80mTmjS8cunAqLCZiwzweOt7FZrRrFZOB_jRgHwgD0ggbGRgNt1PzqbjHPEs5t3yjtP_0riZrNJ0w3ORYr-UhGcZwncp75pRVJvH58K3Pces1UW_oqwkhk_ckMO-zLI9ws1lez9tKLWMQLHbySwQgN3CsznO40GTnyxvoB5KLYv4a1TByV2VUWurCmQG19pwRRXqq7_yvpigZqwBM_btBDZ0QdINY686CL-_chMxpDX4ZpCbQPFdHlNgc6t5yb2KvWcwH3AGuOs7RtrQGmq4xgsjZDo5IsxqHi-y3miN4zIcBCVqT88Yv00evX6iWSQOP0o2Kzo4y2AiccLB1QX3cQIqNB9rPYYDPBAfS8oFDLICS2NPnxR7TxRKxBhHsV_dOPCLJD75UWgs2YzYFl0dOsPe0LJw5lbdnT2LoJ5ktrMyzkdI5QnYhcfJ4k_fcDKTu1M-26INNfa25ryNIQsnq1A8o-ufMMarSKVJy-E0fD0NB4d_Hyj4wROJEejaqVychm-wlrQuBDoYrsLnknvAKzEBzHuW8Dsr9MyLRzAgYJXpF4CwHHQrnFI8z8W_4o6ssPimOLK7bqddqhYCTD3hgrx63PdEcXSFDhUNQOnrMFaNQNr2g_iTQcITpwBM3TW3F_46i0gkH4LaAMeue1fDkTZeWOYkkXcO8EnezklcOtsQo63xu681GldkmVrwLZOi-BQv-yC8gApwSxk-lwEL6PG8Xs8B4li0Og8GvbSuL34UZdw40o4r5UvJEihgQYVZl66smXJoBpbXuvKbM3j9btZMg9fHYcAYufkskVIu_32JgFesA2K05miiYA4UGYNCz1N7q3PHpjbHMhjnLSwUn_qdbHeH5upOF2k4-T8AycEqR1lz4TJI1uPGwgCkIp_qBd_H06BjX4BwzG1eaa5sJT_Y45eCVi9hrRNG004SPz_O6zLYsGluYt0VzTGsyOqhOOCxhdG_jL90gj6aTownueIh9YwXq9cpbMubuNuIZdeIpyYsWQgvfi0pRAUvsjxB2rHMBtq66z4E76hQvDASODiwilQNf22nb0MAbtXEQl2251b5132C2H1mXrnppOsvYWSisAoqwiX_iaKlYIguXkJbmnvmBIIzHFYvf3Rg1gNeMDNl4CBOpaD0LND3uIEHs9Gav6qkB-CI2LT5pNlt5AuG79vdSRSVsTr3vziB13Z7HqOAUzMjSsSzLpwno1EDYGRjk0YGEaZQWjL-OUUmsn_BwNCKOYZLc-zCSOxv62_Kf6H3M20ZVI3D3nMQfAVYdSGNdGDQO7bLJdsOy_aHi3Pr_e5WXikVdR67uE3zA2gyuhMaCd40KyxY2Wp2OsSUPBTteYENrAOWDok23XiyFJYiVY1nvtQXV3XbGOLltPlus9x-cyK1tI-EqbiAOFgTMV0XZpLdBqFu_ddEWZv3DF5NPDmkNk4bMWMBkQHyPjuqLMjgQ8iu8zR5heWurxWwz-dvYqU6ISAHfS_AZgG-B1-VAbXTa2kHmnKzflHk6MsVndnWsThPLU8F6T3XAg4K1ooENW5Cmtn9Q0kqBEPUesoyAOSnzOMApyy9dBG5MsGx_nuAZG14bfR08T2VffPwoiyyAVle2MjqXgsCrWf73N8S-ocjlZ3jwhgyNzERe0gqG8ouXdmOx0S6UsYiQ9sNhkabeCMauttFf_KmRN9JGoXM8E6pF5HlE9MPWH9Qo70A734d-bhMg-_HOVe8KKp2sFQa4GOLvbBbYDdu06oO5rCkt_DPKfYOwE5ETF5IaYOYcXSvVKzX0p1HTqBhvJ7SkMLa46qOpjyKiRR4wAgU4ePCuHMu7PrW1KVwbHd4zSQAWY21T5QrTInyktCdRS2PmUMBJHvcG4yMVzaZQ__k5ddEYd0_rv2WmUhxHLezZcGtIBvWQGnbPxadQFReJJdEuXei6gCyyPmSrZ7lgoPbkypeSKwK08Bh7PrhiwBS2MRSjgKL1bQyyXDK8nHFhCAaiq2YRxSto2wIUl; Identity.ExternalC3=q9fuPAKJNEGM7AVsoG5dIEnFcYzp-cOAeJA8sB28jYo69sgan6iOFgNuSj037qr7lqvFRG724E64TqqJtx79RXN-Prk6cTY0wfTBHi73eXbS0tNFAdyKz8VToV6JHqSSEZfZ6kHTPYLmO6Yk2zeqhomhQJw8rU4slvKa7fPHk0IqfElLc1Ek35vov-oGJNIpYlv9Jy8WBEKcwaDALhKINSPp7tJJhK1tMYi2dRDWMYBJ8PCh0rO58uiUlj0B0zVAtOIf2rU4m_FgqrXRBhn6DxIYfa9mlutSKwGo8ynfDWGhBH2I5xSWF2hhAXNgGaV_xOJXX3IMJJ8SdR2FpM-1NB0_1HTlqj8CAf8xDp16g1KQ2zTUEaauCMX0DmGUpZpjnfzRIWdWFSBaUnJtjUSRSi2HxKc7_qzkenzAk04tk_jAXXxMLGZNxY2KPzyNgNI1iEgiF9o8E5vrpkvFCx85xJhghQlVYvyewKmYuhbaV6B1wP4REA9sDpTXaG6zIAd5zdDcZKM0I6UYWJUDIDIH4AKzZXnkL8MbNXPpxUUDVpA02dGKfjbkFJv5FzHOGtzoi7gSL97D_UnYRRC17hJGgdzvYT-6oHSl-nrouqc-ChEJK3nlvN39p6kmzPNob-c_hmUnIvG-sBMkaeIu60aylIhcMC3WwlyuBdXDW1Z1IUmZ117EnQrmExdace6pV5EzmNYlhw6M2J1oTNt31Q3CLla-SrCQmBscKjDy3uc52IyEv_4sntRItTrhsRIYeBlgOlgQPtB90gantFjWJGe0ot5BTtKDMeUIJKRQQ4yRBDgJ9QRcD6iOqQmLlShy3CAwpWD051yCz23ihyOxCehrWsxADkGQ5l459GGtPPQMTK0jdbC41MoacXthbfmD61C_WkrgnHthRPwozPqfHclKnyVEqELdse0j2UogSEeub1WfekmckFFSXEPue_weLtekBSgEsHF7KXmHmRX9gD5JDdsjA66QnMWu5CiMxFs_qfeneJvS4caiJC4xFQFATyzuNEwsEUQ2NvMyrWFi_yuL7gv-botYRpGaIybxX8JtAOkiauGPAxNfdniWl-ndkIOgdkzunM8aKrWXC-K0AG5upPiBx00VG9-81aSQxlD8x4CVYd7TsAR30DNQqroo3Lq3T9A8iH-0OTYVrGjZ4qcOP8CTNCTYbjhoBdSIzuQmyQ6c-utveJbZAvOyW_oSPmyIzhEGwT73aXxmnyPad0RzvedpVVUrt6OSPdvY4uJ0IRsz4dLMpEkbJWEF5j0hXlSWcLwiVno6Vdv-p23hXMtIW06NHBQN0pkHOnIcKnBn9F09ficnJYmDZiCVxwCoH1qlLaDIyHb59RsqVp8cigKlSKoVVUrbuq6wKklsxYOOd3wtcnX2Z-4VPRCNRcVEki0w1jDE96wnvJqOHYLVUi1cGjeLf0SO1qDPkBnzC1DvARdupv2QqzPj_Gw63n8tw0Dm0EXYxaTs4C6w18Z-n3aYphodWQw7F4hxxuSxqmCMPZ2jcb6A3lEGhQ8-oFAEA8tDwIHO27KefB8basSVBrW4h77QNkrH9rS045p64CvKWwO7dRdD1E6OffNfZuNAFGWjAun3nDJhxOs48P75mS-PK4ErqnjW6FxC1KWsePsEhlIk1bt2u98wE19iGAk2qNU6T7Cb12NOo4-cEJ7jm1dnDAlOPwkLy3e2viBFhzlbfUOioMI5XtulzWq3HIRfhJ7ZO3F6NPb-_V1eqa5bjaWNaABUAPtcy09uyvQbrxO1X3HUmGxbtQzS99raZjwkfNVljJ05Ojy002GlOgJoGIeqwn1Hc6LOOafSOX85IKnpiDn9UmY2GOqbP5bzk9HCYF-mcA0SxtSHDaZrziYRQsPcYMQNhHLFV2Vyk8Pl3kz_iHGDKwEm5PPKXD_FV_hTHShkLP1tzTo3J8reD7MDomc_ceaGulb36hrxlcriYKxTGElHZL9Nt6BXRgvYNe2eT1qFdcoZtfoinG8qlK8xXUwQdzRp-gWDl92tvysYe5GP-fpQqzfqlXAGLQiOKE8LInkEJASea83p0dBzz_ePiagASJpqL6TZ4toQqzbIq1PELHQmzbSj33gN1ygypqTH_tJrH_UFvgr6Tg7vYKzy8-ifvcnZ1om9QVTXgqveZa9__8OZgEhaoIYSn7WO57zGZh2-0KlgLThFnJy3Qiy82k9TR-td_dZzLrzfPl6DBJIrAx-hPRUPMSbCru4wsuebeC9gfh4Fl1gzkG_7rsyIfkPSJMlMao2kGSroBlGQfeUY8tMsr-CwOdqT3HS9_Peed2PoNEhle7nIxavf32myYswOT8RtjB3HpMZHL5xt_LPw2h_O4wPKae8ejmDK3PkQ7bD_P0YtITOxIwj1B2suH3NCBmSGJjJ44Y0gKo6Z_6Bv8VEX1twicEaeGKQWWfN7-hc8zskKsXK1Dn48R7Zz-YE70pVWt_kyHBBZ03nUbsM-psyJfIwMP-1iVyTY_R5cHXOfaY89oragrKWW-mxf62mEYUx0E7K8NjggmpDyGGya8OD3ZFhk_sCVWfI2sk8_sn1ZL76Dh9nQp_DicXV52R5mLVw_siGaLZFFdRxzBrPG_zQx0iO3YXYJRKdvqq8N-jl5eN3ZcPWow7UoRNqlDUkUmsqMSIk3QoAIlo9wn0UoiFf_cBo_J8C5XZ-EPrWIXKQGJ6Bmzm2KLSUT1Z-zHAK4DH93b9tjhbNoxPTOOkSC2SZZawWb12Rl-6qd4GSS6zAFwoMwMj4_jpTeSDpQCDuilRu_6WPYhl1MpfiRR-KfzmksGzh_84rq6Y6Pf6a3eXMmtaYk7HEo2Nn56ARqqTGGalNHnNiauxw0KbxLKvcEzTNY-BurhvWj_D76hqyUXFs9AvuFcPSY43_ArGzuhpUu37GleHx9evfBfV4cXJmnK1IeyPY3WpcP1CGcFEq6dAQ_SA8zagdQYIIX4vItDUimuPZg9mdzd9QqPKX3mIYycBny0mt_8UitdKVqN1a0cooZt-Uf6-ZJUALPIDAW7A7wIZijYlmaRRuOQT_CsT1xoHIv7or69PEgWKKVUCKGhApz5erAH658fOfK4bffRe1t1WT0w2dr8MUS_COHEdYJH4kCVpwOnq3Gp-MZtGlfoUnKzubS-zwemDVEHgdR4OjALgG-e7mqkzhg9FLLzFTPV2ogOncQaekGsiKXFUhIPmZNaqDBXkrGIENKcBd5UPGmRj6IrPOd-TA3zXtgp4z7JAei7gFwh2vICJ9lftjqkUC5kdi99fpu4eO7dYe1lfZUcQ2oNMueTiIUvo1nI4ORZKsxMwKWSC2OFKC60pv02ao5zu52oeU_t1XKw5RlgZ0BgtkSqgJ7AWIxPT5y-Mh09ysNKg; idsrv.session=B1C475FA71D87C3F0B53CC3C38AC84A5; .AspNetCore.Identity.Application=CfDJ8MlqJGkAOJ5GsjIiu8l3F6mFG49Bfsr2dUcqAIbvIJaUkIEDFUp44pcCZqZLo3Ob7LJ1piL54bFozmhlJp8ifbZ4s5GLt96PHE6WNJcB_qi5r9INx5vJ6gYH9U579sMJc_RZCM57G9WTDiv98Pvu5hwb-3i31GS77z4GqOG9FMmhgZMwrAvrNat4NYzTG-Uf2wyRN2BCvc5ijyjAB-HK1OHEiCKFXvqaGlyWGB2WXocEuiibvlQOJb3GH-Od4HTygdJHijY4zvhgWDtaqg0LwOm5bmKYiyL-xgdhzCoY5EkvhicJ8Tl4iea915U42FYpwfNnuol5aCZKPxs9wKVuOYLopnAKAkb69MRxnG2WZ9KsEz9dBwNbvhuVdLn14Rc1jLxoOi4Td0AEn8-reEmvUGj02P_UptbvuUKyvWSANFn8_Kfkd-Cu1XcWTS8lNxDrQNQWimETAEILibaGhKPe9FN_SFDZ9L3bHtZw9oGDXWfkJq0eLHBX89zSD27iK7PURjG-RSnlgBu9uk5fioYSTwfXlgLedBTdXIqpeBxz7wEDPIHS8RSSnzwlT-tgVF8pm7y_tAUjKUaAu3C7N4sAnbJAjaAOawNbk8woHtHfncyFNm0Li4uS4Kf1b-5uj8aCHIckEP7FpTlLPkKC9rxvsJusQ9yZSaprQUXa0gWvVSY9lr3A4nNUk9kdPJbORDzmCKEmgDvMp11H9xHpck90l65QnxWRJP78hZI6VubJHs6xTncB8wLblvH5Jf8ctCldkqJz3ZVN1xvE5TKYQOIADeO7xZV4mLxHW-vtcF2p6rSFPUFMpP59NxMJvaeyUN5ZrsYqoE8Hzz6rVeysyRWCUq7JKYHaFuo5jpQjVZWAFYJ6B_S-5a7ThlBwdXr3-hXEtWEcxeSf9rXg2lRgtvR_ecHZWDdhQSihMCePZFnbfwYWPQQJR54iDNVSgm3V2KHc2KSqwv5zF_JKxgnIw28mS-rGsI-iLCN8Dln_k9qvmSb9_3uolLlxjDHfe0Nl9c_xFSAXfB64khF9tUVAcsuTpsXoRO_QD8B8miOey5LYhzYY1xZsLomD_EPSpQBXgock-lvHv-nkrVXgEnvJpI6YU7ZA-69bRyQkB8uyahJTy46fsuOqcD8qBdbIUmkTA0kzDXbz3NHHn9LEffPOMjiYMrlPWRoGnUQuz0kgZOAkQwNP8SFIGkCjeXGd3hW_nsQgZRQU9gpuyJAQyxeLnFUVvBgHD4hwJUqRH8mM2jmFkFbs4kKAfExn8KMAj26ZxP73a1RjWMozEm8xMvojbfxRY4csXRWZPxp7yvVnrrNRVqKZMIRmqw0vg9KYWOhhdasrL7BTezf-xXIBCGtYBEIiiU6YCeGqh13KA5N8tts_Dh3uSVF_F5pMWDbFVKNJKFvbBj451NXOCP76ivZFpTdvvT_jm8zORXno70cTHv1JqFrJNTJ9O-1x49G-UpBMivxQOt3HBXBGEPgM02eTgAxw7cGLZ_4VNYGWa30sdUJOSlxMmQezYTT4siSTADFJokBOUJzjrnP4oXnl78U6nLvudoCMbL30jgK_7WEMIMy2Sm7ZDJGqM7_ZS7KCg6ICXiCWMl1mA0W3WBIwbyd-hthjRHlBzRrmccgk7yxH6nez0AYSCPXJO1gdMEVJkAm9Tb92DbULsZS8JvHVWUlxujyFiRB60LgX47Ojh817w6aPVSkR9Gc708EklkUqWyeAb5fi2roNsu9afh-uD13DerZREDpwxteXxsLZGePcNyhT7ZrYJqlG_p9eOG6m-dsN_f6tr4hU7pjpHJx8tRBMITqfrdbxDQ8ggeIxAjVbnTPN4hhea_VEhjzSb1dWt6By47cIKopyQGufvYX6FsgDp3BB1UiOE8tlkIHLsCSH1T0l5C3pw_o9B2PJPT1kHIyVyqAtFStjnBBRhDxOMNnJ-5TPrtPYC0usutpUSBYYzb16Q9nuKEormfeVFOSgoFGdThSkefjISEcPHxRKUdiCOHjT39Qo1WVZyouHDw_FJr0naeLbX_eCLsBwMdTBgDNfN7qN11EhxECwC6KM8TasXRZTSqrFQUSni4_1y3ywiAh0cte2RoPYNNP6EqUJEofKtP42F9UW1FV0oSRNiTpehsEXPFd2YIUhGSzYObwk26GYUnTbSjDLV7rokQiOvshGRVsjcgSlmbfrFvEgjyGnL26FO5NadiWE4DSvdS_QhC_fIRB8_Anb4yIS8Nwb6_Kgnpq1Dcc0JZVyuTWKL_nNQwxcCWNAuvKU9RbQMnbhlq_JkSgo8tuPHmWZAEbl89OR1u5n2iBj18A3SjPV6_EyBJAJ3bKjt0rjA6n49B0y0U9h8pOLkNUXG-owq0I3FaftUGHEbZJlM2NDp8N6__74spdkACoqDdf_iAevgOF46ySVs9NZ_04AQQz39Q_FzHGqRxc_mmCoKwPRzK2XspaJd8PCqQOB7BA-FJYMtqYW1ymzGeuLMiroONemKgh6CTfwcyqrYKVo_5Jz--ZiPuTG_DBv6g-hZPNm9k8yX9XBHd3xa53x09GfLM6Lx2B36UOfgEvB6eDc6gTYEyJN4xeatFi3F6eiYfe0CjaQWz-dqT_RIxh3ks7QQP3W5xxe9DO2bU0FBHIS5_dtsGKJxy7tBy5cKy-qJFiyUOBm8YMmCrlGYpkoEycDVdMKcjpKey56DPqwF33Onz-iRRrXLGg82oWzurNWVO0pYn5H_KFvdFS1njXmrsWXO6LBoSJvusSVNn7G2ipbxGM4lBMbI2PF3Vrl3LDxE4NShlcBXbJo1n-qDUhKzbJnwnIRs_r7Qxvfkr2f-51Q50mRnpxdcK8hQEbY5cnMq7KWCaAOb1IR8WZm1gziVIJKGJj-CzIkvuuJaJ2e-uvK-efEmhXedEv7ml1GFEtK9cwGphsDRFqjf7HEhRMF-5010NcGSlGGopJ3cQJmSx-9rxHfMS-vTzYb0FDShDyCoeNoMNcm22MY6s1PN31U

[AndersAbel]

Thanks for the answer. The cookies are indeed large and that explains why this fails.

First, even though you are in the middle of a new sign in flow, there is also an existing previous session available (The .AspNetCore.Identity.Application) session. I would recommend to call SignOutAsync as part of the Challenge() method to logout of any existing session before initiating the new login.

Then the large external cookie can depend on a few things. If you have SaveTokens=true, the received tokens are stored in the cookies. If you do not need the tokens, I would suggest changing to SaveTokens=false. Note that Entra Id as far as I know doesn't use the id_token_hint parameter on logout so there is no need to store the tokens just because of logout.

Then if this only happens on a few users it is most likely caused by a large set of group memberships. Entra Id expands any transitive group memberships (groups being members of groups) and that is known to sometimes cause a large number of claims. One way to deal with that is to ask the customer to not include as many groups - maybe there is a setting on the Entra side to limit the groups to just the relevant?

One more tweak is to set the Open ID Connect Options property MapInboundClaims=false, that will change the claim names as stored in the cookie to shorter names which will reduce the cookie size.

Finally, if all those claims/groups are not needed, it's possible to clean up the principal before it is being saved in the cookie. This is done by implementing the OnTicketReceived event in the OpenID Connect config.

I understand that you are in Australia, so I guess this message will find you in the morning. I'm based in Europe and will look at this first thing tomorrow morning to be able to handle any follow up questions before it's too late in the evening for you.

[o5231]

Thank you for your suggestions, these have been applied in UAT and the results look promising.
We will deploy our updates into Prod and perform further checks.