URLs for UiV2Admin.* blocked by AWS managed WAF


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor
    • Affects Version/s: None
    • Component/s: UI

Not a Grouper problem, but something people should be aware of. Going to certain pages is a redirect to the ajaxError page. It doesn't even hit Grouper; it's an error at the ALB. What you will see is that there is an additional header:

    server: awselb/2.0

If you see the above header, the error is not coming from Grouper but from the ALB. There is a compounded problem, because the browser now wants to redirect to the ajaxError page, but has the wrong CSRF token. So all you see logged to the server is "error:Request Token does not match the Master Token". This is a rare error and not the normal CSRF problem people often see.

      The AWS WAF (web application firewall) rule is

      • Metric name: AWS-AWSManagedRulesAdminProtectionRuleSet
      • URI: /grouper/grouperUi/app/UiV2Admin.subjectApiDiagnosticsSourceIdChanged?subjectApiSourceIdName=enterprise-users
      • Rule inside rule group: AWS#AWSManagedRulesAdminProtectionRuleSet#AdminProtection_URIPATH
      • Action: BLOCK

      Description: Inspects for URI paths that are generally reserved for administration of a web server or application. Example patterns include sqlmanager.

      There are no details about what patterns are blocked. But it does appear that URLs for /UiV2Admin.* are the only ones that trigger the error.
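The following triage helper is an added example, not code from this issue or from the Grouper project. It applies the two pieces of evidence the issue gives (the awselb/ Server header and the "Request Token does not match the Master Token" log line) to tell an ALB/WAF block apart from a real Grouper error, and flags request paths under /grouper/grouperUi/app/UiV2Admin.* as candidates for the AdminProtection_URIPATH rule. The sample responses and log lines are constructed; the path regex is an assumption based on the one blocked URL quoted above.

```python
# Added example (not from the Jira issue or the Grouper project): triage helper that
# separates ALB/WAF blocks from Grouper-generated errors using the evidence the
# issue describes. The sample responses and log lines below are constructed.
import re
from typing import Iterable, Mapping, Optional

# Assumed pattern for the URLs reported as blocked: /grouper/grouperUi/app/UiV2Admin.<method>
ADMIN_PATH_RE = re.compile(r"^/grouper/grouperUi/app/UiV2Admin\.[A-Za-z0-9_]+")

# The only thing Grouper logs when the browser retries ajaxError with a stale token
CSRF_MISMATCH = "Request Token does not match the Master Token"

LIKELY_RULE = "AWS#AWSManagedRulesAdminProtectionRuleSet#AdminProtection_URIPATH"


def is_admin_protection_candidate(path: str) -> bool:
    """True when the path matches the UiV2Admin.* URLs the issue reports as blocked."""
    return ADMIN_PATH_RE.match(path) is not None


def server_header(headers: Mapping[str, str]) -> Optional[str]:
    """Return the Server header value, matching the header name case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "server":
            return value
    return None


def is_alb_response(headers: Mapping[str, str]) -> bool:
    """True when the response carries an awselb/ Server header, i.e. the load
    balancer (here, a WAF BLOCK) answered and the request never reached Grouper."""
    value = server_header(headers)
    return value is not None and value.lower().startswith("awselb/")


def triage(path: str, headers: Mapping[str, str]) -> dict:
    """Classify one response and name the likely WAF rule when it fits the pattern."""
    alb = is_alb_response(headers)
    admin = is_admin_protection_candidate(path)
    return {
        "origin": "alb" if alb else "grouper",
        "admin_path": admin,
        "likely_rule": LIKELY_RULE if (alb and admin) else None,
    }


def count_csrf_mismatches(log_lines: Iterable[str]) -> int:
    """Count the CSRF mismatch message in Grouper log lines. A burst of these right
    after a UiV2Admin.* page load, with no matching request in Grouper's own
    access log, is the ALB-block symptom rather than an ordinary CSRF failure."""
    return sum(1 for line in log_lines if CSRF_MISMATCH in line)


# Constructed sample data for the demo and tests
SAMPLE_BLOCKED = {
    "path": "/grouper/grouperUi/app/UiV2Admin.subjectApiDiagnosticsSourceIdChanged",
    "headers": {"Server": "awselb/2.0", "Content-Type": "text/html"},
}
SAMPLE_NORMAL = {
    "path": "/grouper/grouperUi/app/UiV2Main.index",
    "headers": {"Content-Type": "text/html;charset=UTF-8"},
}
SAMPLE_LOG = [
    "2024-01-01 10:00:00 INFO  request /grouper/grouperUi/app/UiV2Main.index",
    "2024-01-01 10:00:05 ERROR error:Request Token does not match the Master Token",
    "2024-01-01 10:00:05 ERROR error:Request Token does not match the Master Token",
]

if __name__ == "__main__":
    for sample in (SAMPLE_BLOCKED, SAMPLE_NORMAL):
        print(sample["path"], "->", triage(sample["path"], sample["headers"]))
    print("CSRF mismatches in log:", count_csrf_mismatches(SAMPLE_LOG))
```

An "alb" result is a WAF tuning question, not a Grouper bug: AWS WAF lets you override the action of a single rule inside a managed rule group (for example, setting AdminProtection_URIPATH to Count) while keeping the rest of the rule set enforced, which avoids disabling the whole AdminProtection group for these URLs.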

Assignee: Chris Hyzer (upenn.edu)
Reporter: Chad Redman
Votes: 0
Watchers: 1
