"Invalid issuer" error when implementing Azure OIDC authentication on Ops Manager version 3.0.21+
Article ID: 293853

Products

Operations Manager

Issue/Introduction

Prerequisites:

The Problem:
This article covers a specific issue that occurs when implementing OIDC authentication on Ops Manager versions later than 3.0.21.

Symptom: After configuring OIDC authentication on Ops Manager, browsing to the Ops Manager Web UI URL produces this error message:

Error: There was an error when authenticating against the external identity provider: Invalid issuer (https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/v2.0) for token did not match expected: https://login.microsoftonline.com

Environment

Product Version: 2.10

Resolution
The resolution has two steps:

  • 1. Upgrade to Ops Manager 3.0.24 or later.

If, after upgrading to Ops Manager 3.0.24 and authenticating via OIDC at the Ops Manager dashboard URL, you see an error message similar to the one below, proceed to step 2 of the resolution. If you do not see the error message below, step 2 is not required.

"You do not have sufficient privileges to view this page. Please contact your administrator and ask them to assign you the appropriate privileges.

You might try to log out of UAA and log in again. "


  • 2. Assign an App role to the OIDC application in Azure, and confirm that the App role name matches in both the Azure console and the Ops Manager OIDC settings dashboard.

The error above can occur when the OIDC application in Azure is missing an app role, or when the app role name entered in the Ops Manager OIDC settings dashboard is incorrect or does not match the app role name created in the Azure console.

Add an app role by following these steps:
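The two checks behind the symptoms on this page, the exact-match issuer comparison that produces the "Invalid issuer" error and the app-role lookup behind the "insufficient privileges" error, as an added Python illustration (not Ops Manager's or UAA's own code). The tenant ID, client ID and role name `OpsManager.Admin` are constructed placeholders, and the token is an unsigned fixture; a real relying party verifies the signature against the provider's JWKS before trusting any claim.

```python
import base64
import json

# Constructed sample: claims shaped like an Azure AD v2.0 ID token.
# The tenant ID is a placeholder, not a real tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": "ops-manager-client-id",        # placeholder client ID
    "roles": ["OpsManager.Admin"],         # placeholder app role name
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build header.payload.signature with an empty signature (test fixture only;
    production code must verify a real signature before reading claims)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_issuer(token: str, expected_issuer: str) -> tuple[bool, str]:
    """Exact string match, as an OIDC relying party performs it. A tenant-scoped
    v2.0 issuer in the token never equals a bare https://login.microsoftonline.com."""
    iss = decode_claims(token).get("iss", "")
    if iss != expected_issuer:
        return False, (f"Invalid issuer ({iss}) for token did not match "
                       f"expected: {expected_issuer}")
    return True, "issuer ok"


def check_app_role(token: str, required_role: str) -> bool:
    """The 'roles' claim must contain the configured role name exactly
    (case-sensitive), or the user is treated as unprivileged."""
    return required_role in decode_claims(token).get("roles", [])
```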

STEP 1
Navigate to the App Registrations page in Azure console and select your OIDC application: 



STEP 2
Go to the "App Roles" section of the OIDC application:



STEP 3
Create an App role: 


STEP 4
Go back to the App role page, and click the "How do I assign App roles" link: 


STEP 5
Click the "Enterprise Applications" tab


STEP 6
Click the "Assign users and groups" link: 


STEP 7
Assign the app role created in step 3 to the user you sign into Azure with (the account tied to your OIDC application). Select that user, select the app role, and click "select" to apply the role to the user: 

STEP 7A
  • Select the desired user: 

STEP 7B
  • Select the desired group. In our case, we will select the group we created in Step 3.

STEP 7C
  • Choose the role we created in Step 3:


STEP 7D
  • Assign the app role to the desired user:



STEP 8
Confirm that the app role you've created in step 3 is assigned to your desired user: 


STEP 9
Navigate back to the Operations Manager Web UI, and update the Operations Manager Web UI settings for OIDC authentication: 



STEP 10
Update the OIDC settings with the new app role: 


STEP 11
To confirm that OIDC authentication is working properly on Ops Manager, copy the Ops Manager URL without a trailing forward slash (/) and navigate to it in your browser. You may be prompted for the decryption passphrase; if so, enter it and press Enter to proceed. 

Eventually, you should see a loading screen like this: 


If OIDC authentication is successful, you should see a page where you can see your downloaded tiles: 

NOTE: If you encounter a separate error and are locked out of Ops Manager, you can enable rescue mode as shown in this separate KB article: https://knowledge.broadcom.com/external/article/293468/how-to-put-ops-manager-into-rescue-mode.html