Failed to refresh public api access token using refresh token: Encountered error trying to refresh public api access token using refresh token: Cannot read property 'id' of undefined

Article ID: 316020

Updated On: 04-02-2025

Products

VMware Cloud Foundation

Issue/Introduction

The following error is displayed in SDDC Manager when attempting to update the SDDC:

Retrieving all scheduled and in-progress bundles failed. Unable to retrieve aggregated LCM bundles: Encountered error requesting http://127.0.0.1/v1/upgrades api - Encountered error requesting http://127.0.0.1/v1/upgrades api - Encountered error trying to refresh public api access token using refresh token: Cannot read property 'id' of undefined

At the same time, the following is logged on SDDC Manager in /var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log:

======================================================================================
2022-07-12T14:36:03.938+0000 ERROR [common,9b73587bba4741e8,38a7] [c.v.e.s.i.s.services.PscServiceImpl,http-nio-127.0.0.1-7100-exec-3] Unable to fetch user & groups from saml token
java.lang.RuntimeException: The SAML token signature validation failed!
        at com.vmware.evo.sddc.identity.sso.services.PscServiceImpl.validateSamlToken(PscServiceImpl.java:481)
        at com.vmware.evo.sddc.identity.sso.services.PscServiceImpl.getSamlMetaData(PscServiceImpl.java:440)
        at com.vmware.evo.sddc.identity.services.IdentityServiceImpl.getTokenPair(IdentityServiceImpl.java:115)
        at com.vmware.evo.sddc.identity.rest.api.controller.v1.TokenController.createToken(TokenController.java:72)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)


Environment

VMware Cloud Foundation 4.x

Cause

Multiple STS (Security Token Service) signing certificates are present in the vCenter Server SSO domain. The additional STS certificate typically comes from a linked Cloud vCenter Server. VCF uses the last certificate in that list to validate the SAML token, so when it encounters an STS certificate it does not trust, signature validation fails ("The SAML token signature validation failed!") and SDDC Manager reports the error above.

Refer to the following KB to check the STS certificates that currently exist in the SSO domain:

Checking Expiration of STS Certificate on vCenter Servers

Resolution

This issue is resolved in VMware Cloud Foundation (SDDC Manager) 4.5.

Workaround:
  1. Log in to SDDC Manager over SSH (for example with PuTTY) as the vcf user, then switch to root (su -).
  2. Take a backup of the feature.properties file:
    • cp /opt/vmware/vcf/commonsvcs/conf/feature.properties /root/feature.properties.bak
  3. Edit the file:
    • vi /opt/vmware/vcf/commonsvcs/conf/feature.properties
  4. Edit (or add, if the key is not present) the flag that disables SAML token validation for the public API:
    • feature.vcf.public.api.security.saml.validate=false

Note: this flag turns off signature validation of SAML tokens presented to the SDDC Manager public API. It removes a security control rather than fixing the underlying trust problem, so treat it as a temporary measure, record that it has been set, and remove the flag once the environment has been upgraded to 4.5.
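The following script is an added example, not part of the KB or of the VCF product, that performs steps 2 to 4 above in a repeatable way: it backs up feature.properties, then rewrites an existing assignment of the flag (including one that is commented out) or appends it if absent, so running it twice never leaves duplicate keys behind. The file path and flag name are those given in the KB; the timestamped backup name under /root, the --apply switch and the get_flag/set_flag/apply_workaround helper names are this script's own assumptions. The KB does not state a service restart step, so none is included here.

```shell
#!/bin/sh
# Added example (not part of the KB): apply the workaround repeatably on SDDC Manager.
# Run as root (su - from the vcf user). The file path and flag name come from the KB;
# the backup location under /root and the helper names are this script's own choices.
# Nothing is changed unless the script is invoked with --apply.
set -eu

CONF="/opt/vmware/vcf/commonsvcs/conf/feature.properties"
FLAG="feature.vcf.public.api.security.saml.validate"

# Print the effective value of a key (last uncommented assignment wins; empty if unset).
get_flag() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Set KEY=VALUE in a properties file: rewrite an existing assignment (even one that is
# commented out) or append the line if the key is absent, so repeated runs are idempotent.
set_flag() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]*=" "$file"; then
        tmp="$(mktemp)"
        sed -E "s|^[#[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"      # overwrite in place so the file keeps its owner and mode
        rm -f "$tmp"
    else
        # A file without a trailing newline would otherwise glue the key onto its last line.
        if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
            echo >> "$file"
        fi
        echo "${key}=${value}" >> "$file"
    fi
}

# Steps 2 to 4 of the workaround: back up, show the current value, set the flag, show the result.
apply_workaround() {
    backup="/root/feature.properties.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$CONF" "$backup"
    echo "backup written to $backup"
    before="$(get_flag "$CONF" "$FLAG")"
    echo "before: ${FLAG}=${before:-<unset>}"
    set_flag "$CONF" "$FLAG" false
    echo "after:  ${FLAG}=$(get_flag "$CONF" "$FLAG")"
}

if [ "${1:-}" = "--apply" ]; then
    apply_workaround
fi
```

Run it as root with `sh apply-saml-workaround.sh --apply`; without the switch it only defines the helpers, which makes it safe to source for testing. Because the flag disables a validation step, the "before" line is worth keeping with the change record so the setting can be reverted after the upgrade to 4.5.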