In the horizon.log file, you see entries similar to:
2017-01-23 13:18:19,821 ERROR (tomcat-http--27) [VSPHERE.LOCAL;-;10.250.112.24;] com.vmware.horizon.service.controller.BaseController - Caught exception.
com.tricipher.saas.exception.MyOneLoginFederationException: Unable to validate response against any IDP Status code response is 92000.
    at com.tricipher.saas.action.api.impl.AuthenticationServiceImpl.validateFederation(AuthenticationServiceImpl.java:1685)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:302)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
    at com.sun.proxy.$Proxy290.validateFederation(Unknown Source)
    at com.vmware.horizon.service.controller.auth.LoginController.doFederationResponse(LoginController.java:1337)
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
This issue occurs when the Identity Provider value specified in the directory does not match the value in the connector configuration.
To confirm this:
1. Log in to the vRealize Automation UI with a local administrator account and navigate to Administration > Directories.
2. Open the directory that is failing and record the value listed for Identity Providers.
3. Open an SSH session to the vRealize Automation appliance and log in using root credentials.
4. Navigate to /usr/local/horizon/conf/states/<tenantID>/<connectorID>/config-state.json
   Note: Replace <tenantID> with the tenant name and <connectorID> with the connector ID number. If you have a simple installation with one VA and one connector, this ID is 3001.
5. In the file, find the section labeled idp and locate the nested name field. This should be the same name that you see in the UI.
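The comparison in the steps above can be scripted against a copy of config-state.json. This is an added example, not VMware code: the article only states that the file has an idp section with a nested name field, so the rest of the JSON layout, the sample values, and the function names are assumptions, and the search is deliberately recursive to cope with an unknown layout.

```python
import json
import sys

# Constructed sample. Only the "idp" section with a nested "name" field comes
# from the article; every other key and value here is an assumption.
SAMPLE_CONFIG_STATE = """
{
  "label": {"name": "not-an-idp"},
  "directories": [
    {"idp": {"id": 1, "name": "ExampleIDP_A"}},
    {"idp": [{"name": "ExampleIDP_B"}]}
  ]
}
"""

def idp_names(node, inside_idp=False):
    """Collect every string 'name' found anywhere beneath an 'idp' key."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if inside_idp and key == "name" and isinstance(value, str):
                found.append(value)
            else:
                found.extend(idp_names(value, inside_idp or key == "idp"))
    elif isinstance(node, list):
        for item in node:
            found.extend(idp_names(item, inside_idp))
    return found

def check_idp(config_text, ui_idp_name):
    """Return (matches, names): does the UI value appear in the connector config?"""
    names = idp_names(json.loads(config_text))
    return ui_idp_name.strip() in names, names

if __name__ == "__main__":
    # Usage: script.py <copy of config-state.json> "<Identity Providers value from UI>"
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text, ui_name = handle.read(), sys.argv[2]
    else:
        text, ui_name = SAMPLE_CONFIG_STATE, "ExampleIDP_A"
    ok, names = check_idp(text, ui_name)
    print("MATCH" if ok else "MISMATCH", "| UI:", ui_name, "| connector:", names)
```

A MISMATCH result corresponds to the misalignment described above; the name comparison is exact and case-sensitive.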
Resolution
To resolve this issue, recreate the directory. This deletes the incorrect identity provider in the connector's configuration and creates a new identity provider that corresponds to the newly created directory.
1. Take a backup or snapshot of the vRealize Automation appliance(s).
2. Record the settings in the directory.
3. In the vRealize Automation UI, go to Administration > Directories, select the directory and click Delete.
4. Add a new directory using the settings recorded in step 2.
Additional Information
You may also run into this issue if you recently performed the actions in KB2145438.