Login fails with error 500 returned from VMware Identity Manager

Article ID: 321814

Products

VMware Integrated OpenStack

Issue/Introduction

  • When attempting to log in to a previously working VMware Integrated OpenStack integration with VMware Identity Manager, an error 500 is returned with the following error:
    {"error": {"message": "Group <group name> returned by mapping idp_mapping was not found in the backend. (Disable insecure_debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}
  • This error appears either in the UI or in the keystone logs.

Environment

7.x

Cause

The user attempting to log in is a member of a group that does not exist in OpenStack. Keystone federation with VMware Identity Manager is configured with a specific set of groups. If Identity Manager returns the user as a member of a group that does not exist in the Keystone database, this error is the result.

Resolution

To resolve this, create the missing group through the CLI or API so the impacted users can log in: openstack group create <group name>

Workaround:
There is a second option: the group that does not exist in the OpenStack Keystone database can instead be deleted in VMware Identity Manager. Users can then log in to VMware Integrated OpenStack correctly as members of the group configured for Keystone federation.
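As an added example (not part of this article or the VMware Integrated OpenStack product), the script below scans keystone log lines for the error quoted above, collects every group name Identity Manager returned that Keystone could not find, and prints the matching openstack group create commands from the resolution. The sample log lines are constructed, and the optional --domain argument is an assumption for deployments whose mapping expects a group outside the default domain.

```python
import json
import re
import shlex
from typing import Dict, Iterable, List, Optional

# Pattern of the keystone error body quoted in this article.
MISSING_GROUP_RE = re.compile(
    r"Group (?P<name>.+?) returned by mapping (?P<mapping>\S+) was not found in the backend"
)

# Constructed sample keystone log lines (not real log output); the first
# group is reported twice on purpose to show de-duplication.
SAMPLE_KEYSTONE_LOG = [
    '{"error": {"message": "Group cloud-admins returned by mapping idp_mapping was not found in the backend. (Disable insecure_debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}',
    "GET /v3/auth/tokens HTTP/1.1 status: 201",
    '{"error": {"message": "Group cloud-admins returned by mapping idp_mapping was not found in the backend. (Disable insecure_debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}',
    '{"error": {"message": "Group project-readers returned by mapping idp_mapping was not found in the backend. (Disable insecure_debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}',
]


def find_missing_groups(lines: Iterable[str]) -> Dict[str, str]:
    """Return {group_name: mapping_name} for every unmapped-group error found."""
    found: Dict[str, str] = {}
    for line in lines:
        message = line
        # Keystone returns the error as JSON; fall back to the raw line otherwise.
        try:
            body = json.loads(line)
            message = body.get("error", {}).get("message", line)
        except (ValueError, AttributeError):
            pass
        match = MISSING_GROUP_RE.search(message)
        if match:
            found[match.group("name")] = match.group("mapping")
    return found


def group_create_commands(groups: Dict[str, str], domain: Optional[str] = None) -> List[str]:
    """Build the 'openstack group create' commands for each missing group.
    'domain' is an assumption: set it only if the mapping expects a non-default domain."""
    commands = []
    for name in sorted(groups):
        cmd = ["openstack", "group", "create"]
        if domain:
            cmd += ["--domain", shlex.quote(domain)]
        cmd.append(shlex.quote(name))  # group names may contain spaces
        commands.append(" ".join(cmd))
    return commands


if __name__ == "__main__":
    for command in group_create_commands(find_missing_groups(SAMPLE_KEYSTONE_LOG)):
        print(command)
```

Review the generated commands before running them, and confirm each group is one Identity Manager is meant to pass to Keystone rather than a stale assignment better removed under the workaround.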

Additional Information

Full documentation on the OpenStack commands used to administer groups is available here.