Unable to login with single sign-on after upgrading to Cloud Director 10.3.3

Article ID: 325688


Products

VMware Cloud Director

Issue/Introduction

Symptoms:
  • Cloud Director has been upgraded to the 10.3.3 release.
  • Cloud Director has been configured to use a SAML or OIDC identity provider for authentication at the System and/or Tenant level.
  • Cloud Director has been configured to use a custom branding color using the portalColor option at the System and/or Tenant level with the branding API.
  • The cloudapi/branding and/or cloudapi/branding/tenant/{org} API shows a custom portalColor value other than the default value, null:
"portalColor": "#333333",
  • Clicking the Sign In With Single Sign-On button on the Cloud Director login page fails to redirect to the associated identity provider; instead, it redirects to the base Cloud Director login page.
  • Logging into the identity provider first and then opening Cloud Director after already authenticating is successful.
  • The browser console shows an error such as the following when attempting to log in to Cloud Director.
Chrome:
Uncaught TypeError: Cannot read properties of undefined (reading 'style')

Firefox:
Uncaught TypeError: document.getElementsByClassName(...)[0] is undefined
  • In /opt/vmware/vcloud-director/logs/vcloud-container-debug.log, there are errors of the form:
| SECURITY | pool-jetty-65             | SsoFilterUtils                 | No matching sso interaction cookie for org <OrgName>


Environment

VMware Cloud Director 10.x

Cause

This is a known issue in Cloud Director 10.3.3 with the Sign In With Single Sign-On button.
It occurs when a custom branding color is set using the portalColor option at the System and/or Tenant level with the branding API.

Resolution

This issue has been resolved in Cloud Director 10.3.3.1 which is available here for download.

Workaround:
In most instances, logging in to the identity provider first and then opening the Cloud Director UI will result in the user logging in successfully.

To work around the issue when starting the login process from the Cloud Director UI, remove the customized color and set the portalColor parameter back to the default value, null.
This must be done for the System level branding as well as any individually customized Tenants.
This can be done via the branding API endpoints, details of which are available in the VMware Cloud Director OpenAPI - Branding documentation.

Example steps to perform this workaround would be as follows:
  1. Log into the Cloud Director Provider UI as a System Administrator.
  2. Open the API Explorer from the "?" menu in the top right of the Provider UI.
  3. Navigate to the branding section in the API Explorer page that opens.
  4. Click on the GET /branding "Gets the system level branding" option to expand it.
  5. Click the Try it out and then Execute buttons to perform the GET and copy the JSON Response body that is returned.
  6. Edit the JSON and change the portalColor field from a custom color to the default value, null:
     Custom color example:
     "portalColor": "#333333",

     Default color:
     "portalColor": null,
  7. In the API Explorer, click on the PUT /branding "Sets default branding" option to expand it.
  8. Click the Try it out button and in the Example Value field paste the updated JSON body from step 6.
 
NOTE: The following JSON is for example purposes only; please use the JSON retrieved for the specific Cloud Director environment in step 6 above.
Example updated JSON:
{
  "portalName": "Example Cloud Director",
  "portalColor": null,
  "selectedTheme": {
    "themeType": "BUILT_IN",
    "name": "Default"
  },
  "customLinks": [
    {
      "name": "help",
      "menuItemType": "override",
      "url": null
    },
    {
      "name": "imprint",
      "menuItemType": "override",
      "url": null
    },
    {
      "name": "about",
      "menuItemType": "override",
      "url": null
    },
    {
      "name": "vmrc",
      "menuItemType": "override",
      "url": null
    }
  ]
}
  9. Click the Execute button to send and apply the updated JSON. The Server response should show a Code 200 result.
  10. Reload the main Cloud Director Provider UI and confirm that the color of the header at the top of the page changes from the custom color to the default "grey" scheme.
  11. Log out of Cloud Director and attempt to log in again using the Sign in with Single Sign On button. The login should now redirect to the identity provider as expected.
  12. If there are individual Tenants that have separate custom colors for their branding, they must also be reverted to the default or their login will continue to fail. To resolve these, use the GET /branding/tenant/{org} "Gets org-specific branding" and PUT /branding/tenant/{org} "Sets org-specific branding" options to also change these Tenants to use the default value, null. Use the individual Tenant's Organization Name in the org field.
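
Added example (not part of the original article and not VMware code): a Python helper that counts the SsoFilterUtils errors per org from vcloud-container-debug.log lines and, given branding JSON already retrieved from the endpoints above, builds the PUT body for every scope that still has a custom portalColor. The function names, org names, colors and log timestamps are constructed for illustration; the HTTP calls themselves are left to the API Explorer steps.

```python
import copy
import json
import re

# Matches the SsoFilterUtils error quoted in the article; captures the org name.
SSO_ERR = re.compile(
    r"\|\s*SsoFilterUtils\s*\|\s*No matching sso interaction cookie for org (\S+)")

def orgs_with_sso_errors(log_lines):
    """Count the SSO cookie errors per org in vcloud-container-debug.log lines."""
    counts = {}
    for line in log_lines:
        m = SSO_ERR.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def plan_portal_color_reset(system_branding, tenant_brandings):
    """Map each endpoint with a custom portalColor to its corrected PUT body.

    system_branding: body returned by GET cloudapi/branding
    tenant_brandings: {org name: body from GET cloudapi/branding/tenant/{org}}
    Every other field is copied unchanged so the PUT keeps the rest of the branding.
    """
    scopes = {"cloudapi/branding": system_branding}
    for org, body in tenant_brandings.items():
        scopes["cloudapi/branding/tenant/" + org] = body
    plan = {}
    for endpoint, body in scopes.items():
        if body.get("portalColor") is not None:
            fixed = copy.deepcopy(body)
            fixed["portalColor"] = None  # json.dumps writes this as null
            plan[endpoint] = fixed
    return plan

# Constructed sample data: org names, colors and timestamps are made up.
SAMPLE_LOG = [
    "2022-05-01 10:00:01,123 | SECURITY | pool-jetty-65 | SsoFilterUtils | "
    "No matching sso interaction cookie for org ExampleOrgA",
    "2022-05-01 10:00:09,456 | SECURITY | pool-jetty-71 | SsoFilterUtils | "
    "No matching sso interaction cookie for org ExampleOrgA",
    "2022-05-01 10:00:10,001 | INFO | pool-jetty-71 | SomeOtherClass | unrelated",
]
SYSTEM = {"portalName": "Example Cloud Director", "portalColor": "#333333"}
TENANTS = {"ExampleOrgA": {"portalName": "Org A", "portalColor": "#0055AA"},
           "ExampleOrgB": {"portalName": "Org B", "portalColor": None}}

if __name__ == "__main__":
    print(orgs_with_sso_errors(SAMPLE_LOG))
    print(json.dumps(plan_portal_color_reset(SYSTEM, TENANTS), indent=2))
```

Scopes whose portalColor is already null are left out of the plan, so only the endpoints that need a PUT are listed.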


Additional Information

Impact/Risks:
Removing the customized color and setting the portalColor parameter back to the default value, null, will result in the Cloud Director UI returning to the default color scheme.