OIDC Group logins failing when using Microsoft Entra ID as the identity provider.
Article ID: 368295


Updated On:

Products

VMware Cloud Director

Issue/Introduction

  • Cloud Director (VCD) is configured to use Microsoft Entra ID as an OIDC identity provider.
  • OIDC groups from the identity provider have been imported into VCD.
  • Attempting to log into VCD using the Sign in with OIDC option fails when logging in as a user in the imported group.
  • Importing the OIDC user directly into VCD allows Sign in with OIDC option to succeed.
  • The /opt/vmware/vcloud-director/logs/vcloud-container-debug.log on the Cloud Director cells states that the login failed because the user is not part of any imported groups:

| DEBUG    | pool-jetty-#             | OrgMemberProvider              | Neither user <SUBJECT> nor any of the groups [] of type OAUTH are imported to org <ORG_ID>
| WARN     | pool-jetty-#             | OAuthAuthenticationSuccessHandler | Error logging in <USER_ID>

Environment

VMware Cloud Director

Cause

This issue occurs because Cloud Director cannot obtain the groups claim from the identity provider through the UserInfo endpoint: Microsoft Entra ID makes the groups claim available in the ID Token rather than in the UserInfo response.

Resolution

To allow Cloud Director to combine the claims from both the UserInfo endpoint and the ID Token, enable the Prefer ID Token toggle in the OIDC configuration in the Cloud Director portal.
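The claim handling behind the cause and resolution above, as an added illustrative example that is not Cloud Director's own code: the claim names, group identifiers, sample responses and the merge order (ID Token claims layered on top of UserInfo claims when the toggle is on) are assumptions.

```python
import base64
import json

# Constructed sample data, not a real Microsoft Entra ID response.
# The UserInfo endpoint answers without a groups claim, while the ID Token
# (a JWT; only its payload segment is modelled here) carries the groups.
USERINFO_CLAIMS = {"sub": "user-subject-123", "name": "Jane Doe"}
ID_TOKEN_PAYLOAD = {"sub": "user-subject-123",
                    "groups": ["GROUP_OBJECT_ID_A", "GROUP_OBJECT_ID_B"]}
# Groups imported into the VCD organisation (constructed identifiers).
IMPORTED_GROUPS = {"GROUP_OBJECT_ID_B"}


def decode_jwt_payload(segment: str) -> dict:
    """Decode a JWT's base64url payload segment. The token signature must
    already be verified against the provider's JWKS before claims are trusted."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def merge_claims(userinfo: dict, id_token: dict, prefer_id_token: bool) -> dict:
    """prefer_id_token=False models the failing behaviour: only UserInfo claims
    are used, so no groups claim is seen. True merges the ID Token claims on
    top of UserInfo. OIDC Core 5.3.2 requires the 'sub' values to agree."""
    if userinfo.get("sub") != id_token.get("sub"):
        raise ValueError("UserInfo 'sub' does not match ID Token 'sub'")
    if not prefer_id_token:
        return dict(userinfo)
    merged = dict(userinfo)
    merged.update(id_token)  # ID Token values win on conflict
    return merged


def resolve_login(claims: dict, imported_groups: set, claim_name: str = "groups") -> list:
    """Return the user's groups that are imported into the org; raise when none,
    which is the condition behind the 'Neither user ... nor any of the groups' log line."""
    groups = claims.get(claim_name, [])
    matched = [g for g in groups if g in imported_groups]
    if not matched:
        raise PermissionError(
            f"Neither user {claims.get('sub')} nor any of the groups {groups} are imported")
    return matched


def login(prefer_id_token: bool) -> list:
    """Run the constructed flow end to end and return the matched groups."""
    seg = base64.urlsafe_b64encode(json.dumps(ID_TOKEN_PAYLOAD).encode()).rstrip(b"=").decode()
    claims = merge_claims(USERINFO_CLAIMS, decode_jwt_payload(seg), prefer_id_token)
    return resolve_login(claims, IMPORTED_GROUPS)
```

With the toggle off, the merged claims contain no groups and the login is rejected exactly as in the debug log; with it on, the group from the ID Token matches the imported group and the login succeeds.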

For more details on this setting, see the Cloud Director documentation on Configure Your System to Use an OpenID Connect Identity Provider Using Your VMware Cloud Director Service Provider Admin Portal and Configure Your System to Use an OpenID Connect Identity Provider Using Your VMware Cloud Director Tenant Portal.