Could not create indirect identity provider: Identity provider with ID <Provider ID>
search cancel

Could not create indirect identity provider: Identity provider with ID <Provider ID>

book

Article ID: 370574

calendar_today

Updated On:

Products

VMware vCenter Server 8.0

Issue/Introduction

  • After removing the PingFederate (or other) IdP (changed back to embedded SSO), attempted to re-add PingFederate and received error on “Review” (finish) page of “Could not create indirect identity provider”.

  • Configuring External Identity Provider on vCenter Server fails with error "already exists for tenant <tenant_name>".

  • vSphere Client will show below error message:

    Could not create indirect identity provider: Identity provider with ID ##-##-##-##-## and name <Identity Provider Type Name> already exists for tenant <tenant name>

    Failed to delete usergroup directory with ID ##-##-##-##-## for tenant customer on host <vCenter_FQDN>

  • This KB can be followed to to clean-up stale Identity Provider Configuration such as "Okta", "Microsoft Entra ID", "PingFederate", etc. on vCenter Server.

 

In the /var/log/vmware/trustmanagement-svcs:

 

2026-05-28T16:18:13.683Z [tomcat-exec-2 [] INFO com.vmware.vcenter.trustmanagement.authbroker.BrokerClient opId=] API request GET_USER_GROUP_DIRECTORY to url http://localhost:1080/external-vecs/http1/<vcsa_FQDN>/443/usergroup/t/customer/broker/directories/8c34####6313b returned unexpected response code 404 and the following error information: {"errors":[{"code":"directory.not.found","message":"Directory not found with id: 8c34####6313b","parameters"

:{"directoryId":"8c34####6313b"}}]}

2026-05-28T16:18:13.683Z [tomcat-exec-2 [] WARN com.vmware.vcenter.trustmanagement.authbroker.BrokerClient opId=] Directory with ID 8c34####6313b not found

2026-05-28T16:18:13.683Z [tomcat-exec-2 [] ERROR com.vmware.vcenter.trustmanagement.vapi.impl.AuthBrokerPr

ovidersProviderImpl opId=] Error getting Auth broker identity provider: Auth broker directory with ID 8c34####6313b could not be found in tenant CUSTOMER

com.vmware.vcenter.trustmanagement.impl.NotFoundException: Auth broker directory with ID 8c34####6313b could not be found in tenant CUSTOMER

 

In federation-service.log:

 

2026-05-28T16:18:12,854 INFO <vcsa_FQDN>:federation (ForkJoinPool-2-worker-103) [CUSTOMER;55c68####678e;-;-] com.vmware.vidm.federation.cds.AbstractConfigProvider - Service vidm config item orgContentSecurityPolicyParams does not exist in CDS

2026-05-28T16:18:13,629 WARN <vcsa_FQDN>:federation (vert.x-eventloop-thread-1) [-;-;-;-;-;-] com.vmware.vidm.common.validations.validator.impl.HttpHeaderValidatorImpl - [ValidationFailure] Header validation failed for host, value: SERR###NDM=

 

In the vc-ws1a-broker/token-service.log:

 

2026-05-28T16:19:59,262 WARN <vcsa_FQDN>:token (vert.x-eventloop-thread-1) [;;;;] com.vmware.vidm.token.ServerVerticle$RequestBodyHandler - [Missing Validator] No validator found for header: [content-length]

2026-05-28T16:19:59,284 WARN HDQNCDEVVC01.mihdq.marrcorp.marriott.com:token (vert.x-eventloop-thread-1) [;;;;] com.vmware.vidm.token.ServerVerticle$RequestBodyHandler - [Missing Validator] No validator found for header: [content-length]

Cause

This issue is observed due to stale identity provider configuration on vCenter Server can generally happen while recreating the Identity Provider after switching back from External Identity Provider to Embedded SSO.

Resolution

To resolve this issue, delete the stale identity provider configuration by following the below steps:

Important: Before troubleshooting, take backup of the vCenter appliance. If the vCenter are in linked mode, take offline snapshot of all the vCenter Servers that are in the linked mode. Refer: Enhanced Linked Mode pre-changes snapshot best practice

  1. Login to vCenter Server using SSH (eg. Putty).

  2. Login to RestAPI to get a VC Session ID:

    curl -k --request POST --url https://<vCenter_FQDN>/rest/com/vmware/cis/session -u '[email protected]:<Admin Password>'

    Note: Replace the username <[email protected]> and password <Admin Password> based on the environment.

  3. List the Authbroker IDPs and note down the UUID:

    curl -k --location --request GET 'https://<vCenter_FQDN>/api/vcenter/identity/authbrokeridp' --header 'vmware-api-session-id: <SESSION ID>'

    Note: Replace <SESSION ID> with the id from Step 2

    Sample Response:

    {
      "summary_list": [
        {
          "idp": "#####-####-####-####-#######",  --------------> IDP UUID
          "name": "Azure AD",
          "tenant_type": "CUSTOMER",
          "activation_state": "PRIMARY_ACTIVE",
          "primary_broker_discovery_endpoint": "https://<fqdn>:443/acs/t/customer/.well-known/openid-configuration"

        }
      ]
    }

  4. Delete the each Identity Provider object returned by Step 3:

    curl -k --request DELETE 'https://<vCenter_FQDN>/api/vcenter/identity/authbrokeridp/<IDP UUID>' --header 'vmware-api-session-id: <SESSION ID>'

    Note: Replace <IDP UUID> with the ID from Step 3 and <SESSION ID> with the session id from Step 2.

  5. List the Authbroker IDPs again to verify all the objects are cleaned-up:

    curl -k --location --request GET 'https://<vCenter_FQDN>/api/vcenter/identity/authbrokeridp' --header 'vmware-api-session-id: <SESSION ID>'

    Note: Replace <SESSION ID> with the id from Step 2

  6. Doing above steps will clean-up everything including the VIDB objects. Perform below steps to clean-up the relevant objects in SSO, if it exists.

  7. List the VC Identity Providers:

    curl -k --request GET 'https://<vCenter_FQDN>/rest/vcenter/identity/providers' --header 'vmware-api-session-id: <SESSION ID>'

  8. If the response is not empty, call DELETE on each of the provider objects returned using below command:

    curl -k --request DELETE 'https://<vCenter_FQDN>/rest/vcenter/identity/providers/<Provider ID>' --header 'vmware-api-session-id: <SESSION ID>'

    Note: Replace <Provider ID> with the Provider ID returned by Step 7.

  9. Do a Identity Provider LIST again and verify all objects are deleted:

    curl -k --request GET 'https://<vCenter_FQDN>/rest/vcenter/identity/providers' --header 'vmware-api-session-id: <SESSION ID>'

  10. To clean-up the VIDB objects, get an access token by calling below API:

    curl -k --location --request GET 'https://<vCenter_FQDN>/api/vcenter/identity/broker/tenants/CUSTOMER/admin-client' --header 'vmware-api-session-id: <SESSION ID>'

  11. List VIDB Directories to obtain Directory ID:

    curl -kv --request GET 'https://<vCenter_FQDN>/usergroup/t/CUSTOMER/broker/directories' --header 'Authorization: Bearer <ACCESS TOKEN>' | jq

    Note: Replace <ACCESS TOKEN> using the token from Step 10.

    Sample Response:

    {
      "items": [
        {
          "_links": {},
          "id": "<Directory ID>",
          "name": "azure_dir",
          "domains": [
            "<domain name>"
          ],
          "source": "AZURE",
          "type": "PROVISIONED",
          "delete_in_progress": false
        }
      ],
      "_links": {}
    }

  12. Perform DELETE on each of the returned directories:

    curl -kv --request DELETE 'https://<vCenter_FQDN>/usergroup/t/CUSTOMER/broker/directories/<Directory ID from Step 11>' --header 'Authorization: Bearer <ACCESS TOKEN>'

  13. List the directories again and verify all objects are deleted:

    curl -kv --request GET 'https://<vCenter_FQDN>/usergroup/t/CUSTOMER/broker/directories' --header 'Authorization: Bearer <ACCESS TOKEN>' | jq

    Note: Replace <ACCESS TOKEN> using the token from Step 10.

  14. List VIDB Identity Provider to obtain Identity Provider ID:

    curl -kv --location --request GET 'https://<vCenter_FQDN>/federation/t/CUSTOMER/broker/identity-providers' --header 'Authorization: Bearer <Access Token>' | jq

    Sample Response :

    {
      "items": [
        {
          "_links": {},
          "id": "<Identity Provider ID>",
          "idp_name": "Azure",
          "idp_type": "OIDC",
          "directory_ids": []
        }
      ],
      "_links": {}
    }

  15. Perform DELETE on each of the returned directories:

    curl -kv --location --request DELETE 'https://<vCenter_FQDN>/federation/t/CUSTOMER/broker/identity-providers/<Identity Provider ID from Step 14>' --header 'Authorization: Bearer <ACCESS TOKEN>'

  16. List the VIDB Identity Providers and verify all objects are deleted:

    curl -kv --location --request GET 'https://<vCenter_FQDN>/federation/t/CUSTOMER/broker/identity-providers' --header 'Authorization: Bearer <Access Token>' | jq

Additional Information

In certain circumstances, the curl commands in the resolution steps may not provide any results/values for the stale identity provider configuration. In such cases, the stale entries can be removed from the vSphere SSO domain using JXplorer.

  1. To Connect to a vCenter with JXplorer, refer: How to Connect to a vCenter with JXplorer
  2. Once connected to the SSO domain, delete the stale entry manually under the following location: Services -> IdentityManager -> Tenants -> vsphere.local -> IdentityProviders
  3. Next restart the vCenter services using command "service-control --stop --all && service-control --start --all" and try to configure EntraID again.
Powered by Wolken Software