"Could not create indirect identity provider: Identity provider with ID <Provider ID> and name Azure AD already exists for tenant CUSTOMER

Article ID: 370574


Products

VMware vCenter Server 8.0

Issue/Introduction

  • Configuring an External Identity Provider on vCenter Server fails with the error "already exists for tenant CUSTOMER".

  • The vSphere Client shows the error message below.



  • This issue is caused by a stale identity provider configuration on vCenter Server. It typically occurs when the Identity Provider is recreated after switching back from an External Identity Provider to Embedded SSO.

  • This KB can be followed to clean up stale Identity Provider configurations such as "Okta" or "Azure AD" on vCenter Server.

Resolution

To resolve this issue, delete the stale identity provider configurations by following the steps below:

  1. Log in to vCenter Server using SSH (e.g. PuTTY).

  2. Log in to the REST API to obtain a vCenter session ID:

    curl -k --request POST --url https://vCenter_FQDN/rest/com/vmware/cis/session -u '<SSO Admin Username>:<Admin Password>'

    Note: Update the username and password based on the environment.

  3. List the Authbroker IDPs and note down the UUID:

    curl -k --location --request GET 'https://vCenter_FQDN/api/vcenter/identity/authbrokeridp' --header 'vmware-api-session-id: <SESSION ID>'

    Note: Replace <SESSION ID> with the session ID from Step 2.

    Sample response:

    {
      "summary_list": [
        {
          "idp": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
          "name": "Azure AD",
          "tenant_type": "CUSTOMER",
          "activation_state": "PRIMARY_ACTIVE",
          "primary_broker_discovery_endpoint": "https://<fqdn>:443/acs/t/customer/.well-known/openid-configuration"
        }
      ]
    }

    The value of "idp" is the IDP UUID used in Step 4.

  4. Delete each Identity Provider object returned by Step 3:

    curl -k --request DELETE 'https://vCenter_FQDN/api/vcenter/identity/authbrokeridp/<IDP UUID>' --header 'vmware-api-session-id: <SESSION ID>'

    Note: Replace <IDP UUID> with the ID from Step 3 and <SESSION ID> with the session ID from Step 2.

  5. List the Authbroker IDPs again to verify that all objects have been cleaned up:

    curl -k --location --request GET 'https://vCenter_FQDN/api/vcenter/identity/authbrokeridp' --header 'vmware-api-session-id: <SESSION ID>'

    Note: Replace <SESSION ID> with the session ID from Step 2.

  6. The steps above clean up everything, including the VIDB objects. Perform the steps below to clean up the relevant objects in SSO, if any exist.

  7. List the vCenter Identity Providers:

    curl -k --request GET 'https://vCenter_FQDN/rest/vcenter/identity/providers' --header 'vmware-api-session-id: <SESSION ID>'

  8. If the response is not empty, call DELETE on each of the provider objects returned, using the command below:

    curl -k --request DELETE 'https://vCenter_FQDN/rest/vcenter/identity/providers/<Provider ID>' --header 'vmware-api-session-id: <SESSION ID>'

    Note: Replace <Provider ID> with the Provider ID returned by Step 7.

  9. Do an Identity Provider LIST again and verify that all objects are deleted:

    curl -k --request GET 'https://vCenter_FQDN/rest/vcenter/identity/providers' --header 'vmware-api-session-id: <SESSION ID>'

  10. Now, to clean up the VIDB objects, get an access token by calling the API below:

    curl -k --location --request GET 'https://vCenter_FQDN/api/vcenter/identity/broker/tenants/CUSTOMER/admin-client' --header 'vmware-api-session-id: <SESSION ID>'

  11. Perform a VIDB Directories LIST:

    curl -kv --request GET 'https://vCenter_FQDN/usergroup/t/CUSTOMER/broker/directories' \
      --header 'Authorization: Bearer <ACCESS TOKEN>' | jq

    Note: Replace <ACCESS TOKEN> with the token from Step 10.

    Sample response:

    {
      "items": [
        {
          "_links": {},
          "id": "<Directory ID>",
          "name": "azure_dir",
          "domains": [
            "<domain name>"
          ],
          "source": "AZURE",
          "type": "PROVISIONED",
          "delete_in_progress": false
        }
      ],
      "_links": {}
    }



  12. Perform DELETE on each of the returned directories:

    curl -kv --request DELETE 'https://vCenter_FQDN/usergroup/t/CUSTOMER/broker/directories/<Directory ID from Step 11>' \
      --header 'Authorization: Bearer <ACCESS TOKEN>'

  13. List the directories again and verify that all objects are deleted:

    curl -kv --request GET 'https://vCenter_FQDN/usergroup/t/CUSTOMER/broker/directories' \
      --header 'Authorization: Bearer <ACCESS TOKEN>' | jq

    Note: Replace <ACCESS TOKEN> with the token from Step 10.

  14. Perform a VIDB Identity Provider LIST:

    curl -kv --location --request GET 'https://vCenter_FQDN/federation/t/CUSTOMER/broker/identity-providers' \
      --header 'Authorization: Bearer <ACCESS TOKEN>' | jq

    Sample response:

    {
      "items": [
        {
          "_links": {},
          "id": "<Identity Provider ID>",
          "idp_name": "Azure",
          "idp_type": "OIDC",
          "directory_ids": []
        }
      ],
      "_links": {}
    }

  15. Perform DELETE on each of the returned VIDB identity providers:

    curl -kv --location --request DELETE 'https://vCenter_FQDN/federation/t/CUSTOMER/broker/identity-providers/<Identity Provider ID from Step 14>' \
      --header 'Authorization: Bearer <ACCESS TOKEN>'

  16. List the VIDB Identity Providers again and verify that all objects are deleted:

    curl -kv --location --request GET 'https://vCenter_FQDN/federation/t/CUSTOMER/broker/identity-providers' \
      --header 'Authorization: Bearer <ACCESS TOKEN>' | jq
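The verification steps above (5, 9, 13 and 16) are spread across four endpoints and two credentials; the script below, an added example that is not part of this KB, runs all four list calls read-only and reports how many stale objects remain at each layer. It assumes VC_FQDN, VC_USER and VC_PASS are set in the environment, treats ACCESS_TOKEN (the Step 10 token) as optional, and assumes the /rest providers list keys each entry by "provider".

```shell
#!/usr/bin/env bash
# Added example, not part of the KB: a read-only audit of the four object classes
# the procedure above deletes (Steps 3, 7, 11, 14). Only list requests are sent.
# Assumptions: VC_FQDN, VC_USER and VC_PASS are set in the environment, ACCESS_TOKEN
# (the Step 10 token) is optional, and the SSO provider list keys each entry by
# "provider" (assumed from the /rest API shape). -k mirrors the KB's curl usage.
set -u

# Print every value of "<key>": "<value>" found in a JSON body on stdin, one per
# line, using only grep/sed so the check also works where jq is not installed.
extract_ids() {
  grep -o "\"$1\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
    | sed 's/^"[^"]*"[[:space:]]*:[[:space:]]*"\([^"]*\)"$/\1/'
}

# Number of objects a list response still contains (0 means that layer is clean).
count_ids() { extract_ids "$1" | grep -c .; }

# GET one endpoint and count objects under KEY; a failed request is reported
# instead of being mistaken for an empty (clean) list.
get_count() {  # url, header, key
  local body
  body=$(curl -sk --fail "$1" -H "$2") || { echo "request failed: $1" >&2; return 2; }
  printf '%s' "$body" | count_ids "$3"
}

# Constructed sample in the Step 3 response shape, used for a local self-check.
SAMPLE_AUTHBROKER='{"summary_list":[{"idp":"aaaa-1111","name":"Azure AD","tenant_type":"CUSTOMER"}]}'
audit() {
  local base="https://${VC_FQDN}" sid hdr n stale=0
  sid=$(curl -sk --fail -X POST "${base}/rest/com/vmware/cis/session" \
          -u "${VC_USER}:${VC_PASS}" | extract_ids value)
  [ -n "$sid" ] || { echo "could not obtain a session id" >&2; return 2; }
  hdr="vmware-api-session-id: ${sid}"
  n=$(get_count "${base}/api/vcenter/identity/authbrokeridp" "$hdr" idp) || return 2
  echo "Authbroker IDPs remaining:         $n"; stale=$((stale + n))
  n=$(get_count "${base}/rest/vcenter/identity/providers" "$hdr" provider) || return 2
  echo "SSO identity providers remaining:  $n"; stale=$((stale + n))
  if [ -n "${ACCESS_TOKEN:-}" ]; then
    hdr="Authorization: Bearer ${ACCESS_TOKEN}"
    n=$(get_count "${base}/usergroup/t/CUSTOMER/broker/directories" "$hdr" id) || return 2
    echo "VIDB directories remaining:        $n"; stale=$((stale + n))
    n=$(get_count "${base}/federation/t/CUSTOMER/broker/identity-providers" "$hdr" id) || return 2
    echo "VIDB identity providers remaining: $n"; stale=$((stale + n))
  else
    echo "ACCESS_TOKEN not set: VIDB layers skipped (obtain it with Step 10 first)"
  fi
  [ "$stale" -eq 0 ]   # non-zero exit: stale objects still exist at some layer
}
if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it as `VC_FQDN=... VC_USER=... VC_PASS=... ACCESS_TOKEN=... ./audit.sh --run`; a zero exit status means every layer is clean.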