vRO integrated with vCenter SSO will logoff immediately after providing the credentials.

Article ID: 376035

Products

VMware vCenter Server
VMware Aria Operations (formerly vRealize Operations) 8.x

Issue/Introduction

  • vRO integrated with vCenter SSO logs the user off immediately after the credentials are provided and displays a page similar to the one below.

 

Environment

vRO integrated with vCenter SSO as the identity provider.

Cause

  • A clock difference between vCenter and vRO causes the authorization failure.
  • Debugging from the browser shows an HTTP 401 (Unauthorized) error code.
  • The vCenter SSO logs show that the authentication is successful. However, the vRO page does not load.
  • services-logs/prelude/vco-app/file-logs/vco-server-app.log contains entries like the ones below.

2024-06-22T04:16:43.492Z INFO vco [host='vco-app-7d69bfd64b-lzbtk' thread='http-nio-8280-exec-1' user='-' org='-' trace='-'] {} com.vmware.identity.websso.client.Message - Incoming or outgoing SAML message.
Message Type:AUTHN_RESPONSE
Message source:https://vcenter.vsphere.local/websso/SAML2/Metadata/vSphere.local
Message destination:https://vRO.vsphere.local/vco/org/vSphere.local/saml/websso/sso
Message validation result (for incoming messages):urn:oasis:names:tc:SAML:2.0:status:Success

2024-06-22T04:16:43.535Z INFO vco [host='vco-app-7d69bfd64b-lzbtk' thread='http-nio-8280-exec-1' user='-' org='-' trace='-'] {} com.vmware.identity.token.impl.SamlTokenImpl - SAML token for SubjectNameId [[email protected], format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
2024-06-22T04:16:43.537Z INFO vco [host='vco-app-7d69bfd64b-lzbtk' thread='http-nio-8280-exec-1' user='-' org='-' trace='-'] {} com.vmware.identity.token.impl.SamlTokenImpl -  Token expiration date: Sat Jun 22 04:15:24 GMT 2024 is in the past.
2024-06-22T04:16:43.538Z ERROR vco [host='vco-app-7d69bfd64b-lzbtk' thread='http-nio-8280-exec-1' user='-' org='-' trace='-'] {} com.vmware.o11n.web.SamlLogonProcessor - An exception occurred while processing authentication success callback from SSO. Create logoutToken for '[email protected]'
2024-06-22T04:16:43.538Z ERROR vco [host='vco-app-7d69bfd64b-lzbtk' thread='http-nio-8280-exec-1' user='-' org='-' trace='-'] {} com.vmware.identity.websso.client.endpoint.SsoResponseListener - Authentication Exception:
com.vmware.vcac.authentication.http.SamlAuthenticationException: Token expiration date: Sat Jun 22 04:15:24 GMT 2024 is in the past.
        at com.vmware.o11n.authentication.http.SamlTokenExtractor.extractSamlToken(SamlTokenExtractor.java:76) ~[o11n-cafe-sdk-sso-8.18.0.jar:?]
        at com.vmware.o11n.web.SamlLogonProcessor.authenticationSuccess(SamlLogonProcessor.java:118) ~[o11n-security-sso-provider-8.18.0.jar:?]
        at com.vmware.identity.websso.client.endpoint.SsoResponseListener.authenticationSuccess(SsoResponseListener.java:165) ~[websso-1.0.0.jar:?]
        at com.vmware.identity.websso.client.endpoint.SsoResponseListener.consumeResponse(SsoResponseListener.java:127) [websso-1.0.0.jar:?]
        at com.vmware.identity.websso.client.endpoint.SsoResponseListener.consumeResponse(SsoResponseListener.java:89) [websso-1.0.0.jar:?]
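
An added example, not part of the original article or of any VMware tooling: this Python script scans vco-server-app.log text for the "Token expiration date ... is in the past" entries shown above and reports how long before the log timestamp each token had expired. Assuming the token was issued during the same login and that the expiry is printed in GMT as in the entries above, that gap is a rough lower bound on how far the vRO clock runs ahead of vCenter; the function names and the shortened sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the relevant vco-server-app.log lines from this article,
# with the bracketed host/thread context shortened to [...].
SAMPLE_LOG = """\
2024-06-22T04:16:43.537Z INFO vco [...] {} com.vmware.identity.token.impl.SamlTokenImpl -  Token expiration date: Sat Jun 22 04:15:24 GMT 2024 is in the past.
2024-06-22T04:16:43.538Z ERROR vco [...] {} com.vmware.identity.websso.client.endpoint.SsoResponseListener - Authentication Exception:
com.vmware.vcac.authentication.http.SamlAuthenticationException: Token expiration date: Sat Jun 22 04:15:24 GMT 2024 is in the past.
"""

# Only lines that start with a log timestamp match, so the same message
# repeated in the exception text is not counted twice.
EXPIRED = re.compile(
    r"^(?P<logged>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})Z .*"
    r"Token expiration date: (?P<expiry>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})"
    r" GMT (?P<year>\d{4}) is in the past"
)

def expired_token_events(log_text):
    """Return (logged_at, token_expiry, seconds_past_expiry) per rejected token."""
    events = []
    for line in log_text.splitlines():
        m = EXPIRED.match(line)
        if not m:
            continue
        logged = datetime.strptime(m["logged"], "%Y-%m-%dT%H:%M:%S.%f")
        expiry = datetime.strptime(f"{m['expiry']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        logged = logged.replace(tzinfo=timezone.utc)
        expiry = expiry.replace(tzinfo=timezone.utc)
        events.append((logged, expiry, (logged - expiry).total_seconds()))
    return events

def min_clock_lead_seconds(log_text):
    """Largest gap seen; None if the log has no expired-token rejections."""
    gaps = [gap for _, _, gap in expired_token_events(log_text)]
    return max(gaps) if gaps else None

if __name__ == "__main__":
    for logged, expiry, gap in expired_token_events(SAMPLE_LOG):
        print(f"{logged.isoformat()} token expired {expiry.isoformat()} "
              f"({gap:.3f}s earlier by the vRO clock)")
```

A token that is already more than a minute past its expiry at the moment the SAML response arrives points to clock skew rather than a slow login.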

Resolution

  • Configure both appliances, vCenter and vRO, to use the same NTP server so that their time is in sync.
  • Steps:
    1. Log in to the VAMI of the vCenter as root: https://vCenter_IP:5480
    2. Select Time.
    3. Navigate to Time Synchronization.
    4. Click Edit.
    5. Under Mode, select NTP.
    6. Make a note of the NTP servers.
    7. Log in to vRO as root and set the NTP servers to the ones noted on the vCenter VAMI in step 6.
      • vracli ntp systemd --set 'ntp_address_1', 'ntp_address_2'

'ntp_address_1', 'ntp_address_2' are the NTP server names.

      • To confirm the status of the NTP server configuration, run the command: vracli ntp status
  • If this does not resolve the issue, remove the authentication provider from the vRO Control Center and register it again.

Additional Information