Azure AD identity Source fails with AcceptMappedClaims equal null



Article ID: 380642


Products

VMware vCenter Server

Issue/Introduction

After configuring Azure AD (Entra ID) as an identity source and attempting to log in, ACCESS DENIED is presented.

The following errors are present when trying to log in with the Azure (Entra ID) IDP.

vCenter - /var/log/vmware/vc-ws1a-broker/federation-service.log

2024-10-22T15:03:20,655 ERROR HOSTNAME:federation (vert.x-eventloop-thread-2) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_request: AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid. Trace ID: 55bdc8a2-bc79-476c-ad62-eef2e5bf1b00 Correlation ID: cb81b289-18ae-42c9-b7f8-040e712a8649 Timestamp: 2024-10-22 15:03:20Z

2024-10-22T15:03:20,655 WARN  HOSTNAME:federation (federation-business-pool-0) [CUSTOMER;-;XXX.XXX.XXX.XXX;ba05f73e-3395-4e66-ae8b-dd83147e028f;-;9cd7d5a9-9f9c-4b4b-8eb3-f484f7235c88] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticator - Exception occurred while retrieving oidc tokens com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationException: Unable to get ID token and access token

Environment

vCenter 8.x

Cause

The cause is the AcceptMappedClaims value being set to null on the Azure side.

Resolution

To resolve this issue, a setting must be changed in the Azure Entra ID configuration.

Set the AcceptMappedClaims value to true.

Below is a screenshot from Azure of the value that needs to be changed.
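As an added example (not from this article or from VMware), a small Python check that flags the AADSTS50146 failure in federation-service.log and validates the acceptMappedClaims value in an exported app-registration manifest; the log lines and manifest fragment are constructed samples, and the top-level acceptMappedClaims key follows the Azure portal manifest format.

```python
import json
import re

# Constructed sample lines modelled on the vCenter federation-service.log
# entries quoted in this article (hostname and IDs are placeholders).
SAMPLE_LOG = """\
2024-10-22T15:03:20,655 ERROR HOSTNAME:federation (vert.x-eventloop-thread-2) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_request: AADSTS50146: This application is required to be configured with an application-specific signing key. Trace ID: 00000000-0000-0000-0000-000000000001 Correlation ID: 00000000-0000-0000-0000-000000000002 Timestamp: 2024-10-22 15:03:20Z
2024-10-22T15:03:20,655 WARN  HOSTNAME:federation (federation-business-pool-0) [CUSTOMER;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticator - Exception occurred while retrieving oidc tokens
2024-10-22T15:04:01,100 INFO  HOSTNAME:federation (vert.x-eventloop-thread-1) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint ok
"""

# Matches the AADSTS code plus the Trace/Correlation IDs needed when opening a case.
AADSTS_RE = re.compile(
    r"(?P<code>AADSTS\d+):.*?Trace ID: (?P<trace>[0-9a-f-]{36}) "
    r"Correlation ID: (?P<corr>[0-9a-f-]{36})"
)

def find_aadsts_errors(log_text):
    """Return (code, trace_id, correlation_id) for every AADSTS failure line."""
    hits = []
    for line in log_text.splitlines():
        m = AADSTS_RE.search(line)
        if m:
            hits.append((m["code"], m["trace"], m["corr"]))
    return hits

def check_accept_mapped_claims(manifest_json):
    """Classify the manifest's acceptMappedClaims as 'ok', 'null', 'false' or 'missing'."""
    manifest = json.loads(manifest_json)
    if "acceptMappedClaims" not in manifest:
        return "missing"
    value = manifest["acceptMappedClaims"]
    if value is True:
        return "ok"
    return "null" if value is None else "false"

def fix_manifest(manifest_json):
    """Return the manifest with acceptMappedClaims set to true, as the article prescribes."""
    manifest = json.loads(manifest_json)
    manifest["acceptMappedClaims"] = True
    return json.dumps(manifest, indent=2)

# Constructed manifest fragment showing the failing state described in the article (null).
BROKEN_MANIFEST = '{"appId": "00000000-0000-0000-0000-0000000000aa", "acceptMappedClaims": null}'

if __name__ == "__main__":
    for code, trace, corr in find_aadsts_errors(SAMPLE_LOG):
        print(f"{code} trace={trace} correlation={corr}")
    print("manifest state:", check_accept_mapped_claims(BROKEN_MANIFEST))
    print(fix_manifest(BROKEN_MANIFEST))
```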