After configuring Azure AD (Microsoft Entra ID) as the identity provider and attempting to log in to vCenter, an ACCESS DENIED message is presented.
The following errors are present in the vCenter federation service log when trying to log in with the Azure (Entra ID) IDP:
vCenter - /var/log/vmware/vc-ws1a-broker/federation-service.log
2024-10-22T15:03:20,655 ERROR HOSTNAME:federation (vert.x-eventloop-thread-2) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_request: AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid. Trace ID: 55bdc8a2-bc79-476c-ad62-eef2e5bf1b00 Correlation ID: cb81b289-18ae-42c9-b7f8-040e712a8649 Timestamp: 2024-10-22 15:03:20Z
2024-10-22T15:03:20,655 WARN HOSTNAME:federation (federation-business-pool-0) [CUSTOMER;-;XXX.XXX.XXX.XXX;ba05f73e-3395-4e66-ae8b-dd83147e028f;-;9cd7d5a9-9f9c-4b4b-8eb3-f484f7235c88] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticator - Exception occurred while retrieving oidc tokens com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationException: Unable to get ID token and access token
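As an added example (not part of the original article), the script below parses federation-service.log lines in the format quoted above, pulls out any AADSTS error code together with its Trace ID and Correlation ID (the values needed when raising the failure with Microsoft support), and maps AADSTS50146 to the fix this article describes. The sample log lines are constructed from the entries above plus one benign line; the meaning of the semicolon-separated context fields is not assumed.

```python
import re
from typing import Optional

# Layout of a federation-service.log line, as seen in the entries quoted above:
#   <timestamp> <LEVEL> <host>:<component> (<thread>) [<ctx;fields>] <logger> - <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>[A-Z]+) (?P<host>\S+) \((?P<thread>[^)]*)\) "
    r"\[(?P<ctx>[^\]]*)\] (?P<logger>\S+) - (?P<msg>.*)$"
)
AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")
TRACE_RE = re.compile(r"Trace ID: ([0-9a-f-]{36})")
CORR_RE = re.compile(r"Correlation ID: ([0-9a-f-]{36})")

# Error codes this article explains, mapped to the fix it gives.
KNOWN_FIXES = {
    "AADSTS50146": "AcceptMappedClaims is null on the Azure application; set it to true",
}

# Constructed sample: the two entries from the article (messages shortened) plus one benign line.
SAMPLE_LOG = """\
2024-10-22T15:03:20,655 ERROR HOSTNAME:federation (vert.x-eventloop-thread-2) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_request: AADSTS50146: This application is required to be configured with an application-specific signing key. Trace ID: 55bdc8a2-bc79-476c-ad62-eef2e5bf1b00 Correlation ID: cb81b289-18ae-42c9-b7f8-040e712a8649 Timestamp: 2024-10-22 15:03:20Z
2024-10-22T15:03:20,655 WARN HOSTNAME:federation (federation-business-pool-0) [CUSTOMER;-;XXX.XXX.XXX.XXX;ba05f73e-3395-4e66-ae8b-dd83147e028f;-;9cd7d5a9-9f9c-4b4b-8eb3-f484f7235c88] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticator - Exception occurred while retrieving oidc tokens com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationException: Unable to get ID token and access token
2024-10-22T15:04:01,002 INFO HOSTNAME:federation (vert.x-eventloop-thread-1) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint call succeeded
"""

def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ctx"] = rec["ctx"].split(";")  # semicolon-separated context fields, kept as-is
    return rec

def find_aadsts_failures(log_text: str) -> list:
    """Return one record per line that carries an AADSTS code, with the IDs a support case needs."""
    failures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        code = AADSTS_RE.search(rec["msg"])
        if not code:
            continue
        trace = TRACE_RE.search(rec["msg"])
        corr = CORR_RE.search(rec["msg"])
        failures.append({
            "ts": rec["ts"], "level": rec["level"], "code": code.group(1),
            "trace_id": trace.group(1) if trace else None,
            "correlation_id": corr.group(1) if corr else None,
            "fix": KNOWN_FIXES.get(code.group(1), "no fix documented in this article"),
        })
    return failures

if __name__ == "__main__":
    for f in find_aadsts_failures(SAMPLE_LOG):
        print(f"{f['ts']} {f['code']} trace={f['trace_id']} corr={f['correlation_id']} -> {f['fix']}")
```

Run it against a real copy of /var/log/vmware/vc-ws1a-broker/federation-service.log by passing the file contents to find_aadsts_failures instead of SAMPLE_LOG.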
Environment: vCenter 8.x
The cause is the AcceptMappedClaims value being set to null on the Azure side.
To resolve this issue, a setting must be changed in the Azure Entra ID configuration of the application: set the AcceptMappedClaims value to true.
The screenshot below, taken from the Azure portal, shows the value that needs to be changed.