When integrating vCenter Server with Microsoft Entra ID (formerly Azure AD) via OIDC, users may encounter the following symptoms:
Users successfully authenticate at the Entra ID login page but are then redirected to an "Access Denied" or "Permission Denied" page in vCenter or Workspace ONE.
The vCenter /var/log/vmware/vc-ws1a-broker/federation-service.log contains:
2024-10-22T15:03:20,655 ERROR HOSTNAME:federation (vert.x-eventloop-thread-2) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_request: AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid. Trace ID: 55bdc8a2-bc79-XXXX-ad62-eef2e5bf1b00 Correlation ID: cb81b289-18ae-42c9-XXXX-040e712a8649 Timestamp: 2024-10-22 15:03:20Z
2024-10-22T15:03:20,655 WARN HOSTNAME:federation (federation-business-pool-0) [CUSTOMER;-;XXX.XXX.XXX.XXX;ba05f73e-3395-XXXX-ae8b-dd83147e028f;-;9cd7d5a9-9f9c-XXXX-8eb3-f484f7235c88] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticator - Exception occurred while retrieving oidc tokens com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationException: Unable to get ID token and access token
vCenter is unable to resolve or find users/groups from the Entra ID domain when manually assigning permissions.
vCenter 8.x
Microsoft Entra ID (OIDC Identity Provider)
The Microsoft Entra ID application manifest has the acceptMappedClaims attribute set to false or null. By default, Entra ID restricts the transmission of custom-mapped claims in the security token for multi-tenant applications or specific security postures. Setting acceptMappedClaims to true explicitly authorizes the Identity Provider to send the group transformation claims that vCenter requires to map Entra ID security groups to vSphere Roles.
To resolve this issue, the acceptMappedClaims setting must be changed in the Microsoft Entra ID application configuration.
Below is a screenshot from Microsoft Entra portal showing the value that needs to be changed.
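As an added example (not part of the original article), the following Python check reads an exported application manifest together with an excerpt of federation-service.log and flags the condition described above. The manifest and log lines are constructed samples; the fallback to `api.acceptMappedClaims` is an assumption about the Microsoft Graph format of the manifest.

```python
import json
import re

# Constructed sample of an Entra ID application manifest (portal format)
# showing the state that produces the AADSTS50146 failure: the attribute
# is present but null, which vCenter treats the same as false.
SAMPLE_MANIFEST = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",  # placeholder app id
    "acceptMappedClaims": None,
    "groupMembershipClaims": "SecurityGroup",
})

# Constructed excerpt in the shape of vc-ws1a-broker/federation-service.log.
SAMPLE_LOG = (
    "2024-10-22T15:03:20,655 ERROR HOSTNAME:federation ... Token endpoint failed "
    "invalid_request: AADSTS50146: This application is required to be configured "
    "with an application-specific signing key.\n"
    "2024-10-22T15:03:20,655 WARN HOSTNAME:federation ... Unable to get ID token "
    "and access token\n"
)

AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")


def accept_mapped_claims(manifest: dict):
    """Return the effective acceptMappedClaims value from either manifest shape.

    The portal manifest carries it at top level; the Microsoft Graph application
    object carries it under "api" (assumption: both locations are checked).
    """
    if "acceptMappedClaims" in manifest:
        return manifest["acceptMappedClaims"]
    return (manifest.get("api") or {}).get("acceptMappedClaims")


def manifest_allows_mapped_claims(manifest_json: str) -> bool:
    """True only when the attribute is explicitly true; false, null and absent all block group claims."""
    return accept_mapped_claims(json.loads(manifest_json)) is True


def aadsts_codes(log_text: str) -> list:
    """Distinct AADSTS error codes mentioned in the broker log excerpt."""
    return sorted(set(AADSTS_RE.findall(log_text)))


def diagnose(manifest_json: str, log_text: str) -> str:
    """Combine manifest state and log evidence into a one-line verdict."""
    codes = aadsts_codes(log_text)
    if manifest_allows_mapped_claims(manifest_json):
        return "OK" if not codes else "OK (manifest fine, other errors: %s)" % ", ".join(codes)
    hint = " (AADSTS50146 seen in log)" if "AADSTS50146" in codes else ""
    return "MISCONFIGURED: set acceptMappedClaims to true%s" % hint
```

Running `diagnose(SAMPLE_MANIFEST, SAMPLE_LOG)` on the constructed samples reports the misconfiguration and notes the matching AADSTS50146 entry.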