Error "Your Single Sign-on attempt failed." when attempting to log in using Microsoft Entra ID as OIDP in Cloud Director

Article ID: 382019

Products

VMware Cloud Director

Issue/Introduction

  • Every logon attempt fails with the message "Your Single Sign-on attempt failed." in the Cloud Director Tenant Portal.
  • The following error is shown in the Cloud Director debug logs: "OAuthFilter Could not obtain user details from token ... org.springframework.security.authentication.BadCredentialsException: Audience does not match clientId"

Environment

VMware Cloud Director 10.5.1.1

Cause

This error indicates that VCD could not obtain the user's details from the token returned by the identity provider (Microsoft Entra ID).
The specific failure is that the audience (aud) claim in the token does not match the Client ID configured in VCD.

Resolution

To resolve the issue, verify that the Client ID in VCD Tenant > OIDC Settings matches the Client ID on the Microsoft Entra ID side.

After that, make sure the user is a member of the correct group and that the group is configured correctly on the Microsoft Entra ID side.

This can be done by:

1) On the Entra ID side: App registration > Token configuration > add a groups claim (based on "Object ID" or "sAMAccountName").

2) On the VCD side: Tenant > Identity Providers > OIDC > turn off the slider for Configuration Discovery.

3) Make sure that "Prefer ID Token" is turned on, as described in the following article: OIDC Group logins failing when using Microsoft Entra ID as the identity provider

4) Map the additional claim "Groups name" to the groups claim name used by Entra ID.

5) When Configuration Discovery is turned off, the claim names can be entered manually (they are not restricted to a dropdown list).

6) After that, users in the Entra ID groups will be able to log in to Cloud Director.
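The two checks in the steps above (the aud claim must equal the Client ID configured in VCD, and the ID token must actually carry the groups claim under the mapped name) can be reproduced offline against a captured ID token. The script below is an added example for this article; it is not VCD or Microsoft code. It builds a constructed HS256 test token with made-up values (a real Entra ID token is RS256 and must have its signature verified by the relying party; this example only reads the payload for diagnosis), then reports the same mismatch that produces "Audience does not match clientId". The names make_id_token, check_id_token and the GUID-style values are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; not real Entra ID or VCD identifiers.
CONSTRUCTED_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
CONSTRUCTED_GROUP_OBJECT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
TEST_KEY = b"example-only-hs256-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_id_token(claims: dict, key: bytes = TEST_KEY) -> str:
    """Build a constructed HS256 ID token for offline testing (hypothetical helper)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_id_token(token: str, expected_client_id: str, groups_claim: str = "groups") -> dict:
    """Mirror the two checks from the resolution: aud == Client ID, and a groups claim is present."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else ([aud] if aud is not None else [])
    result = {
        "audience_ok": expected_client_id in audiences,
        "audiences": audiences,
        "groups": claims.get(groups_claim) or [],
        "problems": [],
    }
    if not result["audience_ok"]:
        result["problems"].append(
            f"Audience does not match clientId: token aud={audiences}, configured={expected_client_id}"
        )
    if not result["groups"]:
        result["problems"].append(
            f"no '{groups_claim}' claim in the ID token; add the groups claim under Token configuration"
        )
    return result


if __name__ == "__main__":
    good = make_id_token({"aud": CONSTRUCTED_CLIENT_ID, "groups": [CONSTRUCTED_GROUP_OBJECT_ID]})
    # Token issued for a different app registration: reproduces the VCD log error.
    wrong_app = make_id_token({"aud": "99999999-0000-0000-0000-000000000000", "groups": [CONSTRUCTED_GROUP_OBJECT_ID]})
    for label, tok in (("correct app", good), ("other app", wrong_app)):
        print(label, check_id_token(tok, CONSTRUCTED_CLIENT_ID))
```

Run it as-is to see the matching and mismatching cases; to examine a real captured ID token, pass it to check_id_token together with the Client ID from VCD Tenant > OIDC Settings and the claim name mapped in step 4.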

Additional Information