Trying to login to Aria Automation with certain domains or specific accounts, getting whitetext error: “502 Bad Gateway”, "NSX LB" from the vIDM load balancer FQDN

Article ID: 384780

Products

VMware Aria Suite

Issue/Introduction

Symptoms

  • When logging in with certain domain accounts from Aria Automation FQDN ("Go to login page"), the final redirection to vRA after successful authentication fails.
  • Once the correct credentials are given, the vIDM LB address displays a simple text webpage which says: “502 Bad Gateway”, "NSX LB"
  • Logging in directly to vIDM first and then accessing Automation from the IDM catalog may work just fine.
  • NSX load balancer shows the following error for this request:
    • 2024/11/11 12:34:22 [error] 3812321#0: *3312321 upstream sent too big header while reading response header from upstream, client: <IP_address>, server: , request: "POST /SAAS/auth/saml/response HTTP/1.1", upstream: "https://<IP_address2>:443/SAAS/auth/saml/response", host: "vidm.example.com", referrer: "https://vidm.example.com/hc/3104/authenticate/"
  • For similar but different issues on NSX, or another load balancer, please check the LB logs for error details.

Environment

  • VMware Aria Automation 8.x
  • Clustered 3-node VMware Identity Manager 3.3.7
  • NSX-T used as load balancer for IDM

Cause

  • The response header size of the SAML auth request may be too big, causing it to be rejected by the LB
  • As such, the fix will need to take place on the load balancer for vIDM

Resolution

Workaround

Try to log in with other accounts, in particular accounts in the local IDM domain rather than AD / LDAP.

Resolution

Where the issue is caused by the exact NSX log message given above, "upstream sent too big header":

  • Increase the Response Header Size on the vIDM's Load Balancer profile in NSX.
  • Most common values are powers-of-two, so you may double the current figure (e.g. increase from 4096 bytes to 8192).

Other issues indicated by LB:

  • If the above does not resolve the issue, it is possible to test different values of the Request and Response Headers in the LB
  • Please check the particular error faced by the LB for hints
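
One way to triage the load balancer log as the Symptoms and "Other issues indicated by LB" lists suggest, given here as an added example and not VMware tooling: it parses nginx-style error lines like the one quoted above and separates "upstream sent too big header" events from other upstream errors. The sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the log entry quoted in this
# article; addresses and hostnames are placeholders, not real data.
SAMPLE_LOG = """\
2024/11/11 12:34:22 [error] 3812321#0: *3312321 upstream sent too big header while reading response header from upstream, client: 192.0.2.10, server: , request: "POST /SAAS/auth/saml/response HTTP/1.1", upstream: "https://192.0.2.21:443/SAAS/auth/saml/response", host: "vidm.example.com", referrer: "https://vidm.example.com/hc/3104/authenticate/"
2024/11/11 12:35:02 [error] 3812321#0: *3312388 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.11, server: , request: "GET / HTTP/1.1", upstream: "https://192.0.2.22:443/", host: "vidm.example.com"
2024/11/11 12:36:40 [error] 3812321#0: *3312401 upstream sent too big header while reading response header from upstream, client: 192.0.2.12, server: , request: "POST /SAAS/auth/saml/response HTTP/1.1", upstream: "https://192.0.2.23:443/SAAS/auth/saml/response", host: "vidm.example.com"
"""

# Timestamp, level, pid#tid, optional *connection-id, then message plus fields.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\*\d+ )?(?P<rest>.*)$')
# Trailing ", key: value" fields appended to the message.
FIELD_RE = re.compile(r', (client|server|request|upstream|host|referrer): ')
TOO_BIG = "upstream sent too big header"

def parse_line(line):
    """Split one error-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = FIELD_RE.split(m.group("rest"))
    entry = {"ts": m.group("ts"), "level": m.group("level"), "message": parts[0]}
    for key, value in zip(parts[1::2], parts[2::2]):
        entry[key] = value.strip('"')
    return entry

def parsed_entries(log_text):
    return [e for e in map(parse_line, log_text.splitlines()) if e]

def too_big_header_events(log_text):
    """Entries where the backend's response header exceeded the LB limit."""
    return [e for e in parsed_entries(log_text) if e["message"].startswith(TOO_BIG)]

def summarize(log_text):
    """Count oversized-header events per (host, request) to find the affected flow."""
    return Counter((e.get("host"), e.get("request"))
                   for e in too_big_header_events(log_text))

def other_errors(log_text):
    """Count remaining error messages, which point to a different cause."""
    return Counter(e["message"] for e in parsed_entries(log_text)
                   if not e["message"].startswith(TOO_BIG))

if __name__ == "__main__":
    for (host, request), count in summarize(SAMPLE_LOG).items():
        print(f"{count} oversized response header(s): {host} {request}")
    for message, count in other_errors(SAMPLE_LOG).items():
        print(f"{count} other: {message}")
```

If the oversized-header events cluster on `POST /SAAS/auth/saml/response`, the Response Header Size change described above applies; anything reported under "other" needs its own investigation.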