Unable to configure Okta identity provider in vCenter server due to error "Could not create indirect identity provider".
Article ID: 385669

Products

VMware vCenter Server

Issue/Introduction

  • Configuring External Identity Provider on vCenter Server fails with error "Could not create indirect identity provider".

  • The vSphere Client shows the error message "Could not create indirect identity provider".

  • The trustmanagement-svcs.log on the vCenter Server contains the following error:

    [####-##-#####:MM:SS] [tomcat-exec-16 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] API request CREATE_IDENTITY_PROVIDER to url http://localhost:1080/########-####/http1/vcenter.example.com/443/federation/t/customer/broker/########-######### returned unexpected response code 400 and the following error information: {"errors":[{"code":"oidc.config.api.validation.error","message":"Failed to retrieve OIDC endpoints from configuration url: https://example.com/oauth2/default/.####-#####/######-#############.","parameters":{"configUrl":"https://example.com/oauth2/default/.####-#####/######-#############"}}]}
  • The OpenID Address URL (the OIDC discovery endpoint) is inaccessible: instead of the discovery document containing issuer, authorization_endpoint, token_endpoint and so on, it returns an Okta error:

    # curl -k --location --request GET https://example.com/oauth2/default/.well-known/openid-configuration

    {"errorCode":"E0000015","errorSummary":"You do not have permission to access the feature you are requesting","errorLink":"E0000015","errorId":"<ERROR_ID>"}

Environment

VMware vCenter Server

Cause

This is caused by an Okta permission/licensing limitation: Okta orgs that do not have the API Access Management license cannot use a Custom Authorization Server, such as the one named "default", so its discovery endpoint returns the E0000015 permission error instead of the OIDC metadata.

Resolution

Contact Okta support regarding these limitations and the options that are available when using the Org Authorization Server.

Refer to the Okta support article "401 Permissions Error during Log in to an OIDC App or when Configuring a Custom Authorization Server" for more details.

As a workaround, configure the identity provider with the following metadata endpoint, which removes the 'default' authorization server segment and points to the Org Authorization Server instead:
'https://example.com/oauth2/.well-known/openid-configuration'

Note: The domain used here as an example is example.com. Change the domain accordingly.
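As an added example (not part of this article, nor VMware's or Okta's own tooling), the following Python helper performs the same check vCenter does before saving the provider: it classifies the body returned by a discovery URL (valid OIDC metadata, the Okta E0000015 licensing error quoted above, or something else) and rewrites a custom-authorization-server metadata URL into the Org Authorization Server form used in the workaround. The sample bodies are constructed to match the outputs quoted in this article; the function names are assumptions.

```python
import json
from urllib.parse import urlparse, urlunparse

# The discovery fields the article says vCenter expects in the response.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint")

# Okta error code returned when the org lacks the API Access Management license.
OKTA_NO_PERMISSION = "E0000015"


def validate_discovery(body: str) -> dict:
    """Classify the body returned by a .well-known/openid-configuration URL."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return {"ok": False, "reason": "response is not JSON"}
    if "errorCode" in doc:
        # Okta returned its error envelope instead of a discovery document.
        return {
            "ok": False,
            "reason": "okta error " + doc["errorCode"],
            # True when the cause is the custom-authorization-server licensing limit.
            "licensing": doc["errorCode"] == OKTA_NO_PERMISSION,
        }
    missing = [f for f in REQUIRED if f not in doc]
    if missing:
        return {"ok": False, "reason": "missing " + ", ".join(missing)}
    return {"ok": True, "issuer": doc["issuer"]}


def org_server_url(url: str) -> str:
    """Turn .../oauth2/<server-id>/.well-known/openid-configuration into the
    Org Authorization Server URL .../oauth2/.well-known/openid-configuration.
    A URL that already has no server segment is returned unchanged."""
    p = urlparse(url)
    parts = p.path.split("/")  # ['', 'oauth2', 'default', '.well-known', ...]
    if len(parts) >= 4 and parts[1] == "oauth2" and parts[3] == ".well-known":
        parts = parts[:2] + parts[3:]  # drop the '<server-id>' segment
    return urlunparse(p._replace(path="/".join(parts)))


# Constructed sample bodies modelled on the article's quoted curl output.
OKTA_ERROR_BODY = ('{"errorCode":"E0000015","errorSummary":"You do not have permission '
                   'to access the feature you are requesting","errorLink":"E0000015",'
                   '"errorId":"<ERROR_ID>"}')
GOOD_BODY = ('{"issuer":"https://example.com","authorization_endpoint":'
             '"https://example.com/oauth2/v1/authorize",'
             '"token_endpoint":"https://example.com/oauth2/v1/token"}')
```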

Disclaimer: Broadcom is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that Broadcom endorses, recommends, or accepts any responsibility for the content of such sites.