SAML redirection fails with ssoFailure when attempting to login to VMware Cloud Director

Article ID: 386623

Updated On:

Products

VMware Cloud Director

Issue/Introduction

  • SAML redirect fails with 'ssoFailure', then prompts for Org Name again
  • Browser Dev Tools API logs (see "How to collect a HAR log file for troubleshooting Cloud Director issues") return '302 Found' as the status code, and the login eventually fails with an SSO failure in the response

  • In /opt/vmware/vcloud-director/logs/vcloud-container-debug.log on the Cloud Director cell, you see entries similar to:

    DEBUG    | pool-jetty-81481          | SAMLAuthenticationProvider     | Error validating SAML message | requestId=xxxxxx-xxxx-xxxx-xxxx-xxxxxxx,request=POST https://VCD_URL/login/org/Tenant_name/saml/SSO/alias/vcd,requestTime=TimeStamp,remoteAddress=IP_address:port,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/avif image/webp image/apng */*;q 0.8 application/signed-exchange;...
    org.opensaml.common.SAMLException: Response issue time is either too old or with date in the future, skew 60, time 2025-01-21T06:19:55.000Z
            at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:126)
            at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)
            at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)
            at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:92)
            at com.vmware.vcloud.ui.h5auth.filters.CustomSamlProcessingFilter.attemptAuthentication(CustomSamlProcessingFilter.java:30)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:231)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
            at com.vmware.vcloud.ui.h5auth.filters.NestedFilterChain.doFilter(NestedFilterChain.java:46)
            at com.vmware.vcloud.ui.h5auth.filters.UnfirewalledFilterChainProxy.doFilter(UnfirewalledFilterChainProxy.java:62)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
            at com.vmware.vcloud.ui.h5auth.filters.OAuthRedirectInterceptorFilter.doFilterInternal(OAuthRedirectInterceptorFilter.java:51)

Environment

VMware Cloud Director

Cause

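The issue is caused by time differences between the clocks on your VMware Cloud Director (VCD) cells. The SAML response is rejected because its issue time falls outside the allowed skew, which the log entry above reports as "skew 60".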

Resolution

To resolve this issue, ensure time synchronization is accurately configured and consistently maintained across all VCD cells.
To change the NTP server, see "Change the NTP Server of Your VMware Cloud Director Appliance".
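
To confirm the cause on a given cell, the exception line can be parsed and its issue time compared with that cell's clock. The script below is an added example, not VMware tooling: the function names and the sample cell timestamp are hypothetical, and it assumes the skew value is in seconds and that a response is accepted only when the cell clock is within that many seconds of the issue time.

```python
import re
from datetime import datetime, timezone

# Exception text as it appears in vcloud-container-debug.log.
SKEW_RE = re.compile(
    r"Response issue time is either too old or with date in the future, "
    r"skew (?P<skew>\d+), time (?P<time>\S+)"
)

# Constructed sample: the exception line quoted in this article, plus a
# made-up UTC clock reading for the cell at the moment the POST arrived.
SAMPLE_LOG = (
    "DEBUG | pool-jetty-81481 | SAMLAuthenticationProvider | "
    "Error validating SAML message |\n"
    "org.opensaml.common.SAMLException: Response issue time is either too old "
    "or with date in the future, skew 60, time 2025-01-21T06:19:55.000Z\n"
)
SAMPLE_CELL_TIME = datetime(2025, 1, 21, 6, 22, 10, tzinfo=timezone.utc)


def parse_skew_errors(log_text):
    """Return a list of (allowed_skew, issue_time_utc) per matching line."""
    hits = []
    for m in SKEW_RE.finditer(log_text):
        issued = datetime.strptime(m["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        hits.append((int(m["skew"]), issued.replace(tzinfo=timezone.utc)))
    return hits


def classify(issue_time, cell_time, skew):
    """Return (delta_seconds, verdict) for one rejected response.

    Assumption: skew is in seconds and the accepted window is symmetric
    around the cell clock, as the wording of the exception suggests.
    """
    delta = (cell_time - issue_time).total_seconds()
    if abs(delta) <= skew:
        return delta, "within skew"
    if delta > 0:
        return delta, "cell clock ahead of issue time (response looks too old)"
    return delta, "cell clock behind issue time (response looks future-dated)"


if __name__ == "__main__":
    for skew, issued in parse_skew_errors(SAMPLE_LOG):
        delta, verdict = classify(issued, SAMPLE_CELL_TIME, skew)
        print(f"issued={issued.isoformat()} skew={skew}s "
              f"delta={delta:+.0f}s -> {verdict}")
```

Running it against each cell's log with that cell's own clock reading shows which cells have drifted and in which direction; after NTP is corrected, new SAML logins should no longer produce matching lines.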