EntraID Configuration in the vCenter fails with Error: Could not create indirect identity provider



Article ID: 389846


Products

VMware vCenter Server 8.0

Issue/Introduction

  • While configuring Microsoft Entra ID as the identity provider in vCenter Server, the operation fails with
    Error: Could not create indirect identity provider
  • The error is displayed under the Configure Main Identity Provider tab of the identity provider wizard.

  • The following entries are found in /var/log/vmware/trustmanagement/trustmanagement-svcs.log on the vCenter Server.

    Caused by: com.vmware.vcenter.trustmanagement.authbroker.BrokerClient$HttpStatusException: API request CREATE_IDENTITY_PROVIDER failed with response code 400 (Bad Request)
            at com.vmware.vcenter.trustmanagement.authbroker.BrokerClient.doRequest(BrokerClient.java:978) ~[libservice.jar:?]
            at com.vmware.vcenter.trustmanagement.authbroker.BrokerClient.createIdentityProvider(BrokerClient.java:803) ~[libservice.jar:?]
            ... 48 more
    YYYY-MM-DDTHH:MM:SS [tomcat-exec-21 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdpReplacer  opId=] Replace operation failed. Attempting rollback. Triggering exception is: Could not create indirect identity provider: Failed to create identity provider with IDP name Microsoft Entra ID (domain.com) for tenant customer on host vcenter.example.com
    YYYY-MM-DDTHH:MM:SS [tomcat-exec-21 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdentityMigration  opId=] Error changing identity provider configuration: Could not create indirect identity provider: Failed to create identity provider with IDP name Microsoft Entra ID (domain.com) for tenant customer on host vcenter.example.com
    com.vmware.vcenter.trustmanagement.impl.InternalException: Could not create indirect identity provider

    YYYY-MM-DDTHH:MM:SS [tomcat-exec-21 [] INFO com.vmware.vcenter.trustmanagement.impl.AuthBrokerIdp opId=] Created directory with ID xxxxxx-xxxxxx-xxxxxx-xxxxxx
    YYYY-MM-DDTHH:MM:SS [tomcat-exec-21 [] INFO com.vmware.vcenter.trustmanagement.authbroker.BrokerClient opId=] API request CREATE_IDENTITY_PROVIDER to url http://localhost:1080/external-vecs/http/vcenter.example.com/443/federation/t/customer/broker/identity-providers returned unexpected response code 400 and the following error information: {"errors":[{"code":"broker.idp.name.invalid","message":"Identity Provider's name is invalid. The allowed symbols are letters, digits (0-9), space and -","parameters":{"value":"Microsoft Entra ID (domain.com)"}}]}
    YYYY-MM-DDTHH:MM:SS [tomcat-exec-21 [] ERROR com.vmware.vcenter.trustmanagement.authbroker.BrokerClient opId=] Failed to create identity provider with IDP name Microsoft Entra ID (domain.com) for tenant customer on host vcenter.example.com
    YYYY-MM-DDTHH:MM:SS [tomcat-exec-21 [] ERROR com.vmware.vcenter.trustmanagement.impl.AuthBrokerIdp opId=] Rolling back 1 operations after error Failed to create identity provider with IDP name Microsoft Entra ID (domain.com) for tenant customer on host vcenter.example.com

Cause

The identity provider name entered in the wizard contains characters that the vCenter authentication broker rejects, such as parentheses. The broker only accepts letters, digits (0-9), spaces and the hyphen (-), and returns HTTP 400 with error code broker.idp.name.invalid for anything else; the trust management service then rolls the whole operation back, which surfaces in the UI as "Could not create indirect identity provider".
Example of a rejected name: Microsoft Entra ID (domain.com)
Note that in this example the period in domain.com is also outside the allowed set, not only the parentheses.

Resolution

  1. Take a snapshot of the vCenter Server (offline snapshots of all vCenter Servers if they are in Linked Mode).
  2. Re-run the identity provider configuration with a name that uses only the allowed symbols: letters, digits (0-9), space and - (hyphen). Remove every other character, including the period of a domain name, before submitting.

    Example: Microsoft Entra ID
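The check below is an added example, not part of this article or of the vCenter product code. It does two things a practitioner would want before retrying step 2: it scans trustmanagement-svcs.log text for the broker.idp.name.invalid error quoted above and extracts the rejected name from the JSON body, and it validates a candidate name against the allowed set the broker reports (letters, digits, space, hyphen). The log line embedded in the script is constructed from the entries shown in this article; the assumption that "letters" means ASCII A-Z/a-z, the regular expressions, and the name-suggestion rule (period replaced by hyphen) are the example's own, not product rules.

```python
from __future__ import annotations

import json
import re

# Allowed set as stated in the broker error "broker.idp.name.invalid":
# letters, digits (0-9), space and "-". Assumption: "letters" means ASCII
# A-Z/a-z only; treating anything else as invalid is the conservative reading.
ALLOWED_NAME_RE = re.compile(r"^[A-Za-z0-9 -]+$")

# Captures the JSON body BrokerClient logs after "the following error information:".
ERROR_JSON_RE = re.compile(r"error information: (\{.*\})\s*$")

# Constructed sample, modelled on the trustmanagement-svcs.log entries in this article.
SAMPLE_LOG = (
    "YYYY-MM-DDTHH:MM:SS [tomcat-exec-21 [] INFO com.vmware.vcenter.trustmanagement.authbroker.BrokerClient opId=] "
    "API request CREATE_IDENTITY_PROVIDER to url http://localhost:1080/external-vecs/http/vcenter.example.com/443/"
    "federation/t/customer/broker/identity-providers returned unexpected response code 400 and the following error "
    'information: {"errors":[{"code":"broker.idp.name.invalid","message":"Identity Provider\'s name is invalid. '
    'The allowed symbols are letters, digits (0-9), space and -","parameters":{"value":"Microsoft Entra ID (domain.com)"}}]}\n'
    "YYYY-MM-DDTHH:MM:SS [tomcat-exec-21 [] ERROR com.vmware.vcenter.trustmanagement.authbroker.BrokerClient opId=] "
    "Failed to create identity provider with IDP name Microsoft Entra ID (domain.com) for tenant customer on host vcenter.example.com\n"
)


def invalid_chars(name: str) -> list[str]:
    """Distinct characters in `name` outside the allowed set, in order of first appearance."""
    seen: list[str] = []
    for ch in name:
        if not ALLOWED_NAME_RE.match(ch) and ch not in seen:
            seen.append(ch)
    return seen


def is_valid_idp_name(name: str) -> bool:
    """True if the name is non-empty and every character is in the allowed set."""
    return bool(name) and ALLOWED_NAME_RE.match(name) is not None


def suggest_idp_name(name: str) -> str:
    """Derive an allowed name: '.' becomes '-' so a domain stays readable (editorial choice,
    not a product rule), every other disallowed character is dropped, spaces are collapsed."""
    cleaned = name.replace(".", "-")
    cleaned = "".join(ch for ch in cleaned if ALLOWED_NAME_RE.match(ch))
    return re.sub(r" {2,}", " ", cleaned).strip(" -")


def find_invalid_idp_names(log_text: str) -> list[dict]:
    """Scan log text for broker.idp.name.invalid errors and report each rejected name."""
    findings = []
    for line in log_text.splitlines():
        m = ERROR_JSON_RE.search(line)
        if not m:
            continue
        try:
            body = json.loads(m.group(1))
        except json.JSONDecodeError:
            continue  # not a well-formed broker error body; skip it
        for err in body.get("errors", []):
            if err.get("code") != "broker.idp.name.invalid":
                continue
            value = err.get("parameters", {}).get("value", "")
            findings.append({
                "name": value,
                "message": err.get("message", ""),
                "bad_chars": invalid_chars(value),
                "suggested": suggest_idp_name(value),
            })
    return findings


if __name__ == "__main__":
    for f in find_invalid_idp_names(SAMPLE_LOG):
        print(f"rejected name:        {f['name']!r}")
        print(f"broker message:       {f['message']}")
        print(f"offending characters: {f['bad_chars']}")
        print(f"allowed alternative:  {f['suggested']!r}")
    # Pre-check candidates before typing them into the Configure Main Identity Provider tab.
    for candidate in ("Microsoft Entra ID (domain.com)", "Microsoft Entra ID", "Entra-ID domain-com"):
        verdict = "OK" if is_valid_idp_name(candidate) else f"rejects {invalid_chars(candidate)}"
        print(f"{candidate!r}: {verdict}")
```

To run it against a real appliance, replace SAMPLE_LOG with the contents of /var/log/vmware/trustmanagement/trustmanagement-svcs.log; the scanner only keys on the error code and the JSON body, so the timestamps and thread names do not matter.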

Additional Information

For more information, refer to How to Enable Entra ID for vCenter Server.