Cleanup SSO configuration if VCF Identity Broker is down
Article ID: 393161

Products

VCF Operations, VMware vCenter Server

Issue/Introduction

  • Single Sign-On (SSO) cannot be reconfigured after an SSO reset or an identity broker failure.
  • Red banners reporting an "unknown error" appear in the VCF Operations user interface during configuration attempts.
  • The /usr/lib/vmware-vcops/user/log/vcfops-bridge.log file records API session failures (401 Unauthenticated) when components are registered.
  • Stale SSO artifacts remain in the environment even after the vCenter advanced setting config.OPERATIONS.vcf.sso.ops.cluster.id has been cleared.

Environment

  • VCF Operations 9.x
  • vCenter 9.x

Cause

Stale Single Sign-On configuration artifacts remain in the Identity Broker database and prevent a new SSO configuration workflow from being accepted.

Resolution

  1. Generate a token using the VCF Operations admin username and password

    Acquire a token from the VCF Operations API with the command below (replacing {{vcfops-ip}} and vcfops-password). The endpoint expects a POST; curl switches to POST automatically when --data is given, so no method flag is needed.

    curl -k --location 'https://{{vcfops-ip}}/suite-api/api/auth/token/acquire' \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/json' \
    --data '{"username":"admin","password":"vcfops-password"}'

    The response contains the token. Use it in the next step. Note that a password given on the command line ends up in shell history and in the process list; supply the body from a file with --data @file or clear the history afterwards. The -k flag disables TLS certificate verification; where possible use --cacert with the appliance CA instead.


    Example for Postman usage (returned token is masked):
  2. Clean up the SSO configuration with the API below

    To obtain the vidbResourceId, run the following command (replacing {{vcfops-ip}} and {{token}} with the token from step 1). Both calls in this step use an internal API, which is why the X-vRealizeOps-API-use-unsupported header is required:

    curl -k --request GET --location 'https://{{vcfops-ip}}/suite-api/internal/vidb/identityproviders' \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: vRealizeOpsToken {{token}}' \
    --header 'X-vRealizeOps-API-use-unsupported: true'

    Then delete the stale identity provider and purge the SSO configuration (again replacing {{vcfops-ip}} and {{token}}). Insert the vidbResourceId returned above where the #'s appear in the command below:

    curl --insecure --location --request DELETE 'https://{{vcfops-ip}}/suite-api/internal/vidb/identityproviders?vidbResourceId=########-####-####-####-############&purgeSSOConfig=true' \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: vRealizeOpsToken {{token}}' \
    --header 'X-vRealizeOps-API-use-unsupported: true'


    Example for Postman usage (vidbResourceId is masked):
  3. NOTE: The following step applies only to the embedded VCF Identity Broker setup on VCF Operations 9.0. It is not required for an external VCF Identity Broker appliance or for VCF Operations 9.0.1 and later.

    • Download the attached shell script
    • Copy the script to the VCF Operations appliance (for example with scp) and review its contents before running it as root
    • SSH to VCF Operations as the root user
    • Make the script executable with the following command:

      chmod +x cleanup_auth_sources.sh

    • Execute the script with the following command:

      ./cleanup_auth_sources.sh
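
The two API steps above chained into one script, with the token and the vidbResourceId extracted from the responses, as an added example that is not part of this article or of the attached cleanup_auth_sources.sh. It assumes the acquire response carries the token under a "token" key and the identity provider listing carries the ID under "vidbResourceId" (the article shows neither payload), and that a single provider is listed; the host name, user and password-file path are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article): automates steps 1 and 2 above.
# Assumptions not confirmed by the article: the acquire response carries the
# token under "token", the identity provider listing carries the ID under
# "vidbResourceId", and a single provider is listed. Adjust the extract_*
# functions if your payloads differ.
set -eu

VCFOPS_HOST="${VCFOPS_HOST:-vcfops.example.internal}"   # placeholder host
VCFOPS_USER="${VCFOPS_USER:-admin}"
# Password is read from a 0600 file so it never appears in shell history or ps.
VCFOPS_PASS_FILE="${VCFOPS_PASS_FILE:-$HOME/.vcfops-pass}"
# The KB uses -k; prefer pinning the appliance CA: CURL_TLS_OPTS='--cacert /path/ca.pem'
: "${CURL_TLS_OPTS:=-k}"

# Escape backslash and double quote so the password can be embedded in JSON.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Read the acquire response on stdin and print the token value.
extract_token() {
    sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Read the identity provider listing on stdin and print its vidbResourceId.
# The value is checked against the UUID shape before it is placed in a URL,
# so an unexpected payload fails loudly instead of producing a bad DELETE.
extract_vidb_id() {
    local id
    id=$(sed -n 's/.*"vidbResourceId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
    printf '%s' "$id" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || return 1
    printf '%s\n' "$id"
}

# Build the DELETE URL from step 2; purgeSSOConfig=true also removes the stale SSO config.
delete_url() {
    printf 'https://%s/suite-api/internal/vidb/identityproviders?vidbResourceId=%s&purgeSSOConfig=true' "$1" "$2"
}

main() {
    local password token vidb_id
    password=$(json_escape "$(cat "$VCFOPS_PASS_FILE")")

    # Step 1: --data makes curl POST, which the token endpoint expects.
    # $CURL_TLS_OPTS is deliberately unquoted so it may hold several options.
    token=$(curl -sS $CURL_TLS_OPTS --location "https://$VCFOPS_HOST/suite-api/api/auth/token/acquire" \
        --header 'Accept: application/json' --header 'Content-Type: application/json' \
        --data "{\"username\":\"$VCFOPS_USER\",\"password\":\"$password\"}" | extract_token)
    [ -n "$token" ] || { echo "token acquire failed (no token in response)" >&2; return 1; }

    # Step 2a: list identity providers through the internal (unsupported) API.
    vidb_id=$(curl -sS $CURL_TLS_OPTS --location "https://$VCFOPS_HOST/suite-api/internal/vidb/identityproviders" \
        --header 'Accept: application/json' \
        --header "Authorization: vRealizeOpsToken $token" \
        --header 'X-vRealizeOps-API-use-unsupported: true' | extract_vidb_id) \
        || { echo "no valid vidbResourceId in the listing" >&2; return 1; }

    # Step 2b: delete the stale provider and purge its SSO configuration.
    curl -sS $CURL_TLS_OPTS --location --request DELETE "$(delete_url "$VCFOPS_HOST" "$vidb_id")" \
        --header 'Accept: application/json' \
        --header "Authorization: vRealizeOpsToken $token" \
        --header 'X-vRealizeOps-API-use-unsupported: true'
    echo "purged identity provider $vidb_id on $VCFOPS_HOST"
}

# Runs only when invoked as "./cleanup_sso.sh run", so the functions can be sourced and tested.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `VCFOPS_HOST=<vcfops-ip> ./cleanup_sso.sh run` after placing the admin password in ~/.vcfops-pass. The UUID check in extract_vidb_id is what stops an error body (for example the 401 described in the Issue section) from being turned into a DELETE against a bogus resource ID.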

Attachments

cleanup_auth_sources.sh