Login to TCA with SSO user fails



Article ID: 397549


Updated On:

Products

VMware Telco Cloud Automation

Issue/Introduction

  • The vCenter Server in this scenario is dedicated solely to providing Identity Provider (IdP) functionality for TCA user authentication. It is not involved in any additional operations such as cluster lifecycle management or workload orchestration and is exclusively leveraged for SSO integration with TCA.
  • Login to TCA with an SSO user configured in vCenter fails. The TCA audit event records "Login Failed" / "Access Denied", and the TCA log shows an HTTP 403 for the session endpoint:
    [{"username":"xxxxx","tenantId":"default","enterprise":"DEFAULT","organization":"DEFAULT","userRoles":[],"endpointId":"xxxxxx"}],"tenantIds":["default"],"severity":"CRITICAL","userIdentity":{"username":"xxxxxx "},"eventId":"xxxx","eventTime":1746520804343,"message":"Access Denied","eventName":"Login Failed","service":{"name":"Login Failed"},"restEndpoint":{"uri":"\/tca\/global\/api\/v1\/sessions","method":"POST","sourceIPAddress":"x.x.x.x"},"requestParameters":{"query":[]},"responseElements":{"isAuthenticated":"false"}}
    2001-01-01T08:40:04.346781202Z stdout F 2001-01-01 08:40:04.346 UTC [http-nio-xxxx-exec-9, , , TxId: ] ERROR c.v.v.h.a.HybridityAccessDeniedHandlerImpl- Sending Response Error 403 for /tca/global/api/v1/sessions

Environment

TCA 3.2

vSphere 8

Cause

The vCenter certificate has an incorrect Common Name (CN). The name in the certificate must match the vCenter FQDN or IP address that TCA is configured to use for the SSO/IdP endpoint; when it does not, TCA rejects the POST to /tca/global/api/v1/sessions with the 403 "Access Denied" response shown above.

Resolution

Manually regenerate the vCenter certificate with the correct CN, then re-import it into TCA, following the instructions in the documents below:

Regenerate vSphere 6.x, 7.x, and 8.0 certificates using self-signed VMCA

Re-import the vCenter certificate for TCA-M/TCA-CP 3.2
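The following shell script is an added example (it is not part of this article and not a VMware/Broadcom tool) for confirming the mismatch before regenerating, and for confirming that the regenerated certificate actually covers the vCenter name TCA uses before re-importing it. It assumes openssl 1.1.1 or later on PATH for the live fetch (the `-ext` option); the hostnames, SAN entries and subject lines in the checks and comments are constructed samples, not values from this environment.

```shell
#!/bin/sh
# Added example, not part of the KB article or of TCA/vCenter tooling.
# Checks whether the certificate vCenter presents covers the hostname that TCA
# is configured to use for the vCenter endpoint. Assumes openssl >= 1.1.1 on
# PATH for the live fetch; the name-matching functions work on the text that
# "openssl x509 -noout -subject -ext subjectAltName" prints, so they can be
# exercised on saved output without network access.

# Read that openssl text on stdin and print one name per line as
#   CN=<subject CN>   DNS=<SAN dNSName>   IP=<SAN iPAddress>
# Both the "CN = x, O = y" and the older "/C=US/CN=x" subject layouts are handled.
cert_names() {
  awk '
    /^subject=/ && /\/CN=/ {            # older slash-separated subject line
      s = $0
      sub(/.*\/CN=/, "", s)
      sub(/\/.*/, "", s)
      print "CN=" s
      next
    }
    /^subject=/ {                       # comma-separated subject line
      n = split($0, parts, ",")
      for (i = 1; i <= n; i++) {
        p = parts[i]
        sub(/^subject=/, "", p)
        gsub(/^[ \t]+|[ \t]+$/, "", p)
        if (p ~ /^CN[ \t]*=/) {
          sub(/^CN[ \t]*=[ \t]*/, "", p)
          print "CN=" p
        }
      }
    }
    /^[ \t]*(DNS|IP Address):/ {        # subjectAltName entries
      n = split($0, parts, ",")
      for (i = 1; i <= n; i++) {
        p = parts[i]
        gsub(/^[ \t]+|[ \t]+$/, "", p)
        if (p ~ /^DNS:/)        { sub(/^DNS:/, "", p);        print "DNS=" p }
        if (p ~ /^IP Address:/) { sub(/^IP Address:/, "", p); print "IP=" p }
      }
    }'
}

# Return 0 if HOST (an FQDN or IP literal) is covered by the certificate text on
# stdin, 1 otherwise. Mirrors what a TLS client does: when a SAN is present only
# the SAN counts (including a one-label wildcard); the CN is consulted only when
# the certificate has no SAN at all.
cert_covers_host() {
  host=$1
  names=$(cert_names)
  if printf '%s\n' "$names" | grep -Eq '^(DNS|IP)='; then
    printf '%s\n' "$names" | grep -Fxq "DNS=$host" && return 0
    printf '%s\n' "$names" | grep -Fxq "IP=$host" && return 0
    parent=${host#*.}                   # vc01.lab.example.com -> lab.example.com
    [ "$parent" != "$host" ] && printf '%s\n' "$names" | grep -Fxq "DNS=*.$parent" && return 0
    return 1
  fi
  printf '%s\n' "$names" | grep -Fxq "CN=$host"
}

# Fetch the leaf certificate a live vCenter presents on 443 and print the fields
# the functions above read. Needs network access to the vCenter.
vcenter_cert_text() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName
}

# Usage: sh check-vc-cert.sh <vcenter FQDN or IP exactly as configured in TCA>
if [ "$#" -eq 1 ]; then
  if vcenter_cert_text "$1" | cert_covers_host "$1"; then
    echo "OK: certificate presented by $1 covers $1"
  else
    echo "MISMATCH: certificate presented by $1 does not name $1; regenerate it with the correct CN/SAN and re-import it into TCA"
    exit 1
  fi
fi
```

Run it with the vCenter name exactly as it is entered in TCA. A certificate whose CN is right but whose SAN lists a different name is still reported as a mismatch, because TLS clients ignore the CN once a SAN is present; when regenerating with VMCA make sure the SAN, not only the CN, carries the name TCA uses.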

Additional Information

For more information on the automatic STS certificate renewal feature in vCenter 8, refer to the following link. Note that this feature renews the STS signing certificate; it does not change the CN of the vCenter server certificate that this article is about.

vCenter 8 STS Auto Certificate Renewal Feature