When trying to log in to Aria Automation through vIDM, after giving credentials the error "502 Bad Gateway" / "NSX LB" is shown


Article ID: 398854


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • When logging in to Aria Automation through vIDM with domain accounts, this error is always returned: 502 Bad Gateway, NSX LB.
  • After clicking the "GO TO LOGIN PAGE" link on the Aria Automation home page, the Identity Manager page is shown
  • The user is allowed to give username and password on the IDM page, but the 502 error is given when redirecting back to Automation
  • When logging in to vIDM itself, it is possible to launch the Automation link from the catalog.

Environment

  • VMware Aria Automation 8.x
  • VMware Identity Manager 3.3.7
  • VMware NSX-T Load Balancer

Cause

  • The vIDM nodes themselves may be down or not working correctly; if so, that is the cause.
  • Otherwise, the configuration on the NSX load balancer is not sufficient to let the login confirmation get through.
    • Usually this is because of the maximum request/response header size being too small

Resolution

Workaround:

  • When logging in to vIDM itself, it may be possible to launch the Automation link from the catalog. Only the redirection back to Automation doesn't work.

 

Resolution:

  1. Log in to the NSX manager and look at the load balancer for vIDM / WSA
  2. If the server pool is shown as Down, then the vIDM nodes will need to be fixed first
  3. If no issue is shown with the pool nodes, then the LB configuration must be validated as follows:
    • Header sizes for response and request can be increased to ensure packets can get through
      • Power-of-two sizes are typically used: 1024, 2048, 4096, 8192, 16384 bytes
      • Response Header Size as high as 8192 bytes has been seen to be needed in some environments
      • The size of header needed is specific to the environment, as it depends on the SAML response which comes from the domain / IDM
    • You must enable X-Forwarded-For headers on your load balancer.
      • VMware Identity Manager identifies the source IP address in the X-Forwarded-For headers and determines which authentication method to use based on the source IP address.
    • The Load Balancing Guide for Aria Automation can serve as a useful reference for other LB settings
    • The certificate set in the NSX Client and Server SSL sections must be the same one that is installed on the vIDM nodes themselves
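
The header-size check from step 3, as an added example that is not part of the KB article: it measures a captured response header block and reports the smallest of the listed sizes that fits. The sample response, its host name and token, and the assumption that the limit covers the whole header block (start line through the closing blank line) are constructed for illustration.

```python
# Added example (not from the KB): size a captured HTTP header block against an LB limit.
# Assumption: the limit applies to the whole header block, start line through the blank line.

CANDIDATE_SIZES = (1024, 2048, 4096, 8192, 16384)  # power-of-two sizes, in bytes


def split_headers(raw: bytes) -> list[bytes]:
    """Return the start line and header lines, without the body."""
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("capture is truncated: no blank line ends the headers")
    return raw[:end].split(b"\r\n")


def header_block_size(raw: bytes) -> int:
    """Bytes in the header block, counting each CRLF and the closing blank line."""
    return sum(len(line) + 2 for line in split_headers(raw)) + 2


def largest_header(raw: bytes) -> tuple[str, int]:
    """Name and byte length of the longest header line (start line excluded)."""
    line = max(split_headers(raw)[1:], key=len)
    return line.split(b":", 1)[0].decode("ascii"), len(line)


def check_against_limit(raw: bytes, configured_limit: int) -> dict:
    """Compare the capture with the configured limit and suggest the next size up."""
    size = header_block_size(raw)
    suggested = next((c for c in CANDIDATE_SIZES if c >= size), None)
    name, length = largest_header(raw)
    return {"header_bytes": size, "fits": size <= configured_limit,
            "suggested_size": suggested, "largest_header": name,
            "largest_header_bytes": length}


# Constructed sample: a redirect whose Location value is padded to stand in for
# environment-specific login data. Host name and token are placeholders.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://automation.example.test/cb?token=" + b"A" * 5000 + b"\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(check_against_limit(SAMPLE_RESPONSE, configured_limit=4096))
```

Run it against a header dump saved from a failing login to see which header dominates before raising the limit on the load balancer.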