Login fails to vIDM with error "Access Denied" while using Third Party IdP

Article ID: 405557

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Enabling a Third Party IdP such as PingFederate in vIDM leads to user login failures with the error "Access Denied".

Two-factor authentication completes as expected on the IdP. However, once the request is passed to vIDM for authorization, it fails with the above error.

Environment

VMware Identity Manager 3.3.7

Cause

This issue happens due to an incorrect attribute contract fulfilment mapping on the Third Party IdP.

For example, if the SAML response returns sAMAccountName but user sync in vIDM is done via UPN, the two identifiers do not match: authentication succeeds on the IdP, but vIDM cannot resolve the asserted subject to a synced user and authorization fails.
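The following is an added example to illustrate the mismatch described above; it is not part of this KB article nor code from VMware or Ping Identity. It parses a constructed, unsigned SAML response whose subject carries a bare sAMAccountName ("jdoe") and compares the shape of that value with the attribute vIDM has been configured to search on. The helper names (`extract_subject`, `classify_identifier`, `check_mapping`) and the heuristic that a UPN contains "@" while a sAMAccountName does not are the example's own assumptions, not vIDM logic.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the response and assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, unsigned response whose subject carries the
# user's sAMAccountName ("jdoe") rather than the UPN ("jdoe@example.com").
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="userName">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_subject(xml_text):
    """Return (NameID value, {attribute name: [values]}) from a SAML response."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text or "" for v in attr.findall("saml:AttributeValue", NS)
        ]
    value = name_id.text.strip() if name_id is not None and name_id.text else None
    return value, attrs


def classify_identifier(value):
    """Heuristic (assumption of this example): which AD attribute does the
    asserted subject look like? A UPN contains '@'; a bare sAMAccountName
    does not."""
    if not value:
        return "missing"
    if "@" in value:
        return "userPrincipalName"
    return "sAMAccountName"


def check_mapping(xml_text, directory_search_attribute):
    """Compare what the IdP asserts with the Directory Search Attribute that
    vIDM uses to look up synced users. A mismatch is the condition behind
    the "Access Denied" error in this article."""
    name_id, attrs = extract_subject(xml_text)
    looks_like = classify_identifier(name_id)
    return {
        "name_id": name_id,
        "attributes": attrs,
        "looks_like": looks_like,
        "matches": looks_like == directory_search_attribute,
    }


if __name__ == "__main__":
    # Same response checked against both possible vIDM search attributes.
    for search_attr in ("userPrincipalName", "sAMAccountName"):
        result = check_mapping(SAMPLE_RESPONSE, search_attr)
        status = "OK" if result["matches"] else "MISMATCH (expect Access Denied)"
        print(f"NameID={result['name_id']!r} looks like {result['looks_like']}; "
              f"vIDM searches on {search_attr}: {status}")
```

Running the script shows the same assertion passing when the directory is synced on sAMAccountName and failing when it is synced on UPN, which is exactly the situation the Cause describes. In practice, capture the real SAML response from the browser's SAML trace or from the vIDM logs and feed it to `check_mapping` with the value found under "Directory Search Attribute".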

Resolution

Edit the attribute contract fulfilment mapping on the Third Party IdP server so that the asserted attribute matches the attribute used for user synchronization on vIDM.

The attribute used for user synchronization can be located as follows:

  1. Log in to the "Administrator Console" for vIDM
  2. Go to "Identity and Access Management"
  3. Click on "Directories"
  4. Click on the Active Directory for which you're enabling the Third Party IdP
  5. Check the attribute selected for "Directory Search Attribute"

Please refer to the SAML provider's documentation for the procedure to change the attribute contract fulfilment.