"Could not create indirect identity provider" when trying to configure an Identity Provider for SSO Using PingFederate Type.

Article ID: 413279


Products

VMware vCenter Server

Issue/Introduction

  • Error while configuring Identity Provider:
    Could not create indirect identity provider
  • In the log location /var/log/vmware/trustmanagement/trustmanagement-svcs.log we see the following entries:
    [tomcat-exec-27 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] API request CREATE_IDENTITY_PROVIDER to url http://localhost:1080/external-vecs/http1/vcentername/443/federation/t/customer/broker/identity-providers returned unexpected response code 400 and the following error information: {"errors":[{"code":"oidc.config.api.validation.error","message":"Failed to retrieve OIDC endpoints from configuration url: https://test.domain.com/default/.well-known/openid-configuration.","parameters":{"configUrl":"https://vcname/default/.well-known/openid-configuration"}}]}
  • In the log location /var/log/vmware/federation-service/federation-service.log we see the following entries:

    INFO  vcenter.barrow.cc:federation (ForkJoinPool-2-worker-61) [CUSTOMER;2########-2##e-4###-###-9########0356;127.0.0.1;b7#####d-2###-48##-9d##-db0b########;-;-] com.vmware.vidm.federation.cds.AbstractConfigProvider - Service vidm config item orgContentSecurityPolicyParams does not exist in CDS 
    WARN  vcenter.barrow.cc:federation (vert.x-eventloop-thread-1) [-;-;-;-;-;-] com.vmware.vidm.common.validations.validator.impl.HttpHeaderValidatorImpl - [ValidationFailure] Header validation failed for host, value: ###########
    INFO  vcenter.barrow.cc:federation (ForkJoinPool-2-worker-61) [OPERATOR;2########-2##e-4###-###-9########0356;127.0.0.1;b7#####d-2###-48##-9d##-db0b########;-;-] com.vmware.vidm.federation.cds.AbstractConfigProvider - Service vidm config item orgContentSecurityPolicyParams does not exist in CDS 
    WARN  vcenter.barrow.cc:federation (vert.x-eventloop-thread-1) [-;-;-;-;-;-] com.vmware.vidm.common.validations.validator.impl.HttpHeaderValidatorImpl [ValidationFailure] Header validation failed for host, value:#########
    WARN vcenter.barrow.cc:federation (vert.x-eventloop-thread-1) [-;-;-;-;-;-] com.vmware.vidm.common.validations.validator.impl.HttpHeaderValidatorImpl - [ValidationFailure] Header validation failed for host, value: ##########
    INFO  vcenter.name:federation (federation-business-pool-0) [CUSTOMER;2########-2##e-4###-###-9########0356;127.0.0.1;b7#####d-2###-48##-9d##-db0b########;-;-] com.vmware.vidm.federation.broker.BrokerIdentityProvidersServiceImpl - Creating Broker identity provider for 'VIP Authentication Hub' 
    INFO  vcenter.name:federation (federation-business-pool-0) [CUSTOMER;2########-2##e-4###-###-9########0356;127.0.0.1;b72######-####-####-####-#######83##d;-;-] com.vmware.vidm.common.http.client.ClientConfig - Using system proxy 
    configuration : Optional.empty 
    INFO  vcenter.name:federation (federation-business-pool-0) [CUSTOMER;########-2##e-4###-###-9########0356127.0.0.1;########-2##e-4###-###-9########0356-;-] com.vmware.vidm.common.http.client.vertx.CircuitBreakerHttpClient - Created client with circuit breaker options io.vertx.circuitbreaker.CircuitBreakerOptions@7#####6[maxFailures=1000,resetTimeout=30000,requestTimeout=-1] 
    INFO  vcenter.name:federation (vert.x-eventloop-thread-3) [-;-;-;-;-;-] org.bouncycastle.jsse.provider.ProvTlsClient - [client #6 @######bb] opening connection to broadcom.com:443 
    INFO  vcenter.name:federation (vert.x-eventloop-thread-3) [-;-;-;-;-;-] org.bouncycastle.jsse.provider.ProvTlsClient - [client #6 @51####bb] raised fatal(2) certificate_unknown(46) alert: Failed to process record org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)

Environment

VMware vCenter Server 8.x

Cause

The issue was due to an incomplete or missing certificate chain on the Identity Provider endpoint. vCenter requires the full certificate chain (including intermediate and root certificates) to establish a trusted connection with the IDP. The certificate_unknown(46) fatal alert in federation-service.log is the TLS client in vCenter rejecting the IDP's certificate because it could not build a trusted path from that certificate to a root in its trust store, and the broker then reports the OIDC discovery URL as unreachable.

Resolution

  1. Validate the certificate chain of your PingFederate IDP. Ensure that the certificate being used by the IDP includes the entire trust chain (root + intermediate certificates).

  2. You can verify the certificate chain using browser tools or with OpenSSL:

    openssl s_client -connect your-idp-url:443 -showcerts
  3. Import the complete certificate chain into vCenter Server:

    • Go to Administration > Certificates > Certificate Management

    • Add the missing intermediate/root certificates under the Trusted Root Store. Please refer to KB 384966.

  4. Retry the Identity Provider configuration.
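
As an added example that is not part of this article, the script below automates step 2: it runs the same openssl s_client -showcerts command, counts how many certificates the endpoint actually sent, and reads the "Verify return code" that openssl prints after the handshake to classify the chain as complete or incomplete (return codes 20 and 21 are the ones a missing intermediate or root produces). It assumes openssl is installed; the IDP_HOST environment variable and the example.test names in the constructed samples are placeholders, not values from the article, and the PEM bodies in the samples are dummies used only to exercise the parsing offline.

```shell
#!/bin/sh
# Added example, not part of the KB article: inspect what an IdP endpoint sends
# during the TLS handshake and classify the chain as complete or incomplete.
# Assumes `openssl` is installed; the host name comes from the IDP_HOST
# environment variable (a placeholder, not a value from the article).

# Number of certificates the server sent (each is a PEM block with -showcerts).
count_chain_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Numeric "Verify return code" that s_client prints after the handshake.
# 0 = trusted path built; 20 = unable to get local issuer certificate;
# 21 = unable to verify the first certificate (the leaf arrived alone).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Reads s_client output on stdin and prints one word: complete, incomplete, failed or none.
chain_status() {
    out=$(cat)
    n=$(printf '%s\n' "$out" | count_chain_certs)
    code=$(printf '%s\n' "$out" | verify_code)
    if [ "$n" -eq 0 ]; then
        echo none
    elif [ "$code" = "0" ]; then
        echo complete
    elif [ "$code" = "20" ] || [ "$code" = "21" ]; then
        echo incomplete   # missing intermediate/root: the condition described under Cause
    else
        echo failed
    fi
}

# Live check against a real endpoint (the article's step 2 plus the classification).
check_live_idp() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | chain_status
}

# Constructed s_client-style samples so the classification can be exercised offline.
# The PEM bodies are dummies; only the block markers and the verify line matter here.
SAMPLE_COMPLETE=$(cat <<'EOF'
Certificate chain
 0 s:CN = idp.example.test
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBdummyLeaf
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBdummyIntermediate
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
EOF
)
SAMPLE_INCOMPLETE=$(cat <<'EOF'
Certificate chain
 0 s:CN = idp.example.test
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBdummyLeaf
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
)

printf 'constructed complete chain:   %s\n' "$(printf '%s\n' "$SAMPLE_COMPLETE" | chain_status)"
printf 'constructed incomplete chain: %s\n' "$(printf '%s\n' "$SAMPLE_INCOMPLETE" | chain_status)"
if [ -n "${IDP_HOST:-}" ]; then
    printf 'live check of %s: %s\n' "$IDP_HOST" "$(check_live_idp "$IDP_HOST")"
fi
```

Run it as `IDP_HOST=your-idp-host sh check_chain.sh`; a result of `incomplete` with only one certificate counted means the IDP is serving its leaf certificate without the issuing chain, which is the condition to fix in step 1 (or to work around by importing the missing intermediate/root in step 3). A `failed` result with some other return code points at a different verification problem (expired certificate, name mismatch) that the same s_client output will name on its Verify line.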