vCenter workload domain SSO configuration fails in VMware Cloud Foundation.
Article ID: 413451

Products

VCF Operations

Issue/Introduction

  • In VMware Cloud Foundation (VCF), configuring the vCenter Server component for a new workload domain (VCF Operations > Fleet Management > Identity & Access > VCF Instances > domain > Component Configuration) fails to finalize VCF Single Sign-On (SSO). This occurs after a workload domain is detached from a previous VCF Operations instance in a way that leaves the vCenter Server intact but still holding its old SSO metadata.
  • Although the workload domain imports successfully into the new management domain, the VCF SSO configuration task fails.
    Error in UI: Error occurred while configuring the component for SSO. Check Support Logs under Control Panel for more details.

  • This issue also occurs when you decommission or tear down a Management Domain before removing the SSO federation from the workload vCenter Server. The vSphere Client then enforces a configuration lock on the SSO settings and displays the following message under Administration > Single Sign On > Configuration > Identity Provider:
    To manage identity provider configuration, log in to the VCF Operations Console.

Environment

  • VMware Cloud Foundation (VCF) 9.0.x
  • VMware vCenter Server 9.x

Cause

The previous identity provider remains registered in the vCenter Server database. Because that original identity provider is still tied to this vCenter Server, reconfiguration with the new SSO identity provider fails and the vSphere Client shows the configuration lock.

Resolution

Remove the stale identity provider metadata from the vCenter database using the API Explorer.

  1. Take a snapshot of the workload domain vCenter server prior to making changes.

  2. Access Workload Domain vCenter Web Client via FQDN: https://vcenterFQDN/ui

  3. Navigate to Menu > Developer Center > API Explorer.

  4. Select the Workload Domain vCenter as endpoint and select the vcenter API.

  5. Locate the API Category identity/providers.

  6. Expand GET /api/vcenter/identity/providers and click Execute.

  7. In the resulting output (scroll down if needed), find the provider ID, for example:

    "provider": "CUSTOMER",

  8. Expand DELETE /api/vcenter/identity/providers/{provider}

  9. In the provider (required) field, enter the value found in step 7 for "provider" (for example, CUSTOMER).

  10. Click Execute and the provider will be removed.

  11. To verify, return to VCF Operations and retry the identity provider configuration for the vCenter component.
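Steps 6 through 10 can also be scripted against the vCenter REST API, which is useful when several workload domain vCenters need the same cleanup. The script below is an added example, not VMware's code; it assumes the POST /api/session login endpoint of the vSphere Automation REST API in addition to the two endpoints named above, and it refuses to issue the DELETE unless the provider ID is actually present in the GET output and --confirm is given.

```python
"""Scripted form of steps 6-10: list the identity providers on the workload domain
vCenter, confirm the stale provider id is registered, then DELETE it. Added example,
not VMware's code; assumes POST /api/session for login plus the two KB endpoints."""
import base64, getpass, json, ssl, sys, urllib.parse, urllib.request

# Constructed sample of a GET /api/vcenter/identity/providers body, for dry runs.
SAMPLE_LISTING = [{"provider": "CUSTOMER", "name": "constructed stale provider"},
                  {"provider": "OTHER", "name": "constructed second provider"}]

def provider_ids(listing):
    """Provider ids as shown in the API Explorer output (step 7)."""
    return [entry["provider"] for entry in listing]

def delete_path(provider_id):
    """Path for DELETE /api/vcenter/identity/providers/{provider} (step 8)."""
    return "/api/vcenter/identity/providers/" + urllib.parse.quote(provider_id, safe="")

def plan_removal(listing, provider_id):
    """Return the DELETE path only if provider_id appears exactly once in the listing."""
    if sum(e["provider"] == provider_id for e in listing) != 1:
        raise LookupError(f"{provider_id!r} not among {provider_ids(listing)}")
    return delete_path(provider_id)

class VCenter:
    """Minimal REST client (login, GET, DELETE) using the default CA trust store."""
    def __init__(self, host, user, password):
        self.base, self.token = f"https://{host}", None
        ctx = ssl.create_default_context()  # add the vCenter CA to the store; do not disable checks
        self.opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
        basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.token = self.call("POST", "/api/session", {"Authorization": "Basic " + basic})

    def call(self, method, path, headers=None):
        req = urllib.request.Request(self.base + path, method=method, headers=headers or {})
        if self.token:
            req.add_header("vmware-api-session-id", self.token)
        with self.opener.open(req) as resp:
            body = resp.read()
        return json.loads(body) if body else None  # DELETE answers 204 with no body

if __name__ == "__main__":
    host, user, stale = sys.argv[1:4]  # e.g. vcenterFQDN administrator@vsphere.local CUSTOMER
    vc = VCenter(host, user, getpass.getpass(f"password for {user}: "))
    listing = vc.call("GET", "/api/vcenter/identity/providers")
    print("registered providers:", provider_ids(listing))
    path = plan_removal(listing, stale)  # refuses if the id is absent or ambiguous
    if "--confirm" not in sys.argv:
        sys.exit(f"dry run; rerun with --confirm to issue DELETE {path}")
    vc.call("DELETE", path)
    print("removed provider", stale)
```

Take the snapshot from step 1 before running it with --confirm; the dry run only lists what is registered and the path that would be deleted.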

Additional Information

Cleanup SSO configuration if VCF Identity Broker is down