Unable to configure NSX for VCF SSO after deletion of previous SSO

Article ID: 413588

Products

  • VMware Cloud Foundation
  • VMware NSX

Issue/Introduction

  • VCF SSO was originally configured using the management domain.
  • The VCF SSO appliance was removed or rebuilt, but NSX was never removed from the old VCF SSO identity provider.
  • Attempting to configure NSX for VCF SSO fails, and within NSX under Identity Providers the old VCF SSO entry is still shown with a failed status.

Environment

  • VMware Cloud Foundation 9.x
  • VMware NSX 9.x

Cause

The original VCF SSO was removed without first removing NSX from the identity provider configuration.

Resolution

Manually remove the identity provider configuration using API calls.

NOTE: These are destructive API calls that remove the identity provider from NSX. It is highly recommended to verify with support before running these commands.

  1. Verify a valid backup exists for the NSX appliance. See Configure Backups.
  2. Log in via SSH to an appliance, such as a vCenter server.
  3. Run the following curl command to list the identity providers in NSX (replace PASSWORD with the admin user password and NSX_FQDN with the NSX Manager FQDN):
    curl -k -X GET -u 'admin:PASSWORD' https://NSX_FQDN/api/v1/trust-management/oidc-uris
  4. The output will look similar to the following (lines that are not important have been removed):
    {
      "results" : [ {
        "name" : "VCF_SSO",
        "oidc_uri" : "https://<VIDB>:443/acs/t/TOKEN/.well-known/openid-configuration",
        "managed_by_vcf" : true,
        "resource_type" : "OidcEndPoint",
        "id" : "<ID String>",   <<< ID string needed in Step 5
        "display_name" : "VCF SSO",
      }, {
        "oidc_uri" : "https://<VCENTER>/openidconnect/vsphere.local/.well-known/openid-configuration",
        "token_endpoint" : "https://<VCENTER>/openidconnect/token/vsphere.local",
        "id" : "<ID String>",   <<< ID string needed in Step 5
      } ]
    }
  5. Run the DELETE API call to remove the identity provider from NSX. Do this for BOTH IDs, one at a time (replace <PASSWORD> with the admin user password and <NSX_MANAGER> with the NSX Manager FQDN):
    curl -k -X DELETE -u 'admin:<PASSWORD>' https://<NSX_MANAGER>/api/v1/trust-management/oidc-uris/<ID From Step 4>
  6. Verify the identity provider has been removed within NSX (for example, by re-running the GET command from Step 3 and confirming the IDs are gone).
  7. Configure the identity provider within VCF Operations: go to Fleet Management > VCF Instances > Domain Name > Component Configuration, select the NSX component, and choose Configure Component.
  8. Verify the status shows "Configured".
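The following Python script is an added example, not part of this article or of any VMware tooling. It performs Steps 3 to 6 above against the same NSX endpoint (GET and DELETE on /api/v1/trust-management/oidc-uris), listing every identity provider entry for review, deleting only the IDs the operator passes in, one at a time, and then re-listing to confirm they are gone. Unlike the curl commands above, which use -k, it verifies the NSX Manager certificate by default and only skips verification when explicitly told to. The sample listing embedded below is constructed from the abbreviated output in Step 4 with placeholder hostnames and IDs; the DryRunClient lets the flow be exercised offline before touching a real NSX Manager. The NSX hostname, credentials and CA bundle are assumed arguments, and the admin password is read from the NSX_PASSWORD environment variable rather than the command line.

```python
"""Remove stale VCF SSO / vCenter OIDC identity-provider entries from NSX.

Added example mirroring Steps 3-6 of the article; not VMware code.
"""
import base64
import json
import os
import ssl
import sys
from urllib.request import Request, urlopen

# Constructed sample listing, shaped like the Step 4 output (placeholders only).
SAMPLE_LISTING = json.dumps({
    "results": [
        {
            "name": "VCF_SSO",
            "oidc_uri": "https://vidb.example.test:443/acs/t/TOKEN/.well-known/openid-configuration",
            "managed_by_vcf": True,
            "resource_type": "OidcEndPoint",
            "id": "00000000-0000-0000-0000-000000000001",
            "display_name": "VCF SSO",
        },
        {
            "oidc_uri": "https://vcenter.example.test/openidconnect/vsphere.local/.well-known/openid-configuration",
            "token_endpoint": "https://vcenter.example.test/openidconnect/token/vsphere.local",
            "id": "00000000-0000-0000-0000-000000000002",
        },
    ]
})


def parse_oidc_endpoints(listing_json):
    """Return [(id, label, oidc_uri)] from a GET /trust-management/oidc-uris body."""
    data = json.loads(listing_json)
    entries = []
    for entry in data.get("results", []):
        label = entry.get("display_name") or entry.get("name") or "(unnamed)"
        entries.append((entry["id"], label, entry.get("oidc_uri", "")))
    return entries


class NsxClient:
    """Minimal NSX Manager REST client using basic auth for the admin user."""

    def __init__(self, fqdn, username, password, cafile=None, insecure=False):
        self.base = f"https://{fqdn}/api/v1"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
        # TLS is verified by default (optionally against a private CA bundle);
        # insecure=True reproduces curl -k and should only be a last resort.
        self.ctx = ssl._create_unverified_context() if insecure else ssl.create_default_context(cafile=cafile)

    def _call(self, method, path):
        req = Request(self.base + path, method=method, headers=self.headers)
        with urlopen(req, context=self.ctx) as resp:
            return resp.status, resp.read().decode()

    def list_oidc_endpoints(self):
        _, body = self._call("GET", "/trust-management/oidc-uris")
        return parse_oidc_endpoints(body)

    def delete_oidc_endpoint(self, endpoint_id):
        status, _ = self._call("DELETE", f"/trust-management/oidc-uris/{endpoint_id}")
        return status


class DryRunClient:
    """In-memory stand-in for NsxClient so the flow can be rehearsed offline."""

    def __init__(self, listing_json):
        self.entries = parse_oidc_endpoints(listing_json)

    def list_oidc_endpoints(self):
        return list(self.entries)

    def delete_oidc_endpoint(self, endpoint_id):
        before = len(self.entries)
        self.entries = [e for e in self.entries if e[0] != endpoint_id]
        return 200 if len(self.entries) < before else 404


def remove_endpoints(client, ids_to_remove):
    """Delete each ID one at a time (Step 5), re-list (Step 6), return IDs still present."""
    for endpoint_id in ids_to_remove:
        print(f"DELETE {endpoint_id} -> HTTP {client.delete_oidc_endpoint(endpoint_id)}")
    remaining = {eid for eid, _, _ in client.list_oidc_endpoints()}
    return sorted(remaining & set(ids_to_remove))


if __name__ == "__main__":
    # Usage: NSX_PASSWORD=... python remove_stale_idp.py <nsx_fqdn> [ca_bundle.pem] [id ...]
    # With no IDs given, the script only lists entries (Steps 3-4) and exits.
    fqdn, cafile = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 and sys.argv[2].endswith(".pem") else None)
    ids = [a for a in sys.argv[2:] if not a.endswith(".pem")]
    nsx = NsxClient(fqdn, "admin", os.environ["NSX_PASSWORD"], cafile=cafile)
    for eid, label, uri in nsx.list_oidc_endpoints():
        print(f"{eid}  {label}  {uri}")
    if ids:
        print("still present after delete:", remove_endpoints(nsx, ids))
```

Run it once without IDs to review the listing, then pass only the IDs that belong to the removed VCF SSO and the old vCenter entry; an empty "still present" result is the Step 6 verification. The DELETE is performed per ID rather than in bulk so a failed call stops the operator before the second entry is touched.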