Attempts to Login to VCF Operations Fail When Using an Alias or Load Balancer VIP via VMware Identity Broker SSO.
Article ID: 413976

Products

VCF Operations

Issue/Introduction

  • When attempting to log in to VCF Operations 9.x using an alias (e.g., CNAME) or a Load Balancer VIP (Virtual IP) instead of the primary node's FQDN, the login fails.
  • When accessing the VCF Operations UI through an alias, the following error is displayed:
    Please contact your VCF Admin with the below details for resolution.
    Message: Invalid redirect URL https://<internal-url>/ui/vidbClient/vidb/ specified in authorize request
    Error Code: oauth2.request.invalid.redirecturl

Environment

VCF Operations 9.x

Cause

The VMware Identity Broker (VIDB) only authorizes redirect URIs that are explicitly registered during the initial SSO configuration. If a user accesses the UI via an alias or VIP that was not part of the original registration, the redirect_url sent by the browser does not match the registered list, causing the OAuth2 security filter to reject the request with the oauth2.request.invalid.redirecturl error.
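
The exact-match check described above, sketched as an added example (a simplified model, not VIDB or VCF Operations code). It assumes the standard OAuth2 `redirect_uri` parameter; the broker host, primary FQDN, `/authorize` path and client ID are constructed, and the callback path and error code are taken from the error shown on this page.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

CALLBACK_PATH = "/ui/vidbClient/vidb/"  # path taken from the error message on this page
ERROR_CODE = "oauth2.request.invalid.redirecturl"  # error code shown on this page


def normalize(uri):
    """Reduce a redirect URI to (scheme, host, port, path) for exact comparison."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return scheme, host, port, parts.path


def redirect_for(access_url):
    """Redirect URI presented when the UI is reached at access_url (assumption)."""
    return access_url.rstrip("/") + CALLBACK_PATH


def check_authorize_request(request_url, registered_uris):
    """Return (ok, detail). Exact match only: no prefix or wildcard matching."""
    query = parse_qs(urlsplit(request_url).query)
    values = query.get("redirect_uri", [])
    if len(values) != 1:
        return False, ERROR_CODE  # missing or duplicated parameter is rejected
    allowed = {normalize(u) for u in registered_uris}
    if normalize(values[0]) in allowed:
        return True, values[0]
    return False, ERROR_CODE


def build_authorize_url(broker, redirect_uri):
    """Build a constructed authorize request; endpoint and client_id are made up."""
    return broker + "/authorize?" + urlencode(
        {"response_type": "code", "client_id": "vcf-ops", "redirect_uri": redirect_uri})


# Constructed sample values; only vops-alias.example.com appears on the page.
BROKER = "https://vidb.example.com"
PRIMARY = "https://vops-node1.example.com"
ALIAS = "https://vops-alias.example.com"

if __name__ == "__main__":
    registered = [redirect_for(PRIMARY)]  # only the primary FQDN is registered
    print(check_authorize_request(build_authorize_url(BROKER, redirect_for(ALIAS)), registered))
    registered = [redirect_for(ALIAS)]    # alias is now the registered redirect URI
    print(check_authorize_request(build_authorize_url(BROKER, redirect_for(ALIAS)), registered))
```

The first call is rejected with the error code from this article because the alias host is not in the registered set; the second succeeds once the alias is the registered value.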

Resolution

To resolve this issue, you must update the System Access URL in VCF Operations to match the alias or VIP being used. This ensures that the application provides the correct redirect URI during the authentication flow.

  1. Log in to the VCF Operations UI using a Local Administrator account via the primary node's FQDN.
  2. Navigate to Administration > Global Settings > System Settings.
  3. Locate the System Access URL field.
  4. Enter the full URL (including https://) that users will use to access the site (e.g., https://vops-alias.example.com).
  5. Click Save.