Unable to log into VCF Operations for Networks using VCF SSO
Article ID: 419248


Products

VCF Operations for Networks

Issue/Introduction

  • This is a new VCF Operations for Networks deployment.

  • VCF SSO has been successfully configured.

  • The VCF SSO Identity Broker is external, using a OneLogin domain. The authentication method is SAML and the identity source is SAML 2.0.

  • The user is unable to log into VCF Operations for Networks using VCF SSO.

  • Error message seen when attempting to log in with VCF SSO on the Operations for Networks UI:
    Unable to process login. Please contact support team.

  • In the restapilayer log on Operations for Networks, located at /var/log/arkin/restapilayer/latest.log, the following log entries are seen:
    
    2025-09-28T15:25:07.000849Z ERROR restapilayer 38495 [netw@4413 class="restapilayer.api.AuditApiFilter" thread="dw-12396 - GET /auth/sso/callback_code=#####kMjctM########g3MjQtMWIzNTQ5########VsZ3FuOTZ#########4SDd1SURzOA_state=#####joO85G######HKQk_dbX7hqaPqV#####_nonce=#####asBzBfknLE#####iSIMaZLl60s3Vb####" method="exchangeCodeForToken" line="116"] Failed to get username.
    java.lang.NullPointerException: null
    
    2025-10-28T15:26:14.000809Z DEBUG restapilayer 24600 [netw@4413 class="sso.client.SsoClientImpl" thread="dw-310 - GET /auth/sso/callback_code=#####kMjctM########g3MjQtMWIzNTQ5########VsZ3FuOTZ#########4SDd1SURzOA_state=#####joO85G######HKQk_dbX7hqaPqV#####_nonce=#####asBzBfknLE#####iSIMaZLl60s3Vb####" method="exchangeCodeForToken" line="278"] User claims :{at_hash=#####-BvDh#####2Icg, sub=######-a835-48ee-8955-#########, email_verified=false, user_name=##_####, at_jti=#######-0a1a-####-9952-6016b#####, iss=https://###-#####-vidb.########.com/acs/t/CUSTOMER/, group_names=[VM-VCF-#########@#######.com, VM-VCF-#########@#######.com], oid=#######-a835-###-8955-##########, nonce=gSzKytuasBzBfknLEqkOGjciSIMaZLl60s3VbFQPbQ4, aud=#####-36cd-4e18-990f-#######, c_hash=L0awkiEfmOjmsdVnUSiNUQ, updated_at=1758205431518, azp=#######-36cd-4e18-990f-######, auth_time=1761662307, group_ids=[########-f4b3-4f85-####-e0d4a4749b0e, #######-e11c-####-9108-######], exp=1761666974, iat=1761665174, jti=####-8feb-####-ad6a-########, acct=#_####@#####.com}
    
    2025-09-28T15:27:14.000809Z ERROR restapilayer 38495 [netw@4413 class="vnera.restapilayer.AuthResource" thread="dw-12154 - GET /auth/status" method="status" line="3994"] User not authenticated
    java.lang.IllegalArgumentException: null/empty fields in userData
    at com.google.common.base.Preconditions.checkArgument(Preconditions.java:135) _[guava-23.5-jre.jar:_]
    at com.vnera.storage.config.fdb.stores.FdbAuthStore.createUser(FdbAuthStore.java:75) _[storage-config-0.001-SNAPSHOT.jar:_]
    
    

Environment


VCF Operations for Networks 9.0.0
VCF Operations for Networks 9.0.1.0

Cause

When authenticating to Operations for Networks using VCF SSO, login fails if access is granted through a group.
In that case the ID token does not include the name claim (name / display name).
Operations for Networks SSO expects the name claim in the ID token; with group-based assignment, the name (display name) claim isn’t present, causing login to fail.
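
One way to confirm this cause from the logs, as an added example that is not part of the original article or the product's code: the script parses the "User claims" DEBUG line format shown above and lists logins whose ID token carries no name claim. The sample lines are constructed, and the claim key "name" is an assumption taken from the cause description.

```python
import re

# Constructed sample lines modelled on the DEBUG entry above; all values are made up.
PREFIX = ('2025-10-28T15:26:14.000809Z DEBUG restapilayer 24600 [netw@4413 '
          'class="sso.client.SsoClientImpl" method="exchangeCodeForToken" line="278"] ')
SAMPLE_LOG = [
    PREFIX + 'User claims :{sub=1111, user_name=jdoe, group_names=[grp-a@example.com, '
             'grp-b@example.com], exp=1761666974, acct=jdoe@example.com}',
    PREFIX + 'User claims :{sub=2222, user_name=asmith, name=Alice Smith, '
             'group_names=[grp-a@example.com], acct=asmith@example.com}',
    '2025-10-28T15:27:14.000809Z ERROR restapilayer 38495 [...] User not authenticated',
]

# Group 1: leading timestamp; group 2: body of the Java Map.toString() dump.
CLAIMS_RE = re.compile(r'^(\S+) .*User claims\s*:\s*\{(.*)\}\s*$')

def split_top_level(body):
    """Split on commas that are not inside [...] (group lists contain commas)."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == '[':
            depth += 1
        elif ch == ']':
            depth -= 1
        elif ch == ',' and depth == 0:
            parts.append(body[start:i])
            start = i + 1
    parts.append(body[start:])
    return parts

def parse_claims(line):
    """Return (timestamp, claims dict) for a 'User claims' line, else None."""
    m = CLAIMS_RE.match(line)
    if not m:
        return None
    claims = {}
    for part in split_top_level(m.group(2)):
        key, _, value = part.strip().partition('=')
        if value.startswith('[') and value.endswith(']'):
            value = [v.strip() for v in value[1:-1].split(',') if v.strip()]
        claims[key] = value
    return m.group(1), claims

def logins_missing_name(lines):
    """List (timestamp, user_name) for tokens with no usable 'name' claim (assumed key)."""
    hits = []
    for line in lines:
        parsed = parse_claims(line)
        if parsed and parsed[1].get('name') in (None, '', 'null'):
            hits.append((parsed[0], parsed[1].get('user_name')))
    return hits
```

To check a real appliance, pass the lines of /var/log/arkin/restapilayer/latest.log to logins_missing_name; the "User claims" entry is logged at DEBUG level, so it only appears when that level is enabled.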

Resolution

This is a known issue in the VCF Operations for Networks 9.0.x release.

Workaround:

This issue only occurs when a user group is added to VCF Operations for Networks instead of an individual user.

For now, the available workaround is to add the user individually from the user management page of the VCF Operations for Networks GUI, under VCF SSO.

Steps as below:

  1. On the VCF Operations for Networks GUI, click Setting > Identity and access management.
  2. Click the VCF SSO Users tab and then click Add User/Group.
  3. Search for the user in the drop-down and select the user in question.
  4. Assign a role to the user.
  5. Click Submit.