Access Denied. Unable to authenticate the user" screen immediately after successfully completing Multi-Factor Authentication (MFA) when configuring Single Sign-On (SSO) with an external Identity Provider (IdP) such as PingID.

VCF Operations 9.0.x
vCenter Server 8.0.x
VMware NSX 9.x
External Identity Provider: PingID
A mismatch or incorrect configuration of the Name ID claim mapping exists between the external Identity Provider (PingID) and the VCF embedded Identity Broker (VIDB). The VIDB expects a specific claim (e.g., sAMAccountName or userName) as the NameID, and that claim is either not configured correctly or is not passed in the ID Token from PingID. Because of this mismatch the VIDB cannot identify the user, which produces the "Access Denied" error.

You can confirm this issue by reviewing the logs: /var/log/vmware/vc-wsla-broker/federation-service.log shows the following error:

com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationException: ID Token did not return expected nameId claim sAMAccountName
Follow these steps to verify and correct the configuration causing the "Access Denied" error:
Check Name ID Claim Mapping: Verify and correct the Name ID claim mapping configuration on both the VCF SSO Identity Broker and the external Identity Provider sides, ensuring an exact match. The claim name configured in the VCF Identity Provider must exactly match the claim name that PingID returns in the ID Token (examples of claims to check include sAMAccountName and userName).
Check Certificate Chain: Ensure the certificate installed in the VCF environment includes the complete trust chain (Root, Intermediate, and Server certificates).
For detailed guidance on these configuration items, see Configure VCF SSO with modern identity provider for authentication and AD/LDAP for user-group provisioning.
Successful group provisioning via AD/LDAP (syncing) does not guarantee successful Name ID claim mapping for the SSO authentication token. The Identity Provider health status appearing "green" in VCF Operations does not rule out incorrect token content or claim mapping. You may also see "InvalidTokenException" and "Suite Token is not present" in the logs when troubleshooting this issue.
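Because the error is about the content of the ID Token rather than the IdP health status, it helps to inspect the token's claims directly and compare them with the claim name configured on the VCF Identity Broker. The following Python script is an added illustration (not VCF or PingID code): it decodes the payload of a JWT-format ID token without verifying the signature, purely to list the claims present, and reports whether the configured NameID claim is there. The sample token and its claim values are constructed for the example.

```python
import base64
import json

# Constructed sample ID token (header.payload.signature). The signature segment is a
# placeholder, so this token is only useful for inspecting claim content, not for trust.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "https://idp.example.test", "sub": "abc123",
                        "userName": "jdoe", "email": "jdoe@example.test"}).encode()),
    "placeholder-signature",
])


def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a JWT-format ID token.

    The signature is NOT checked; this is for reading claim names during
    troubleshooting, so only run it on a token you obtained from your own IdP."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a three-segment JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def check_nameid_claim(id_token: str, expected_claim: str) -> tuple:
    """Check that the claim configured as NameID on the Identity Broker is present
    and non-empty in the token. Returns (ok, message); the failure message mirrors
    the federation-service.log error so it can be matched against the logs."""
    claims = decode_id_token_claims(id_token)
    value = claims.get(expected_claim)
    if value:
        return True, f"ID token carries {expected_claim}={value!r}"
    return False, (f"ID Token did not return expected nameId claim {expected_claim}; "
                   f"claims present: {sorted(claims)}")


if __name__ == "__main__":
    # Compare the claim the broker expects (e.g., sAMAccountName) with what the IdP sends.
    for claim in ("sAMAccountName", "userName"):
        ok, msg = check_nameid_claim(SAMPLE_ID_TOKEN, claim)
        print("OK  " if ok else "FAIL", msg)
```

If the check fails for the claim configured on the VCF side but succeeds for another claim (as in the sample, where PingID sends userName but the broker expects sAMAccountName), the fix is to align the mapping on one side so both use the same claim name.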
Additional error found in the /var/log/vmware/vc-wsla-broker/accesscontrol-service.log:
[ValidationFailure] Header validation failed for host, value: <ENCODED_VALUE>
For this error, use the KB article "Could not create indirect identity provider" when trying to configure an Identity Provider for SSO Using PingFederate Type to check for an incomplete or missing certificate chain for the Identity Provider endpoint.