SDDC Manager UI Login Failure with Blank Screen

Article ID: 425639

Products

VMware Cloud Foundation

Issue/Introduction

  • Users are unable to log in to the SDDC Manager UI, and the UI displays a blank screen after authentication.

  • In the SDDC Manager log file /var/log/vmware/vcf/sddc-manager-ui-app/sddcManagerServer.log, the following error is observed:

    YYYY-MM-DDTHH:MM:SS ERROR [4736320faafb4eee] [services/errorHandling.js, ####-####-########, productionErrorRoute:131]
    600.158: VError: Sending error response: SAML assertion not yet valid
        at Object.errorHandlerSend (/opt/vmware/vcf/####-#######-##-###/server/src/errors/VCFError.js:104:5)
        at productionErrorRoute (/opt/vmware/vcf/####-#######-##-###/server/src/services/errorHandling.js:118:34)
        at Layer.handle_error (/opt/vmware/vcf/####-#######-##-###/server/node_modules/express/lib/router/layer.js:71:5)
        at trim_prefix (/opt/vmware/vcf/####-#######-##-###/server/node_modules/express/lib/router/index.js:326:13)
        at /opt/vmware/vcf/####-#######-##-###/server/node_modules/express/lib/router/index.js:286:9
        at Function.process_params (/opt/vmware/vcf/####-#######-##-###/server/node_modules/express/lib/router/index.js:346:12)
        at next (/opt/vmware/vcf/####-#######-##-###/server/node_modules/express/lib/router/index.js:280:10)
        at Layer.handle_error (/opt/vmware/vcf/####-#######-##-###/server/node_modules/express/lib/router/layer.js:67:12)
        at trim_prefix (/opt/vmware/vcf/####-#######-##-###/server/node_modules/express/lib/router/index.js:326:13)
        at /opt/vmware/vcf/####-#######-##-###/server/node_modules/express/lib/router/index.js:286:9
    Error Info: {"id":"########-####-####-####-############","requestedPath":"/ui/api/internal/login/callback","error":{"id":"########-####-####-####-############"},"stack":"Error: SAML assertion not yet valid\n    at SAML.checkTimestampsValidityError (/opt/vmware/vcf/####-#######-##-###/server/node_modules/########-####/lib/####-####/saml.js:932:24)\n    at SAML.processValidlySignedAssertionAsync (/opt/vmware/vcf/####-#######-##-###/server/node_modules/########-####/lib/####-####/saml.js:870:33)\n    at processTicksAndRejections (node:internal/process/task_queues:105:5)\n    at runNextTicks (node:internal/process/task_queues:69:3)\n    at process.processImmediate (node:internal/timers:453:9)\n    at process.callbackTrampoline (node:internal/async_hooks:130:17)\n    at async SAML.validatePostResponseAsync (/opt/vmware/vcf/####-#######-##-###/server/node_modules/########-####/lib/####-####/saml.js:587:24)","message":"SAML assertion not yet valid","status":500,"errorModule":600,"errorCode":158}
    caused by:
    Error: SAML assertion not yet valid
        at SAML.checkTimestampsValidityError (/opt/vmware/vcf/####-#######-##-###/server/node_modules/########-####/lib/####-####/saml.js:932:24)
        at SAML.processValidlySignedAssertionAsync (/opt/vmware/vcf/####-#######-##-###/server/node_modules/########-####/lib/####-####/saml.js:870:33)
        at processTicksAndRejections (node:internal/process/task_queues:105:5)
        at runNextTicks (node:internal/process/task_queues:69:3)
        at process.processImmediate (node:internal/timers:453:9)
        at process.callbackTrampoline (node:internal/async_hooks:130:17)
        at async SAML.validatePostResponseAsync (/opt/vmware/vcf/####-#######-##-###/server/node_modules/########-####/lib/####-####/saml.js:587:24)
    All Errors Info:
     SAML assertion not yet valid {"error":{"id":"########-####-####-####-############"},"id":"########-####-####-####-############","requestedPath":"/ui/api/internal/login/callback","stack":"Error: SAML assertion not yet valid\n    at SAML.checkTimestampsValidityError (/opt/vmware/vcf/####-#######-##-###/server/node_modules/########-####/lib/####-####/saml.js:932:24)\n    at SAML.processValidlySignedAssertionAsync (/opt/vmware/vcf/####-#######-##-###/server/node_modules/########-####/lib/####-####/saml.js:870:33)\n    at processTicksAndRejections (node:internal/process/task_queues:105:5)\n    at runNextTicks (node:internal/process/task_queues:69:3)\n    at process.processImmediate (node:internal/timers:453:9)\n    at process.callbackTrampoline (node:internal/async_hooks:130:17)\n    at async SAML.validatePostResponseAsync (/opt/vmware/vcf/####-#######-##-###/server/node_modules/########-####/lib/####-####/saml.js:587:24)","status":500}

  • Further investigation shows a time synchronization mismatch between vCenter Server and SDDC Manager.

    vCenter NTP

    SDDC Manager NTP

 

Environment

VMware Cloud Foundation 9.0

Cause

This issue is caused by a time skew (time synchronization mismatch) between the SDDC Manager and the Identity Provider (vCenter SSO).

When vCenter Server issues a SAML token (assertion), it includes a NotBefore timestamp. If the system clock on the SDDC Manager is behind the vCenter Server clock, the assertion is considered not yet valid, and the authentication request is rejected.

Even a time difference of only a few seconds can trigger this security validation failure.
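
The NotBefore check described above, as an added Python example (not SDDC Manager's code): it evaluates a constructed assertion's Conditions against a service provider clock running 4 seconds behind the issuer. The sample XML, the function names and the tolerance_s parameter are assumptions for illustration; tolerance_s is not an SDDC Manager setting.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the elements the timestamp check reads.
# Signature validation is out of scope; parse untrusted XML with a hardened parser.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" IssueInstant="2025-01-01T12:00:00Z" Version="2.0">
  <saml:Conditions NotBefore="2025-01-01T12:00:00Z"
                   NotOnOrAfter="2025-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2025-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(assertion_xml, sp_now, tolerance_s=0):
    """Evaluate Conditions against the service provider's clock.

    sp_now must be timezone-aware. Returns (verdict, seconds), where
    seconds is how far sp_now lies outside the window (0.0 when valid).
    """
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    tol = timedelta(seconds=tolerance_s)  # hypothetical skew allowance
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and sp_now + tol < parse_ts(not_before):
        return "not yet valid", (parse_ts(not_before) - sp_now).total_seconds()
    if not_on_or_after and sp_now - tol >= parse_ts(not_on_or_after):
        return "expired", (sp_now - parse_ts(not_on_or_after)).total_seconds()
    return "valid", 0.0


if __name__ == "__main__":
    idp_now = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    behind = idp_now - timedelta(seconds=4)  # SP clock 4 s behind the issuer
    print(check_conditions(SAMPLE_ASSERTION, behind))
    print(check_conditions(SAMPLE_ASSERTION, behind, tolerance_s=5))
```
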

Resolution

Step 1: Verify Time Sync Discrepancy

  1. Log in via SSH to the SDDC Manager as root.

  2. Log in via SSH to the Management vCenter Server (vCSA) as root.

  3. Run the date command on both appliances simultaneously:

    date -u
    
  4. Compare the output:

    • If the SDDC Manager time is earlier than the vCenter Server time, SAML validation may fail.

Step 2: Synchronize NTP Services

  1. Ensure both the SDDC Manager and vCenter Server are configured to use the same NTP server(s).

  2. On the SDDC Manager, if a noticeable time drift exists, force a time synchronization:

    systemctl stop ntpd
    ntpdate -u <NTP_Server_IP>
    systemctl start ntpd

     

  3. Verify NTP synchronization status:

    ntpq -pn

Note:
If both systems are already configured to use the same NTP source, it is recommended to restart the ntpd service first.
If synchronization still fails, consider temporarily changing the NTP server address on the affected appliance to complete the sync.
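
Reading the ntpq -pn output from step 3, as an added Python example that is not part of the original article: it parses the peer table, reports whether ntpd has selected a peer (the line marked with an asterisk) and lists peers that never answered. The sample output is constructed with documentation-range addresses, and the 1000 ms offset limit is an illustrative assumption.

```python
# Constructed sample of `ntpq -pn` output (documentation-range addresses).
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      203.0.113.5      2 u   33   64  377    0.412   -1.250   0.210
+192.0.2.11      203.0.113.5      2 u   12   64  377    0.530    2.104   0.340
 192.0.2.12      .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""


def parse_ntpq(output):
    """Return one dict per peer line; assumes raw, unstripped output."""
    peers = []
    for line in output.splitlines():
        fields = line[1:].split()  # column 0 is the tally code
        if len(fields) != 10 or not fields[2].isdigit():
            continue  # header, separator or blank line
        peers.append({
            "tally": line[0],            # '*' marks the peer ntpd is synced to
            "remote": fields[0],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),  # octal bitmask of the last 8 polls
            "offset_ms": float(fields[8]),
        })
    return peers


def unreachable_peers(output):
    """Peers with reach 0: none of the last eight polls was answered."""
    return [p["remote"] for p in parse_ntpq(output) if p["reach"] == 0]


def sync_status(output, max_offset_ms=1000.0):
    """Return (ok, reason); max_offset_ms is an illustrative threshold."""
    selected = [p for p in parse_ntpq(output) if p["tally"] == "*"]
    if not selected:
        return False, "no peer selected: ntpd is not synchronized"
    peer = selected[0]
    if abs(peer["offset_ms"]) > max_offset_ms:
        return False, f"offset {peer['offset_ms']} ms to {peer['remote']} exceeds limit"
    return True, f"synced to {peer['remote']}, offset {peer['offset_ms']} ms"


if __name__ == "__main__":
    print(sync_status(SAMPLE_NTPQ))
    print("unreachable:", unreachable_peers(SAMPLE_NTPQ))
```
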

Step 3: Clear Browser Cache and Retry

  1. Clear browser cookies and cache.

  2. Open a new Incognito / Private browser window.

  3. Attempt to log in to the SDDC Manager UI again.