"Invalid access policy" SSO login failure when accessing VCF Operations

Article ID: 427108

Updated On:

Products

VCF Operations

Issue/Introduction

  • SSO login to Management and Workload vCenters is not working.
  • Users are unable to authenticate in VMware Cloud Foundation (VCF) Operations.
  • When attempting to log in via SSO, the UI displays the following error:
    • Error: VCF Identity Broker encountered an issue during authentication. Please contact your VCF Admin with the below resolution.
    • Message: Invalid access policy 
  • The log file file-log-.log on the vIDB appliance contains a message similar to:
    • com.vmware.vidm.accesscontrol.OAuth2ClientService - [getValidatedClient] Unable to verify client secret
    • Log location: /var/log/services-logs/vidb-external/vidb-service/file-logs/file-log-##########.log
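The following triage check is an added example, not part of this KB article or of any Broadcom tooling: it scans the vIDB file-logs directory named above for the "Unable to verify client secret" signature and reports how many times it occurs, so an admin can confirm this article applies before rotating secrets. The function names, the constructed sample log and its placeholder timestamps are assumptions for illustration.

```shell
#!/bin/sh
# Added example: look for the vIDB client-secret verification failure
# described in the KB. LOG_DIR defaults to the path the KB names; point it
# at a copied directory to run this off-appliance.
LOG_DIR="${LOG_DIR:-/var/log/services-logs/vidb-external/vidb-service/file-logs}"
# Basic-regex form of the log signature; the brackets are escaped so they match literally.
SIGNATURE='OAuth2ClientService - \[getValidatedClient\] Unable to verify client secret'

# count_secret_failures DIR -> prints the number of matching lines across file-log-*.log
count_secret_failures() {
  dir="$1"
  # If the glob matches nothing, ls fails and we report zero instead of erroring out.
  if ls "$dir"/file-log-*.log >/dev/null 2>&1; then
    grep -h "$SIGNATURE" "$dir"/file-log-*.log | wc -l | tr -d ' '
  else
    echo 0
  fi
}

# make_sample_log DIR -> writes a constructed sample log (placeholder timestamps)
# so the check can be exercised offline.
make_sample_log() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/file-log-0000000001.log" <<'EOF'
2024-01-01T10:00:00.000Z INFO  com.vmware.vidm.accesscontrol.OAuth2ClientService - [getValidatedClient] client lookup ok
2024-01-01T10:00:05.000Z ERROR com.vmware.vidm.accesscontrol.OAuth2ClientService - [getValidatedClient] Unable to verify client secret
2024-01-01T10:00:09.000Z ERROR com.vmware.vidm.accesscontrol.OAuth2ClientService - [getValidatedClient] Unable to verify client secret
EOF
}

main() {
  n="$(count_secret_failures "$LOG_DIR")"
  if [ "$n" -gt 0 ]; then
    echo "$n client-secret verification failure(s) in $LOG_DIR: the OAuth2 client secret likely needs rotating (Resolution step 2)."
  else
    echo "No client-secret verification failures in $LOG_DIR: this article's cause is unlikely."
  fi
}

main
```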

Environment

VCF Operations 9.0.x

SDDC Manager 9.x

vCenter Server 9.x

Resolution

  1. Prerequisite snapshots: Before proceeding, take snapshots of the vCenter Server and VCF Operations Fleet Manager appliances so that you can roll back if necessary.
  2. Rotate the OAuth2 client secret: Use Method 2 (manually rotate the vCenter's OAuth2 client secret) as described in the KB article "Unable to authenticate. Check your credentials - Login failure on 9.0 VCs due to invalid OAuth2 client".
  3. Clean up the SSO configuration: If the issue persists, or the VCF Identity Broker is down, follow the steps in the KB article "Cleanup SSO configuration if VCF Identity Broker is down".