Failure to load NSX GUI pages dependent on SSP when assigning roles to group via SSO.
search cancel

Failure to load NSX GUI pages dependent on SSP when assigning roles to group via SSO.

book

Article ID: 429480

calendar_today

Updated On:

Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Propagation of roles from NSX to SSP fails, when using VCF SSO based login on NSX Manager, with role assigned to the group user belongs to.

When attempting to access SSP  the NSX Manager UI (Security → Security Services Platform) using a VCF SSO domain user with Enterprise Admin role, the following error is observed:

Failed to load the ingress URL. Please try again.

IPS/IDS Page in NSX shows access denied for SSO user w/ enterprise_admin role, after onboarding NSX on the SSP. 

Environment

Issue impacts environments with NSX Manager 9.0.x and any version of SSP onboarded with NSX.

Cause

NSX reverse proxy hits an exception when processing a request forwarded to SSP (APIs with /napp  prefix) - when the user role assignment is done via VCF SSO, with LDAP integration. If the role is assigned to the group that user belongs to OR role is not assigned within VIDB, but instead added in NSX via User Management - following exception is observed in NSX manager logs when accessing UI pages that fetch information directly from SSP.

2026-02-04T05:09:09.652Z WARNING NSX 16314 [nsx@4413 comp="nsx-manager" level="WARNING" logger="AuthorizationUtils" subcomp="http" threadName="Processing request 0f16cfc7-a81b-4eca-b3ec-5b8bb7fd0775"] Exception while processing user roles.
java.lang.NullPointerException: Cannot invoke "com.fasterxml.jackson.databind.JsonNode.forEach(java.util.function.Consumer)" because the return value of "com.fasterxml.jackson.databind.JsonNode.get(String)" is null
        at com.vmware.nsx.management.rp.security.AuthorizationUtils.lambda$addRoleHeaders$1(AuthorizationUtils.java:186)
        at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:247)
        at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
        at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:162)
        at com.vmware.nsx.management.rp.security.AuthorizationUtils.addRoleHeaders(AuthorizationUtils.java:180)
        at com.vmware.nsx.management.rp.BaseRequestHandler.processRequest(BaseRequestHandler.java:377)
        at com.vmware.nsx.management.rp.BaseProxyDelegate.processRequest(BaseProxyDelegate.java:235)
        at com.vmware.nsx.management.rp.BaseProxyDelegate.processServletRequest(BaseProxyDelegate.java:193)

 

Resolution

Please contact Broadcom support for further troubleshooting.

Powered by Wolken Software