2026-03-11T14:11:16.000094Z INFO restapilayer 4676 [netw@4413 class="restapilayer.deploymentdef.Status" thread="management-resource-exec-2" method="readFromStore" line="77"] Successfully read steps from store
2026-03-11T14:11:16.000103Z WARNING restapilayer 4676 [netw@4413 class="vnera.restapilayer.AuthRealmManager" thread="management-resource-exec-4" method="getVIDMCertificateChangeList" line="1324"] Failed to get certificate changes
2026-03-11T14:11:16.000104Z ERROR restapilayer 4676 [netw@4413 class="vnera.restapilayer.AuthRealmManager" thread="management-resource-exec-4" method="isSsoConfigured" line="1591"] Sso is not yet configured - _sso_customer_domain_id key not found in db
or
Caused by: com.nimbusds.oauth2.sdk.GeneralException: The returned issuer doesn't match the expected: https://xxx-xxxx.xxxxxx.local/acs/t/CUSTOMER/
    at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.resolve(OIDCProviderMetadata.java:1837) _[oauth2-oidc-sdk-11.10.1.jar:11.10.1]
    at com.vnera.restapilayer.sso.client.SsoClientImpl.getSsoMetadata(SsoClientImpl.java:512) _[restapilayer-0.001-SNAPSHOT.jar:_]
VCF Operations for Networks 9.0.2.0
The 'issuer' field in the VCF SSO configuration is not correct.
As the Support user on Platform node1, run the following to see which issuer is returned:
curl -k https://xxxxxxxxxxxxx/acs/t/CUSTOMER/.well-known/openid-configuration
Look at the 'issuer' field in the response and compare it with the URL entered in the VCF SSO configuration. The two must match exactly.
(This includes checking trailing slashes, casing, and scheme all match exactly between the two.)
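The comparison described above, as an added Python example (not code from the product or its vendor): it takes the discovery response body and the configured URL and reports which part fails the exact match. The function name `diagnose_issuer`, the host `sso.example.local` and the sample response are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a discovery response; sso.example.local is a placeholder host.
SAMPLE_DISCOVERY = '{"issuer": "https://sso.example.local/acs/t/CUSTOMER/"}'


def diagnose_issuer(configured, discovery_json):
    """Return why `configured` differs from the returned issuer ([] = exact match)."""
    returned = json.loads(discovery_json).get("issuer")
    if not isinstance(returned, str):
        return ["no 'issuer' string in discovery document"]
    if configured == returned:  # the check is a plain string comparison
        return []
    reasons = []
    # urlsplit() lowercases the scheme, so take it from the raw string instead.
    c_scheme, r_scheme = configured.partition("://")[0], returned.partition("://")[0]
    if c_scheme != r_scheme:
        same = c_scheme.lower() == r_scheme.lower()
        reasons.append("scheme casing differs" if same else "scheme differs")
    c, r = urlsplit(configured), urlsplit(returned)
    if c.netloc != r.netloc:
        same = c.netloc.lower() == r.netloc.lower()
        reasons.append("host casing differs" if same else "host or port differs")
    if c.path != r.path:
        if c.path.rstrip("/") == r.path.rstrip("/"):
            reasons.append("trailing slash differs")
        elif c.path.lower() == r.path.lower():
            reasons.append("path casing differs")
        else:
            reasons.append("path differs")
    return reasons or ["other difference (query, fragment or whitespace)"]


if __name__ == "__main__":
    for value in ("https://sso.example.local/acs/t/CUSTOMER/",
                  "https://sso.example.local/acs/t/CUSTOMER",
                  "http://SSO.example.local/acs/t/customer/"):
        print(value, "->", diagnose_issuer(value, SAMPLE_DISCOVERY) or "exact match")
```

To check a live node, pass the body returned by the curl command above as the second argument.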