Getting error "Could not create indirect identity provider" at the "Review/Finish" stage when trying to integrate Okta with vCenter

Article ID: 434142

Products

VMware vCenter Server

Issue/Introduction

  • When configuring Okta as an External Identity Provider in vCenter Server 7.x or 8.x, the setup wizard fails at the final "Review/Finish" step.

  • The vSphere Client displays the error: "Could not create indirect identity provider".

  • The integration cannot be saved or completed even though the values entered in the previous steps (Client Identifier, Shared Secret, and OpenID Address) are correct.

  • In /var/log/vmware/trustmanagement/trustmanagement-svcs.log on the vCenter Server, you see entries like the following (the expiration date is printed as a full date, time and year):

    [INFO] Token expiration date: <date> <time> <year>  is in the past.
    [INFO] Authentication failed
    java.lang.RuntimeException: Authentication data not found
    ...
    Caused by: com.vmware.vim.sso.client.exception.InvalidTimingException: Token expiration date: <date> <time> <year> is in the past.
            at com.vmware.identity.token.impl.SamlTokenImpl.validateWithinTokenLifePeriod(SamlTokenImpl.java:915) ~[samltoken-1.0.jar:?]
            at com.vmware.identity.token.impl.SamlTokenImpl.validate(SamlTokenImpl.java:573) ~[samltoken-1.0.jar:?]
            at com.vmware.vim.sso.client.DefaultTokenFactory.parseToken(DefaultTokenFactory.java:70) ~[samltoken-1.0.jar:?]
            at com.vmware.vapi.internal.cis.authn.json.JsonSignatureStruct.parseJsonSignatureStruct(JsonSignatureStruct.java:108) ~[vapi-authn-2.100.0.jar:?]
            at com.vmware.vapi.internal.cis.authn.json.JsonSignerImpl.verifySignature(JsonSignerImpl.java:103) ~[vapi-authn-2.100.0.jar:?]
            at com.vmware.vapi.cis.authn.json.JsonSignatureVerificationProcessor.validateSignature(JsonSignatureVerificationProcessor.java:179) ~[vapi-authn-2.100.0.jar:?]
            at com.vmware.vapi.cis.authn.json.JsonSignatureVerificationProcessor.process(JsonSignatureVerificationProcessor.java:134) ~[vapi-authn-2.100.0.jar:?]
            at com.vmware.vcenter.trustmanagement.vapi.impl.setup.RetryOnInvalidSignatureProcessor.process(RetryOnInvalidSignatureProcessor.java:56) ~[libservice.jar:?]
            at com.vmware.vapi.protocol.server.msg.json.JsonServerConnection.processRequest(JsonServerConnection.java:178) ~[vapi-runtime-2.100.0.jar:?]
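The following script is an added example for triaging this log, not VMware code. It reads trustmanagement-svcs.log lines that report a token expiration date in the past and measures how far past expiry each token was when it was rejected, which the log does not state directly. Assumptions: each log line begins with an ISO-8601 UTC timestamp (the article shows only the message portion), and the expiry is printed in java.util.Date.toString() form such as "Tue Mar 12 10:15:30 UTC 2024". The sample lines are constructed to mirror the entries quoted above.

```python
"""Measure the clock difference implied by 'Token expiration date ... is in the past'
entries in trustmanagement-svcs.log. Added example; line-prefix format is assumed."""
import re
import sys
from datetime import datetime, timezone

# Constructed sample, modelled on the entries quoted in the article.
SAMPLE_LOG = """\
2024-03-12T10:20:01.412Z [INFO] Token expiration date: Tue Mar 12 10:15:30 UTC 2024  is in the past.
2024-03-12T10:20:01.413Z [INFO] Authentication failed
2024-03-12T10:20:01.413Z java.lang.RuntimeException: Authentication data not found
2024-03-12T10:20:01.414Z Caused by: com.vmware.vim.sso.client.exception.InvalidTimingException: Token expiration date: Tue Mar 12 10:15:30 UTC 2024 is in the past.
"""

# Leading ISO timestamp (assumed), then the expiry in java.util.Date.toString() form.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z.*?"
    r"Token expiration date:\s+"
    r"(?P<exp>[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2} [A-Za-z]+ \d{4})"
    r"\s+is in the past"
)


def parse_log_time(text):
    """'2024-03-12T10:20:01' -> timezone-aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_java_date(text):
    """'Tue Mar 12 10:15:30 UTC 2024' -> aware UTC datetime (UTC/GMT zones only)."""
    parts = text.split()
    if parts[4] not in ("UTC", "GMT"):
        raise ValueError("unexpected time zone in expiry: %s" % parts[4])
    stripped = " ".join(parts[:4] + parts[5:])  # drop the zone token for strptime
    return datetime.strptime(stripped, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def expired_by(lines):
    """For each matching line return (log_time, expiry, seconds past expiry)."""
    results = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        when = parse_log_time(m.group("ts"))
        exp = parse_java_date(m.group("exp"))
        results.append((when, exp, (when - exp).total_seconds()))
    return results


def minimum_skew_seconds(lines):
    """Lower bound on the clock difference between issuer and validator.

    The validating clock was already this far past the token's expiry, so it is
    ahead of the issuing clock by at least this much plus whatever lifetime the
    token still had when it was issued. Returns 0.0 when no line matches."""
    values = [secs for _, _, secs in expired_by(lines)]
    return max(values) if values else 0.0


if __name__ == "__main__":
    # Pass a log path to analyse a real file; otherwise the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for when, exp, secs in expired_by(lines):
        print("%s rejected token expiring %s (%.0f s past expiry)"
              % (when.isoformat(), exp.isoformat(), secs))
    print("clock difference is at least %.0f s" % minimum_skew_seconds(lines))
```

Run it against the real file with `python3 skew_from_log.py /var/log/vmware/trustmanagement/trustmanagement-svcs.log`. Treat the reported value as a floor, not the exact skew: a token that is rejected the instant it arrives has already lost its entire lifetime to the clock difference.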

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

The issue is caused by time skew (clock drift) between the vCenter Server and the Okta Identity Provider (IdP).

The stack trace shows where the check fails: JsonSignatureVerificationProcessor validates the SAML token carried in the signature of the vAPI request to the trustmanagement service, and SamlTokenImpl.validateWithinTokenLifePeriod rejects it because the token's expiration timestamp is earlier than the current vCenter system time. A token whose expiry is behind the validating clock is treated as expired the moment it is received, so trustmanagement-svcs cannot verify the administrative signature required to finalize creation of the IdP object. Note that the log only reports that the expiry is in the past; if the token was freshly issued, the real clock difference is larger than the interval by which it had expired, by the lifetime the token should still have had.

Resolution

To resolve this issue, synchronize the time across all the participating components.

  1. Correct vCenter Server Time:

    • Log in to the vCenter Appliance Management Interface (VAMI) at https://<vCenter-IP>:5480.

    • Navigate to Time and ensure NTP is configured and the status is "Synchronized".

    • From the SSH shell, verify the current UTC time and compare it with a trusted reference clock:

      date -u

  2. Correct ESXi Host Time:

    • If the vCenter VM is configured to "Synchronize guest time with host," ensure the underlying ESXi host has accurate NTP settings.

    • In the vSphere Client, go to Host > Configure > System > Time Configuration.

  3. Validate Okta Side:

    • Okta is a hosted service, so its clock is not under your control; confirm which side is off by comparing the timestamps of the relevant events in the Okta System Log (the time the assertion was issued) with vCenter's clock at the same moment.

  4. Restart Security Token Service (STS):

    • Once the time is synchronized, restart the STS service to discard any cached tokens that were issued under the wrong time, using the command below.

      service-control --restart vmware-stsd

  5. Re-run the Wizard:

    • Delete the failed integration attempt in the vSphere Client and start the Okta configuration wizard again.
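To confirm steps 1 to 3 from the vCenter shell before re-running the wizard, the script below compares the appliance's UTC clock with the clock Okta reports in the HTTP Date header of any response from the org. It is an added example, not VMware or Okta code. Assumptions: the org URL is passed on the command line (https://example.okta.com is a placeholder), and MAX_SKEW_SECONDS is a tolerance chosen for this example, since the article does not state vCenter's own clock tolerance.

```python
"""Compare the local UTC clock with the Okta org's clock via the HTTP Date header.
Added example; the org URL and the tolerance are assumptions, not product values."""
import sys
import time
import urllib.error
import urllib.request
from datetime import timezone
from email.utils import parsedate_to_datetime

MAX_SKEW_SECONDS = 60  # assumed tolerance for this example


def skew_seconds(date_header, now_epoch):
    """Seconds by which our clock (now_epoch) is ahead of the server's Date header.

    Negative means our clock is behind. Date headers have one-second resolution,
    and the measurement includes the network round trip, so small values are noise."""
    remote = parsedate_to_datetime(date_header)
    if remote.tzinfo is None:  # a "-0000" zone parses as naive; treat it as UTC
        remote = remote.replace(tzinfo=timezone.utc)
    return now_epoch - remote.timestamp()


def check_skew(date_header, now_epoch, max_skew=MAX_SKEW_SECONDS):
    """Return (within_tolerance, skew_seconds)."""
    skew = skew_seconds(date_header, now_epoch)
    return abs(skew) <= max_skew, skew


def fetch_date_header(url):
    """HEAD the URL and return its Date header; a 4xx/5xx reply still carries one."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.headers["Date"]
    except urllib.error.HTTPError as err:
        return err.headers["Date"]


if __name__ == "__main__":
    org_url = sys.argv[1] if len(sys.argv) > 1 else "https://example.okta.com"  # placeholder
    header = fetch_date_header(org_url)
    ok, skew = check_skew(header, time.time())
    print("Okta Date header: %s" % header)
    print("local clock is %+.0f s relative to Okta (%s)"
          % (skew, "OK" if ok else "SKEW EXCEEDS TOLERANCE"))
    sys.exit(0 if ok else 1)
```

Run it as `python3 okta_clock_check.py https://<your-org>.okta.com` on the vCenter appliance after NTP reports synchronized; a non-zero exit means the appliance clock still disagrees with Okta by more than the tolerance. This is a confirmation step only; fixing the clock is still done through NTP as described above.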