SSO Configuration Fails for VCF Automation Appliance with error "Failed to create auth source for management component VCF_AUTOMATION"
Article ID: 437487

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • From VCF Operations > Fleet Management > Identity & Access > VCF Management > Automation Appliance, attempting to configure SSO for the VCF Automation Appliance fails, and the process returns the following error: "Failed to create auth source for management component VCF_AUTOMATION."



  • Checking /storage/log/vcops/log/vcops-bridge.log in VCF Operations shows the following entries:

    ERROR vcfops-bridge 2971190 [ops@4413 threadId="1330" threadName="ServerConnection on port 10000 Thread 8"] [com.vmware.vcops.bridge.server.vidb.api.impl.authsource.ManagementComponentConfigurator.handleCreation] - Exception while configuring auth source for component: VCF_AUTOMATION
    org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request: "{"minorErrorCode":"VCD_50259","message":"A non-vIDB OIDC IDP has already been configured for System org","stackTrace":"com.vmware.vcloud.api.rest.toolkit.exceptions.BadRequestRestApiException: A non-vIDB OIDC IDP has already been configured for System org\n\tat com.vmware.vcloud.api.rest.openapi.impl.vcf.vidb.VidbRegistrationApiHandler.validateNoExistingNonVidbOidcSettings(VidbRegistrationApiHandler.java:160)\n\tat com.vmware.vcloud.api.rest.openapi.impl.vcf.vidb.VidbRegistrationApiHandler.configureVidbIntegration(VidbRegistrationApiHandler.java:104)\n\tat java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tat java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\n\tat java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:566)\n\tat org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)\n\tat org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(R
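Added example (not from the article or the product): a small Python triage helper that scans vcops-bridge.log text for this failure and pulls out the affected component together with the HTTP status, vCD minorErrorCode and message embedded in the 400 response, then maps VCD_50259 to the remediation in the Resolution section. The embedded log sample is a constructed, shortened version of the entries above; the function and record names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the vcops-bridge.log excerpt in this article (stack trace shortened).
SAMPLE_LOG = """ERROR vcfops-bridge 2971190 [ops@4413 threadId="1330" threadName="ServerConnection on port 10000 Thread 8"] [com.vmware.vcops.bridge.server.vidb.api.impl.authsource.ManagementComponentConfigurator.handleCreation] - Exception while configuring auth source for component: VCF_AUTOMATION
org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request: "{"minorErrorCode":"VCD_50259","message":"A non-vIDB OIDC IDP has already been configured for System org","stackTrace":"com.vmware.vcloud.api.rest.toolkit.exceptions.BadRequestRestApiException: ..."""

COMPONENT_RE = re.compile(r"Exception while configuring auth source for component: (\w+)")
HTTP_RE = re.compile(r"HttpClientErrorException\$\w+: (\d{3}) ")
MINOR_RE = re.compile(r'"minorErrorCode":"([^"]+)"')
MESSAGE_RE = re.compile(r'"message":"([^"]*)"')

# vCD minor error codes this article documents, with the remediation it gives.
KNOWN_CODES = {
    "VCD_50259": "A non-vIDB OIDC IDP exists on the System org: remove it in the VCFA "
                 "Provider Portal (Administration -> Identity Provider), then retry SSO setup.",
}

@dataclass
class AuthSourceFailure:
    component: str
    http_status: Optional[int] = None
    minor_code: Optional[str] = None
    message: Optional[str] = None

def scan_bridge_log(text: str) -> list:
    """One record per 'Exception while configuring auth source' event, enriched from the exception lines after it."""
    failures = []
    for line in text.splitlines():
        m = COMPONENT_RE.search(line)
        if m:
            failures.append(AuthSourceFailure(component=m.group(1)))
            continue
        if not failures:
            continue  # exception text before any recognised event; nothing to attach it to
        cur = failures[-1]
        if cur.http_status is None and (h := HTTP_RE.search(line)):
            cur.http_status = int(h.group(1))
        if cur.minor_code is None and (c := MINOR_RE.search(line)):
            cur.minor_code = c.group(1)
        if cur.message is None and (msg := MESSAGE_RE.search(line)):
            cur.message = msg.group(1)
    return failures

def remediation(f: AuthSourceFailure) -> str:
    return KNOWN_CODES.get(f.minor_code or "", "Unrecognised error code; inspect the full exception.")
```

Run it against the real log with `scan_bridge_log(open("/storage/log/vcops/log/vcops-bridge.log").read())`; the `minorErrorCode` field is the reliable key, since the stack trace is often truncated in the log.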

Environment

VCF Automation 9.0

VCF Identity Broker 9.0

VCF Operations 9.0 

Cause

VCF 9.0 (Operations and Automation) enforces a single identity provider mapping for the System organization. If a non-vIDB OIDC identity provider is already configured for the System org in the VCF Automation Provider Portal, the VCF Identity Broker (vIDB) registration attempted by VCF Operations is rejected with error VCD_50259, as shown in the log above. Tenant-specific OIDC identity providers must be mapped directly to the target tenant organization, not to the System org, to avoid this conflict.

Resolution

  • Log in to the VCFA Provider Portal, go to Administration -> Identity Provider and check whether an OIDC identity provider is already configured. If it is, delete the OIDC configuration.

    Note: Deleting the OIDC configuration removes access for the users who authenticate through it, and their existing privileges are lost. This is acceptable during initial setup, but if SSO is being configured after the solution has been in use for some time, inform the customer about the loss of privileges before proceeding.

  • Configure SSO for the VCF Automation Appliance through VCF Operations again.