VCF Automation Single Sign-On fails with "Your single sign on attempt failed" during OIDC login when configured with VIDM 3.3.7
Article ID: 438894

Products

VCF Automation

Issue/Introduction

When attempting to log in to the VMware Cloud Foundation (VCF) Automation VM Apps organization via OpenID Connect (OIDC), the login fails with the error "Your single sign-on attempt failed".

The following stack trace is observed in the Tenant Manager logs (/services-logs/tenant-manager-0/file-logs/vcloud-container-debug.log):

YYYY-MM-TT HH:MM:SS,653 | DEBUG    | pool-jetty-375672         | OAuthFilter                    | Could not obtain access token | requestId=###################,request=GET https://<VIDM_FQDN>/login/oauth,requestTime=########,remoteAddress=##.##.##.##:45000,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/avif image/webp image/apng */*;q 0.8 application/signed-exchange;...,Host=<VIDM_FQDN>
org.springframework.security.oauth2.core.OAuth2AuthorizationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for "https://<VIDM_FQDN>/SAAS/auth/oauthtoken": certificate_unknown(46); nested exception is org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
        at org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient.getResponse(DefaultAuthorizationCodeTokenResponseClient.java:98)
....
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://<VIDM_FQDN>/SAAS/auth/oauthtoken": certificate_unknown(46); nested exception is org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:791)
.....
Caused by: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
        at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.checkServerTrusted(ProvSSLSocketDirect.java:135)
........
Caused by: java.security.cert.CertificateException: Unable to construct a valid chain
        at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:317)
..........
Caused by: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
        at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi_8.engineBuild(Unknown Source)

Environment

VCF Automation 9.x

VMware Identity Manager 3.3.7

Cause

The Tenant Manager does not trust the VMware Workspace ONE Access (vIDM) TLS certificate chain. The final cause in the stack trace, "No issuer certificate for certificate in certification path found", shows that the Tenant Manager could not build a path from the vIDM server certificate to any certificate in its trust store. This typically occurs when OIDC is configured via the API, which bypasses the certificate trust prompt that the graphical user interface enforces during setup.
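As an added illustration that is not part of this article, the following shell script reproduces the chain-building failure with a constructed root / issuing CA / server chain and includes the openssl check an operator can run against their own vIDM host. It assumes only the openssl CLI; vidm.example.invalid, the CA names and the file names are constructed, and <VIDM_FQDN> is the placeholder from the log above.

```shell
# Added example, not from the KB: reproduce the chain-building failure behind
# "No issuer certificate for certificate in certification path found" with a
# constructed root -> issuing CA -> vIDM leaf chain, plus the live operator check.
set -e
# Build the constructed three-tier chain in a scratch directory; print its path.
make_chain() {
  d=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$d/issuing.key" -out "$d/issuing.csr" 2>/dev/null
  openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/issuing.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vidm.example.invalid" \
    -keyout "$d/vidm.key" -out "$d/vidm.csr" 2>/dev/null
  openssl x509 -req -in "$d/vidm.csr" -CA "$d/issuing.pem" -CAkey "$d/issuing.key" \
    -CAcreateserial -days 1 -out "$d/vidm.pem" 2>/dev/null
  echo "$d"
}

# verify_leaf TRUSTED LEAF [UNTRUSTED]: 0 if a chain from LEAF to an anchor in TRUSTED
# can be built, using UNTRUSTED (if given) as the intermediate a server may or may not send.
verify_leaf() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 | grep -q ': OK'
  else
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK'
  fi
}

# chain_error TRUSTED LEAF: openssl's reason when no chain can be built.
chain_error() {
  openssl verify -CAfile "$1" "$2" 2>&1 | sed -n 's/.*depth lookup: *//p' | head -n 1
}

# Live check (needs network; not part of the constructed demo): the chain the
# vIDM host presents for /SAAS/auth/oauthtoken and openssl's own verify result.
show_vidm_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    grep -E ' s:| i:|Verify return code'
}

# Demo: the leaf verifies only when its issuing CA is available to the verifier.
dir=$(make_chain)
verify_leaf "$dir/root.pem" "$dir/vidm.pem" "$dir/issuing.pem" && echo "with issuing CA: OK"
verify_leaf "$dir/root.pem" "$dir/vidm.pem" || \
  echo "without issuing CA: $(chain_error "$dir/root.pem" "$dir/vidm.pem")"
```

Run show_vidm_chain <VIDM_FQDN> against the real host: if the issuing CA is missing from the presented chain, or the root is not in the Tenant Manager's trust store, the UI trust step in the Resolution below is what adds it.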

Resolution

To resolve this issue, manually trust the vIDM certificate through the VCF Automation UI:

  1. Log in to the VM Apps Organization with administrative privileges.

  2. Navigate to Infrastructure > Administration > Identity Providers > OIDC.

  3. Select the configured OIDC provider and click Edit.

  4. Proceed by clicking Next.

  5. When the certificate validation dialog appears, review the certificate details and click Trust (or Accept).

  6. Finish the wizard to save the configuration.

  7. Verify that single sign-on attempts are now successful.