VCF Operations OIDC configuration failure: Duplicate SSO and Active Directory Domain Names
Article ID: 440585

Products

VCF Operations

Issue/Introduction

When attempting to configure OpenID Connect (OIDC) in VCF Operations, the setup fails with the following symptoms:

  • During the initial setup of Just-In-Time (JIT) provisioning, the VCF-SSO source under Administration > Control Panel > Access Control > Import from source cannot be located when attempting to add the required group memberships.

  • When configuring group pre-provisioning under Administration > Control Panel > Access Control > Import from source, the system displays 0 members after the group is added.

  • It is observed that the vCenter local SSO domain name and the Active Directory (AD) domain name are identical (e.g., both are example.local).

  • Although the OIDC identity provider is successfully configured, VCF Operations authentication fails because of the domain naming conflict.

Environment

VMware Cloud Foundation (VCF) 9.x
vCenter 9.x

Cause

The configuration fails because the vCenter Single Sign-On (SSO) domain name is identical to the Active Directory (AD) domain name.

The identity source name must be strictly unique. If the vCenter SSO domain matches the AD domain being used for identity integration, the system cannot distinguish between the local SSO and the external directory, leading to failed member discovery and authentication errors.

Resolution

To resolve this conflict and complete the OIDC configuration, the vCenter local SSO domain name must be unique. Choose one of the following two options:

  1. Redeploy the vCenter
    • Redeploy the vCenter using an SSO domain name that is different from the Active Directory domain.
  2. Perform a Domain Repoint
    • Change the existing vCenter SSO domain name to a different, unique SSO domain using the cmsso-util utility.
    • Prerequisites and Warnings:
      • DNS: Ensure the vCenter has valid forward and reverse DNS entries to support the change before attempting the repoint.

      • Snapshots: Take a non-memory snapshot of the vCenter.

      • Dependencies: Review the environment for any products with dependencies on the existing SSO domain. Other products may require reconfiguration or redeployment if the SSO domain is changed.

      • Reference document: Repointing vCenter Server to another SSO Domain

    • Steps to Repoint the Domain
      • SSH to the vCenter and login with root credentials.

      • Check the current local SSO domain name to confirm the conflict:
        /usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost

      • Execute the following command to change the SSO domain (replace new-sso-domain.local with the unique destination domain name):
        cmsso-util domain-repoint -m execute --src-emb-admin Administrator --dest-domain-name new-sso-domain.local
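The following pre-flight script is an added example and is not part of the KB article or a VMware tool. It encodes the uniqueness rule from the Cause section as a check a practitioner can run before the repoint: it reads the current SSO domain with the vmafd-cli command quoted above, compares it case-insensitively against the AD domain passed as the first argument, and validates the proposed destination domain (second argument) before printing the cmsso-util command from the article. It assumes it is run as root on the vCenter appliance; the function names, the argument layout and the DNS-label syntax check are assumptions of this example. It prints the repoint command rather than executing it.

```shell
#!/bin/sh
# Added example (not from the KB): pre-flight check for the SSO/AD domain conflict.
# Usage on the appliance:  sh sso-precheck.sh <ad-domain> <new-sso-domain>
# Assumption: vmafd-cli lives at the path the article cites.
VMAFD_CLI=/usr/lib/vmware-vmafd/bin/vmafd-cli

# normalize_domain NAME: lowercase and strip a trailing dot so that
# "EXAMPLE.LOCAL." and "example.local" are treated as the same domain.
normalize_domain() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# sso_ad_conflict SSO_DOMAIN AD_DOMAIN: returns 0 (true) when the vCenter SSO
# domain and the AD domain are the same name, i.e. the condition in the KB.
sso_ad_conflict() {
    [ "$(normalize_domain "$1")" = "$(normalize_domain "$2")" ]
}

# valid_dns_name NAME: at least two labels, each 1-63 chars of letters, digits
# or hyphens, not starting or ending with a hyphen (assumed syntax check).
valid_dns_name() {
    normalize_domain "$1" | grep -Eq \
        '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# repoint_target_ok CURRENT_SSO AD_DOMAIN NEW_SSO: returns 0 when NEW_SSO is a
# syntactically valid domain that differs from both the AD domain and the
# current SSO domain, so the repoint actually removes the conflict.
repoint_target_ok() {
    cur=$1; ad=$2; new=$3
    valid_dns_name "$new" || { echo "invalid domain name: $new" >&2; return 1; }
    if sso_ad_conflict "$new" "$ad"; then
        echo "destination $new still matches the AD domain $ad" >&2; return 1
    fi
    if sso_ad_conflict "$new" "$cur"; then
        echo "destination $new is the current SSO domain; nothing would change" >&2; return 1
    fi
    return 0
}

# main AD_DOMAIN NEW_SSO: read the live SSO domain, evaluate, print the
# cmsso-util command from the article (does not execute it).
main() {
    ad=$1; new=$2
    if [ ! -x "$VMAFD_CLI" ]; then
        echo "$VMAFD_CLI not found; run this on the vCenter appliance" >&2
        return 2
    fi
    cur=$("$VMAFD_CLI" get-domain-name --server-name localhost) || return 2
    echo "current SSO domain: $cur"
    if ! sso_ad_conflict "$cur" "$ad"; then
        echo "no conflict: SSO domain differs from AD domain $ad"
        return 0
    fi
    echo "CONFLICT: SSO domain equals AD domain $ad"
    repoint_target_ok "$cur" "$ad" "$new" || return 1
    echo "after DNS check, snapshot and dependency review, run:"
    echo "  cmsso-util domain-repoint -m execute --src-emb-admin Administrator --dest-domain-name $new"
}

# Only run the live check when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

The functions are pure string checks, so they can be exercised off-box; only `main` touches vmafd-cli. The script deliberately stops at printing the cmsso-util line because the repoint is irreversible without the snapshot the KB asks for.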

Additional Information

Reference document: vCenter can't join Active Directory domain using the same domain name as vCenter Single Sign-On (SSO)