VCF Operations SSO Error: 'Failed to log in with VCF SSO service.'
Article ID: 442137

Updated On:

Products

VCF Operations

Issue/Introduction

When attempting to log in to VMware Cloud Foundation (VCF) Operations using VCF SSO, the login fails with the following error in the user interface: "Failed to log in with VCF SSO service."

Additional symptoms include:

The following error snippets are found in the access-control.log within the Identity Broker (vIDB) log bundle: 

com.vmware.vidm.accesscontrol.resource.auth.TokenResource - Failed during issuing token java.util.concurrent.CompletionException: java.util.concurrent.CompletionException: com.vmware.vidm.accesscontrol.exceptions.oauth2.UnauthorizedClientException: oauth2.authorization.credentials.invalid

com.vmware.vidm.accesscontrol.metrics.ExceptionMetricsPublisher - Exception published of type UnauthorizedClientException

Environment

VCF Operations 9.0.x

Cause

The issue is caused by a credential mismatch or stale OAuth2 client registration for the VCF Operations component within the VCF Identity Broker. The UnauthorizedClientException: oauth2.authorization.credentials.invalid indicates that the specific OAuth2 client ID or secret used by the Operations appliance is no longer recognized as valid by the identity provider.
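
To confirm that an extracted access-control.log shows this article's signature and not some other token failure, the check can be scripted. This is an added example, not VMware code; the timestamp/level/thread prefix and the second failure in the sample are constructed, and only the logger names and exception strings come from the snippets above.

```python
import re

# A record starts where a dotted logger class name is followed by " - ".
# Whatever precedes it (timestamp, level, thread) is not interpreted, because
# the exact vIDB log prefix layout is an assumption here.
RECORD_START = re.compile(r"(?:^|\s)((?:[a-z_]\w*\.)+[A-Z]\w*) - ")
SIGNATURE = ("UnauthorizedClientException", "oauth2.authorization.credentials.invalid")

def split_records(lines):
    """Group physical lines into (logger, text) records; wrapped lines join the record above."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        match = RECORD_START.search(line)
        if match:
            records.append([match.group(1), line])
        elif records and line.strip():
            records[-1][1] += " " + line.strip()
    return [(logger, text) for logger, text in records]

def classify_token_failures(lines):
    """Count token-issuance failures that match this article's signature and those that do not."""
    result = {"invalid_client_credentials": 0, "other_token_failures": 0}
    for logger, text in split_records(lines):
        if not logger.endswith(".TokenResource") or "Failed during issuing token" not in text:
            continue
        if all(marker in text for marker in SIGNATURE):
            result["invalid_client_credentials"] += 1
        else:
            result["other_token_failures"] += 1
    return result

# Constructed sample: one wrapped failure matching this article, the metrics
# line that follows it, and one unrelated token failure.
SAMPLE_LOG = """\
2025-01-01T10:00:00Z ERROR [t-1] com.vmware.vidm.accesscontrol.resource.auth.TokenResource - Failed during issuing token java.util.concurrent.CompletionException: java.util.concurrent.CompletionException:
com.vmware.vidm.accesscontrol.exceptions.oauth2.UnauthorizedClientException: oauth2.authorization.credentials.invalid
2025-01-01T10:00:00Z ERROR [t-1] com.vmware.vidm.accesscontrol.metrics.ExceptionMetricsPublisher - Exception published of type UnauthorizedClientException
2025-01-01T10:05:00Z ERROR [t-2] com.vmware.vidm.accesscontrol.resource.auth.TokenResource - Failed during issuing token java.lang.IllegalStateException: constructed unrelated failure
"""

if __name__ == "__main__":
    print(classify_token_failures(SAMPLE_LOG.splitlines()))
```

A non-zero invalid_client_credentials count points to the stale client registration described here; failures counted only under other_token_failures have a different cause.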

Resolution

To resolve this issue, the VCF SSO registration for the Operations component must be refreshed. Follow these steps:

  1. Log in to the VCF Operations interface with administrative privileges.
  2. Navigate to Fleet Management > Identity & Access > VCF Management > Operations Appliance.
  3. Click Edit and review the warning message on the popup.
  4. Toggle VCF SSO Enabled to the off position.
  5. Click Continue and wait for the configuration to complete.
  6. Reconfigure SSO for the Operations component and select the existing Identity Broker from the dropdown menu.
  7. Navigate to Administration > Control Panel > Access Control > User Groups.
  8. Import the required SSO group(s).
  9. Assign the appropriate role and object scope to the newly imported SSO group(s).
  10. Attempt to log in to the VCF Operations URL using VCF SSO to verify the fix.

Additional Information

How to Reset SSO in VCF 9.0

Login to VCF Operations using SSO fails with "Failed to log in with VCF SSO service. JWT token is expired."