Hi Guys,
I am trying to configure SSO into VCSA using a third-party IDP provider that supports OIDC. On the last step of the VCSA "Change Identity Provider" wizard I am getting the following error:
I'm at a bit of a loss on how to debug this error. What I know so far:
Any help to pull this over the finish line would be much appreciated.
Hi @leejohnc,
Thank you for the confirmation.
I was just confused because you marked the Azure OAuth 2.0 authorization endpoint (v1) URL as important in your description as well.
Did you encounter issues with how the group claim from Azure is named? When looking at the response from Azure, the claim for groups is named 'Groups'. When using ADFS, the documentation has you name the claim 'Group' without the 's'. I can get SSO working with ADFS but not with Azure, and as far as I can tell the name of the groups claim is why it's not working with Azure. The response from Azure AD has the groups, but vCenter ignores them, resulting in an error of "Unable to login because you do not have permission on any vCenter Server systems connected to this client." You can also see the constructed JWT with empty groups by tailing /var/log/vmware/sso/tokenservice.log when logging in. The groups are empty when configured to use Azure AD, and are properly parsed when using ADFS.
Hi @MRHOUSZ, yes this is true. You need to change the name of the claim to group (without "s") in the Azure AD App registration. You can do this directly in the manifest of the application:
    "oauth2RequirePostResponse": false,
    "optionalClaims": {
        "idToken": [
            {
                "name": "group",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "dns_domain_and_sam_account_name",
                    "emit_as_roles"
                ]
            }
        ],
        "accessToken": [
            {
                "name": "group",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "dns_domain_and_sam_account_name",
                    "emit_as_roles"
                ]
            }
        ],
        "saml2Token": [
            {
                "name": "group",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "dns_domain_and_sam_account_name",
                    "emit_as_roles"
                ]
            }
        ]
    },
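To check a token for the claim-name mismatch discussed above before touching the manifest, here is an added example (not from the thread or from VMware) that decodes a JWT payload and reports whether group membership is carried under the singular "group" claim vCenter reads or only under Azure's default "groups"/"Groups" name; the HS256 test tokens, secret and group values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# As described in the thread, vCenter reads group membership from a claim named
# "group" (singular); Azure AD emits "groups"/"Groups" by default, so those
# memberships are dropped and the JWT in tokenservice.log shows empty groups.
EXPECTED_GROUP_CLAIM = "group"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT for offline testing (not a real Azure token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_payload(token: str) -> dict:
    """Return the JWT payload without verifying the signature (diagnostics only)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_group_claim(token: str) -> dict:
    """Report the groups vCenter would see and, if empty, the likely reason."""
    payload = decode_payload(token)
    groups = payload.get(EXPECTED_GROUP_CLAIM, [])
    result = {"vcenter_groups": groups, "problem": None}
    misnamed = [k for k in payload if k.lower() == "groups"]
    if not groups and misnamed:
        result["problem"] = (f"groups present only under '{misnamed[0]}'; "
                             f"rename the optional claim to '{EXPECTED_GROUP_CLAIM}'")
    elif not groups:
        result["problem"] = "no group claim in token"
    return result


if __name__ == "__main__":
    secret = b"constructed-test-secret"  # constructed, demo only
    print(check_group_claim(make_test_token({"sub": "alice", "groups": ["vsphere-admins"]}, secret)))
    print(check_group_claim(make_test_token({"sub": "alice", "group": ["corp.local\\vsphere-admins"]}, secret)))
```

On a real appliance you would paste the token string seen in tokenservice.log into check_group_claim instead of a constructed one.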