VMware Cloud Community
DroboDeveloper
Contributor

Getting java.io.IOException: HTTP response code: 526 when configuring OIDC SSO in VCSA

Hi Guys,

I am trying to configure SSO into VCSA using a third-party IDP provider that supports OIDC. On the last step of the VCSA "Change Identity Provider" wizard I am getting the following error:

[screenshot: DroboDeveloper_1-1623073740181.png]

I'm at a bit of a loss on how to debug this error. What I know so far:

  1. The IDP has a cert signed by a publicly trusted Certificate Authority.
  2. The OIDC settings are all configured correctly.
  3. The LDAP settings are all configured correctly.
  4. The VCSA is net-new. No other Identity Sources configured other than the default System Domain.
  5. VCSA v7.0.2.00100

Any help to pull this over the finish line would be much appreciated.

22 Replies
omifreak
Contributor

Hi @leejohnc 

thank you for the confirmation. 
I was just confused because you marked the Azure OAuth 2.0 authorization endpoint (v1) URL as important in your description as well.

MRHOUSZ
Contributor

Did you encounter issues with how the group claim from Azure is named? When looking at the response from Azure, the claim for groups is named 'Groups'. When using ADFS, the documentation has you name the claim 'Group' without the 's'. I can get SSO working with ADFS but not with Azure, and as far as I can tell the name of the groups claim is why it's not working with Azure. The response from Azure AD has the groups but vCenter ignores them, resulting in an error of "Unable to login because you do not have permission on any vCenter Server systems connected to this client." You can also see the constructed JWT with empty groups by tailing /var/log/vmware/sso/tokenservice.log when logging in. The groups are empty when configured to use Azure AD, and are properly parsed when using ADFS.

omifreak
Contributor

Hi @MRHOUSZ, yes this is true. You need to change the name of the claim to group (without "s") in the Azure AD App registration. You can do this directly in the manifest of the application:

	"oauth2RequirePostResponse": false,
	"optionalClaims": {
		"idToken": [
			{
				"name": "group",
				"source": null,
				"essential": false,
				"additionalProperties": [
					"dns_domain_and_sam_account_name",
					"emit_as_roles"
				]
			}
		],
		"accessToken": [
			{
				"name": "group",
				"source": null,
				"essential": false,
				"additionalProperties": [
					"dns_domain_and_sam_account_name",
					"emit_as_roles"
				]
			}
		],
		"saml2Token": [
			{
				"name": "group",
				"source": null,
				"essential": false,
				"additionalProperties": [
					"dns_domain_and_sam_account_name",
					"emit_as_roles"
				]
			}
		]
	},

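An added diagnostic for the claim-name mismatch discussed in the two replies above (example code written for this page, not VMware's, omifreak's or MRHOUSZ's). It decodes the payload of the id_token your IdP returns without verifying the signature, lists which candidate group claims are actually present (matched case-insensitively, reporting the exact key), and checks an Azure app-manifest fragment for the token types that still do not emit "group". The candidate claim names, the sample tokens, and the manifest fragment are constructed assumptions; vCenter's own parsing rules are not reproduced here.

```python
import base64
import json

# Claim names an IdP might use for group membership. The thread reports that the
# VMware docs have ADFS emit "group" while Azure AD emits "Groups"/"groups" by
# default, and that only the former was picked up. This candidate list (matched
# case-insensitively) is an assumption of the diagnostic, not vCenter's parser.
GROUP_CLAIM_CANDIDATES = ("group", "groups", "roles")

# Constructed sample claim sets; tenant id, user and group names are made up.
AZURE_STYLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "preferred_username": "alice@example.com",
    "Groups": ["vsphere-admins", "vsphere-readonly"],
}
ADFS_STYLE_CLAIMS = {
    "iss": "https://adfs.example.com/adfs",
    "upn": "alice@example.com",
    "group": ["EXAMPLE\\vsphere-admins"],
}

# Constructed manifest fragment in the shape posted above, with saml2Token
# deliberately left empty so the check has something to report.
_GROUP_ENTRY = {"name": "group", "source": None, "essential": False,
                "additionalProperties": ["dns_domain_and_sam_account_name", "emit_as_roles"]}
SAMPLE_MANIFEST = {
    "optionalClaims": {
        "idToken": [dict(_GROUP_ENTRY)],
        "accessToken": [dict(_GROUP_ENTRY)],
        "saml2Token": [],
    }
}


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Build a constructed alg=none JWT (empty signature) for offline inspection only."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


def decode_jwt_payload(token):
    """Return the claims of a compact JWT WITHOUT verifying the signature.

    Use only to see what the IdP emitted; never accept a token on this basis.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def find_group_claims(claims):
    """Map each candidate group claim present (exact key as emitted) to its values."""
    found = {}
    for key, value in claims.items():
        if key.lower() in GROUP_CLAIM_CANDIDATES:
            found[key] = list(value) if isinstance(value, list) else [value]
    return found


def token_has_claim(token, expected="group"):
    """True if the token carries membership under exactly the claim name `expected`."""
    return expected in find_group_claims(decode_jwt_payload(token))


def manifest_token_types_missing_claim(manifest, claim="group",
                                       token_types=("idToken", "accessToken", "saml2Token")):
    """Return the optionalClaims token types that do not list `claim` by name."""
    optional = manifest.get("optionalClaims", {})
    missing = []
    for token_type in token_types:
        names = {entry.get("name") for entry in optional.get(token_type, [])}
        if claim not in names:
            missing.append(token_type)
    return missing


if __name__ == "__main__":
    for label, claims in (("Azure AD style", AZURE_STYLE_CLAIMS), ("ADFS style", ADFS_STYLE_CLAIMS)):
        token = make_unsigned_token(claims)
        print(label, "->", find_group_claims(decode_jwt_payload(token)),
              "| has 'group':", token_has_claim(token))
    print("manifest token types missing 'group':",
          manifest_token_types_missing_claim(SAMPLE_MANIFEST))
```

To use it against a real login, paste the id_token string the IdP returned into `decode_jwt_payload` and compare the keys it reports with the claim name vCenter is configured to read; the signature is ignored here on purpose, so this must stay a debugging aid and never become part of an authentication path.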