VMware Cloud Community
frostyk
Enthusiast

SSO group import not pulling group members

I've deployed vROM 6.4, configured vCenter SSO (SSO SAML) as an authentication source, and imported a security group from my AD domain via that identity source. That vCenter SSO is joined to the domain, so I have no problem importing domain groups. Under Access Control -> Groups I can see the AD domain security group there and I have given it permissions. However, under the Members column it says 0. When a user who is a member of that imported group tries to log in they get "Failed to log on with single-sign-on service. The user XXXX is not a member of any SSO group or other imported groups". I can say with certainty that these users are members of the AD security group I have imported into vROM via SSO SAML.

When I add a group from the vsphere.local domain, that imports fine, shows as 0 members at first, and then if I log in as a local SSO user it works and the member count goes up to 1. So groups imported from local SSO work fine, but not from the AD domain. Users that log into vCenter using the same AD credentials are fine and are granted the permissions that their group membership entails.

Am I missing something here? Do I need to do something else other than import the AD group from SSO and give it permissions?

myxyz123
Contributor

Hello,

I have the same issue and found a workaround:

1. In vCenter SSO/Users and Groups I create a new (local domain) group

2. In this group I add my AD security group

3. In vROPS I import this SSO local domain group (not the AD group).

This is annoying but it works...
