This is usually a symptom of SAML not working properly between the Connection Servers and Workspace ONE Access.
Here are a few things to try (in order):
How to check the logs.
Check the Connection Server logs in C:\ProgramData\VMware\VDM\logs.
Look at the latest debug log and search for messages related to SAML.
On the WS1 Connector - C:\VMware\VMwareIdentityManager\Connector\opt\vmware\horizon\workspace\logs. Check connector.log
Has this ever worked or did this just stop working?
That would look like the SAML Authenticator is not defined properly on the Horizon Connection Server(s).
Looks like the error described in https://kb.vmware.com/s/article/2053290 and this page https://vdr.one/vmware-identity-manager-and-horizon-7-saml-expects-credentials-from-another-server/
When entering the SAML 2.0 Authenticator the only fields that need to be filled in are the Label and the Metadata URL. The Metadata URL should follow the format https://my.domain.com/SAAS/API/1.0/GET/metadata/idp.xml
Replace my.domain.com with the FQDN you set for WS1 Access.
Same issue here with no idea what will resolve this.
So far we have rebooted UAG, rebooted connection server, checked time sync between UAG and connection server without any difference in behavior.
No changes in our environment to cause this.
Copied metadata URL directly from SaaS workspace console only. It also matches the syntax shared by you. Tested on-prem version in the same infrastructure, works fine. Seems some SaaS certificate is missing. While I add the SaaS metadata URL to the connection server console, I need to manually trust the certificate. Do we need to open any outbound port from the connection server?