Login to VC and check if all vAPP vms and View Broker Vms show that they are syncing guest time with host.
VM>Settings>Options>VMware Tools> synchronize guest time with host.
This should take care oftime drifts.
Did you enable SAML authentication on View connection server?
If so, you may need to do sync the pools again from connector.
https://<connector hostname>/hc/admin/
I'm having the same problem. Unable to launch the View desktop. Please contact your Administrator for help (Invalid SAML credentials).
I removed the SAML authentication settings from Horizon View. Added it back in. I sync'd the pools up and still receive the same error.
Check following :
1. If View Dashboard is showing "Green" for SAML authenticator you added
2. In Horizon Connector, FQDN for client access is pointing correctly to View server where SAL auth is set. If FQDN is load balancer for all View Servers, ensure all View servers are cofigured to this SAML authenticator
It's showing green on the dashboard. I don't have a load balancer and the URL is set using the FQDN to the view servers.
Can you check View Log to see what it's complaining about?
Also ensure that there is no time lag between View and Horizon.
You can check Horizon vApp current time and relative drift information from :
https://Configurator FQDN/cfg/system
The time is within 30 seconds from the vApp and the connection brokers. The error that was logged on the connection broker is: SAML access denied because of invalid assertion/artifact.
Is there any other error informarion in View log. Look for pattern "Assertion XXX is not valid before …” OR “Assertion XXX is no longer valid. …”
OR “… Too late by x milliseconds ...
If you find above pattern, it means 30 seconds drift is cause of the issue.
if you dont find this patterm, check connector.log and provide error information
Unbelievable... it was due to time issues:
DEBUG (0B14-0CD4) <TP-Processor1> [SamlAuthFilter] (SESSION:a35e_***_dadd) Problem determining UPN from SAML Auth: com.vmware.vdi.broker.filters.SamlAuthFilter.a(SourceFile:269)
com.vmware.vdi.common.saml.SamlException: Assertion _0b03ef16869b9cf709346dcb358b856b is not valid before 2013-04-04T00:56:48.737Z. Too early by 12401 milliseconds (including 15000 ms leeway)
It works now. I just want to point out that the time was off by 12.4 seconds. I see this happening again.
Is Horizon and View syncing time from same NTP server? Difference in time can lead to rejection of SAML
The DC's and ESX hosts all use the same ntp server.
Login to VC and check if all vAPP vms and View Broker Vms show that they are syncing guest time with host.
VM>Settings>Options>VMware Tools> synchronize guest time with host.
This should take care oftime drifts.
The time was slightly off on all ESX hosts, a simple synch with the NTP server fixed the issue.
This applicaiton is very sensitive to having the correct time on all the servers.