VMware Cloud Community
Ales
Contributor

VROPS and vSphere SSO.

I have the following versions:
vCenter Server: 6.0 Update1 (Build 3018523), Linux VM Appliance
vRealize Operations Manager: 6.2 (Build 3445568), VM Appliance

I added SSO (from the PSC) to vROPS as an "Authentication Source". In "Access Control" I imported a group from SSO.
I tried to log in to vROPS using the SSO account. I get the error "Failed to log in with Single Sign-On service".
The security ticket is correct. After an unsuccessful login to vROPS, I then connect to the "Web Client" without entering user credentials.

Why am I not able to log in to vROPS with an account from SSO?

Thanks

0 Kudos
2 Replies
Ales
Contributor

I found the following in web-1.log:

2016-02-24 12:11:29,704 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.vcops.sso2.web.SsoValidationState.validate - Validating SAMLResponse..
2016-02-24 12:11:29,733 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.identity.websso.client.ValidationState.validateDestination - Validating request destination: HttpservletRequest destination=https://srv304vdi.dom01.poj/ui/SsoClient/SSO/vc-ops-cluster-ss_df4592ff-d034-447e-ba55-322d6c29ae1fS... message destination=https://srv304vdi.dom01.poj/ui/SsoClient/SSO/vc-ops-cluster-ss_df4592ff-d034-447e-ba55-322d6c29ae1f
2016-02-24 12:11:29,733 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.vcops.sso2.web.SsoValidationState.validateAssertion - Validating assertion..
2016-02-24 12:11:29,734 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.identity.websso.client.SamlUtils.validateRequestSignature - Verifying SAML message signature..
2016-02-24 12:11:29,734 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.vcops.sso2.web.SsoValidationState.parseAssertion - Parsing assertion..
2016-02-24 12:11:29,742 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.identity.websso.client.SamlUtils.ValidateConditions - Validate assertion condition with clock tolerance = 600
2016-02-24 12:11:29,742 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.vcops.sso2.web.SsoValidationState.parseAssertion - NameID: Administrator@VSPHERE.CSOBP
2016-02-24 12:11:29,742 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.vcops.sso2.web.SsoValidationState.parseAssertion - NameIDFormat: http://schemas.xmlsoap.org/claims/UPN
2016-02-24 12:11:29,743 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.vcops.sso2.web.SsoValidationState.validateAssertion - Successfully validated SSO Assertion
2016-02-24 12:11:29,743 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.vcops.sso2.web.SsoValidationState.validate - Successfully validated received SAMLResponse
2016-02-24 12:11:29,755 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.identity.token.impl.SamlTokenImpl.<init> - SAML token for SubjectNameId [value=Administrator@VSPHERE.CSOBP, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
2016-02-24 12:11:29,763 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.identity.token.impl.X509TrustChainKeySelector.verifyTrustedPathExists - Failed to find trusted path to signing certificate <CN=ssoserverSign>
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
....
        ....
2016-02-24 12:11:29,763 ERROR [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.identity.token.impl.SamlTokenImpl.validateSignature - Signature validation failed
javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
....
        ....
2016-02-24 12:11:29,764 ERROR [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.vcops.sso2.web.WebSSOUtil.getBearerToken - Found error in getBearerToken: com.vmware.vim.sso.client.exception.MalformedTokenException: Signature validation failed
        ....
        ....
Caused by: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
....
        ....
2016-02-24 12:11:29,765 ERROR [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.vcops.ui.action.LoginAction.proceedSSOLogin - java.lang.NullPointerException
....
....

2016-02-24 12:11:29,765 ERROR [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.vcops.ui.util.MainPortalFilter.doFilter - Could not authenticate with SAML Token
2016-02-24 12:11:45,360 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.vcops.bridge.client.DataRetrieverClient.execute - Function: getUserData return value is not type of ResultBase and will be skipped

Ales ! ! ! !

0 Kudos
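A triage sketch for the web-1.log excerpt above, as an added example that is not part of the original thread or of any VMware tooling: it pairs each "Could not authenticate with SAML Token" failure with the signing-certificate subject that the trust-chain check rejected on the same request thread. The sample lines are constructed from the excerpt's format (the last one is invented to show a thread with no failure), and the cause labels are this example's own names.

```python
import re

# Constructed sample in the format of the web-1.log excerpt (abridged).
SAMPLE_LOG = """\
2016-02-24 12:11:29,743 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.vcops.sso2.web.SsoValidationState.validate - Successfully validated received SAMLResponse
2016-02-24 12:11:29,763 INFO [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.identity.token.impl.X509TrustChainKeySelector.verifyTrustedPathExists - Failed to find trusted path to signing certificate <CN=ssoserverSign>
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2016-02-24 12:11:29,763 ERROR [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.identity.token.impl.SamlTokenImpl.validateSignature - Signature validation failed
2016-02-24 12:11:29,765 ERROR [ajp-bio-127.0.0.1-8009-exec-45] com.vmware.vcops.ui.util.MainPortalFilter.doFilter - Could not authenticate with SAML Token
2016-02-24 12:20:01,100 INFO [ajp-bio-127.0.0.1-8009-exec-7] com.vmware.vcops.sso2.web.SsoValidationState.validate - Successfully validated received SAMLResponse
"""

# timestamp, level, [thread], logger, " - ", message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ (\w+) +\[([^\]]+)\] \S+ - (.*)$")
UNTRUSTED = re.compile(r"Failed to find trusted path to signing certificate <([^>]+)>")


def triage(log_text):
    """Return one finding per failed SSO login, naming the stage that failed."""
    state, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # stack-trace and "...." lines carry no timestamp
        ts, level, thread, msg = m.groups()
        s = state.setdefault(thread, {"saml_ok": False, "signer": None, "sig_failed": False})
        if "Successfully validated received SAMLResponse" in msg:
            s.update(saml_ok=True, signer=None, sig_failed=False)  # new attempt
        elif (u := UNTRUSTED.search(msg)):
            s["signer"] = u.group(1)  # subject of the certificate with no trust path
        elif level == "ERROR" and "Signature validation failed" in msg:
            s["sig_failed"] = True
        elif "Could not authenticate with SAML Token" in msg:
            if s["signer"]:
                cause = "untrusted_signing_certificate"
            elif s["sig_failed"]:
                cause = "token_signature_invalid"
            else:
                cause = "other"
            findings.append({"time": ts, "thread": thread, "cause": cause,
                             "signer": s["signer"], "saml_response_ok": s["saml_ok"]})
            state.pop(thread)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with `saml_response_ok` true and cause `untrusted_signing_certificate` means the SAML response passed its own checks and the login failed later, when no trusted path to the token's signing certificate was found.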
lannguyen
VMware Employee

Did you try to import the User individually? Here are the steps for setting up SSO and importing a User.

http://www.vmignite.com/2016/03/vrops-6-2-how-to-import-users-from-vcenter-sso/

Personal blog VMignite.com
0 Kudos