
vCAC 6.1 SSO configuration gotcha


This drives me crazy. An FQDN is not case-sensitive. SERVER.DOMAIN.TLD is the same as sERvEr.dOMaIn.tlD. VMware has significantly expanded the server certificate authenticity checking in version 6.1. When you configure the SSO settings in the VAMI, it not only connects and validates the certificate, but also checks the host name against the SAML ticket. In general, more security and validation is a good thing, but in this case the code requires that the hostname you entered is exactly the value in the SAML ticket. If the spelling and case of the name do not match exactly, the step returns Invalid “Host Settings”. Worse, the value it states is expected is NOT the value from the SAML ticket.

Expecting the same value

Wait… what?!

To make sure you enter the correct value, browse to https://ssoserver:7444/websso/SAML2/Metadata/vsphere.local and save the vsphere.download file when prompted. Open the vsphere.download file in Notepad or another text editor. Locate the entityID attribute of the EntityDescriptor element. The host name in that attribute, with exactly that spelling and case, is the value required.

<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ...>
<vmes:ExportedBy>Exported by VMware Identity Server (c) 2012
<EntityDescriptor entityID="https://VCSSO.ragazzi.lab:7444/websso/SAML2/Metadata/vsphere.local">
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

In my example, once I submitted the SSO Host name as VCSSO.ragazzi.lab, it was accepted and configuration continued.
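
The same check as a script, added here as an example rather than code from the original post or from VMware: it reads the saved metadata, pulls the host out of the entityID with its case intact, and compares it with the value you intend to type. The function names and the sample XML (a closed-up copy of the excerpt above) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample shaped like the excerpt above, with elements closed so it parses.
# In practice, pass in the text of the vsphere.download file saved from your own SSO server.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://VCSSO.ragazzi.lab:7444/websso/SAML2/Metadata/vsphere.local">
    <IDPSSODescriptor WantAuthnRequestsSigned="false"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def sso_host_from_metadata(xml_text):
    """Return the host from the first EntityDescriptor entityID, case preserved."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        node = root
    else:
        node = root.find(f".//{{{MD_NS}}}EntityDescriptor")
    if node is None or not node.get("entityID"):
        raise ValueError("no EntityDescriptor with an entityID found")
    # urlsplit().hostname lowercases the name, which would hide the very
    # difference we are looking for, so take netloc and drop the port by hand.
    netloc = urlsplit(node.get("entityID")).netloc
    host, _, port = netloc.rpartition(":")
    return host if host and port.isdigit() else netloc


def check_entered_host(entered, xml_text):
    """Compare the value typed into the SSO host field with the metadata host."""
    expected = sso_host_from_metadata(xml_text)
    if entered == expected:
        return "match"
    if entered.lower() == expected.lower():
        return f"case mismatch: enter {expected}"
    return f"different host: metadata says {expected}"


if __name__ == "__main__":
    # Constructed candidate values, including an IP address that is not in the metadata.
    for candidate in ("vcsso.ragazzi.lab", "VCSSO.ragazzi.lab", "10.0.0.5"):
        print(candidate, "->", check_entered_host(candidate, SAMPLE_METADATA))
```
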

I’m hoping this simple case-sensitivity issue is corrected in the next patch.

  1. ChristianKlose
    09/09/2014 at 3:51 pm

    that’s not funny – for me it was https://ssoServerName:7444:7444/websso

    • JonK
      09/11/2014 at 2:24 am

      Yes had the same problem. Didn’t see the new documentation saying that you don’t need to append the port on the SSO hostname in the ID appliance anymore. Now all fixed on my install (bad case of RTM).

  2. Bryan Erwin
    09/12/2014 at 9:28 am

    I just ran into this issue and your resolution worked perfectly. Thanks so much. I was pulling my hair out.

  3. Ompa
    09/14/2014 at 11:59 am

    Same inte 6.1 =/

  4. 09/16/2014 at 1:10 pm

    Nice catch bud, just saved me a support call.

  5. 09/17/2014 at 6:20 am

    Thanks a lot for the post. I had an IP number in the metadata 😦

    changed the following file with the right data:

    Everything works like a charm now.

    credits to this post http://gosddc.com/articles/vcac-and-vcenter-sso-heads-up-wrong-redirect-after-changing-vcenter-ip/
