Posts Tagged ‘vCAC 6.1’

vCAC 6.1 SSO configuration gotcha

This drives me crazy.  An FQDN is not case-sensitive.  SERVER.DOMAIN.TLD is the same as sERvEr.dOMaIn.tlD.  VMware has added significantly to the server certificate authenticity checking in version 6.1.  When configuring the SSO settings in the VAMI, it not only connects and validates the certificate, but also checks the host name against the SAML ticket.  In general, more security and validation is a good thing, but in this case, the code requires that the hostname you entered is exactly the value in the SAML ticket.  If the spelling and name do not exactly match, the step returns Invalid “Host Settings”.  Worse, the value it states is expected is NOT the value from the SAML ticket.

Expecting the same value

Wait… what?!

To make sure you enter the correct value, browse to https://ssoserver:7444/websso/SAML2/Metadata/vsphere.local and save the file when prompted.  Open the file in notepad or some text editor.  Locate the entityID attribute of the EntityDescriptor element.  That is the name and spelling required.

<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ...>
<vmes:ExportedBy>Exported by VMware Identity Server (c) 2012
<EntityDescriptor entityID="https://VCSSO.ragazzi.lab:7444/websso/SAML2/Metadata/vsphere.local">
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

In my example, once I submitted the SSO Host name as VCSSO.ragazzi.lab, it was accepted and configuration continued.

I’m hoping this simple case-sensitivity issue is corrected in the next patch.