"SAML authentication failed for this organization.Use integrated authentication" when SAML Users attempt to log into vCloud Director.

Article ID: 309152


Products

VMware Cloud Director

Issue/Introduction

Symptoms:
  • "SAML authentication failed for this organization.Use integrated authentication" error is seen when logging into vCloud Director as a new SAML user.
  • "User login failed" is seen in the vCloud Director UI under System > Manage & Monitor > Organizations > Affected Organization Name > Logs.
  • Existing users and local users are able to log in without issues.
  • The issue occurs in every Organization that has the same SAML identity provider configured.
  • In /opt/vmware/vcloud-director/logs/vcloud-container-debug.log, there are errors of the form:
2020-01-01 10:23:07,443 | DEBUG  | pool-jetty-7039254    | SamlAuthenticationSuccessHandler | Login failure details for user [email protected] | requestId=1fcc2a34-ec56-7fd8-90e0-1b234fe567ca8,request=POST https://vcd.example.com/cloud/org/exampleOrg/saml/SSO/alias/vcd,requestTime=1578910987410,remoteAddress=
...
org.hibernate.exception.SQLGrammarException: could not execute query
    at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:90)
    at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:66)
    at org.hibernate.loader.Loader.doList(Loader.java:2231)
    at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2125)
    at org.hibernate.loader.Loader.list(Loader.java:2120)
...
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.postgresql.util.PSQLException: ERROR: syntax error at or near ")"
Position: 136
    at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2477)
    at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2190)
    at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:300)
    at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:428) 
 
  • In the PostgreSQL database logs for vCloud Director Appliances, found in /var/vmware/vpostgres/current/pgdata/log/postgresql-DayoftheWeek.log, there are errors of the form:
2020-01-01 10:16:24.712 UTC [29273] ERROR: syntax error at or near ")" at character 136
2020-01-01 10:16:24.712 UTC [29273] STATEMENT: /* Method: unknown */ /* criteria query */ select count(*) as y0_ from grp this_ where this_.source_id=$1 and this_.name_in_source in ()
  • In vCloud Director instances using an external MS SQL server, the logs show errors of the form:
Caused by: java.sql.SQLException: Incorrect syntax near ')'. 
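A triage script for the symptoms above, added here as an example and not part of the article or of VMware's code. It pulls each "Login failure details" entry out of a vcloud-container-debug.log excerpt, keeps those whose stack trace shows the Hibernate SQLGrammarException together with the PostgreSQL or MS SQL syntax error quoted above, confirms the empty "in ()" grp query in the PostgreSQL log, and lists the affected SAML usernames per Organization (taken from the /cloud/org/<org>/saml/SSO path), which is exactly the list of usernames the Organization Administrator has to import or cover with a group. The log samples are constructed from the article's excerpts; the usernames jdoe@example.com and asmith@example.com, the second (unrelated) failure, and the regular expressions are assumptions made for this example.

```python
"""Triage helper for the SAML login failure described in this article.

Added example, not VMware code. Log samples are constructed from the article's
excerpts; usernames, the unrelated second failure and the regexes are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of /opt/vmware/vcloud-director/logs/vcloud-container-debug.log.
DEBUG_LOG = """\
2020-01-01 10:23:07,443 | DEBUG  | pool-jetty-7039254    | SamlAuthenticationSuccessHandler | Login failure details for user jdoe@example.com | requestId=1fcc2a34-ec56-7fd8-90e0-1b234fe567ca8,request=POST https://vcd.example.com/cloud/org/exampleOrg/saml/SSO/alias/vcd,requestTime=1578910987410,remoteAddress=
org.hibernate.exception.SQLGrammarException: could not execute query
    at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:90)
    at org.hibernate.loader.Loader.doList(Loader.java:2231)
Caused by: org.postgresql.util.PSQLException: ERROR: syntax error at or near ")"
Position: 136
2020-01-01 10:30:00,001 | DEBUG  | pool-jetty-7039260    | SamlAuthenticationSuccessHandler | Login failure details for user asmith@example.com | requestId=0a1b2c3d-0000-1111-2222-333344445555,request=POST https://vcd.example.com/cloud/org/otherOrg/saml/SSO/alias/vcd,requestTime=1578911400001,remoteAddress=
com.example.ConstructedUnrelatedException: a different login failure, not this article's signature
"""

# Constructed sample of /var/vmware/vpostgres/current/pgdata/log/postgresql-<Day>.log.
PG_LOG = """\
2020-01-01 10:16:24.712 UTC [29273] ERROR: syntax error at or near ")" at character 136
2020-01-01 10:16:24.712 UTC [29273] STATEMENT: /* Method: unknown */ /* criteria query */ select count(*) as y0_ from grp this_ where this_.source_id=$1 and this_.name_in_source in ()
"""

# Header of each failed-login entry: username, request id and the Organization
# name taken from the SAML SSO endpoint path (/cloud/org/<org>/saml/SSO/...).
LOGIN_FAILURE = re.compile(
    r"Login failure details for user (?P<user>\S+) \| requestId=(?P<rid>[^,]+),"
    r"request=\S+ https?://[^/]+/cloud/org/(?P<org>[^/]+)/saml/"
)
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Database-side messages quoted in this article for the two supported databases.
DB_SYNTAX_ERRORS = (
    'syntax error at or near ")"',   # PostgreSQL (vCloud Director appliance)
    "Incorrect syntax near ')'",     # external MS SQL server
)

# The grp membership lookup issued with an empty IN list, as logged by PostgreSQL.
EMPTY_IN_LIST = re.compile(r"STATEMENT:\s*(?P<sql>.*\bfrom grp\b.*\bin \(\))\s*$")


@dataclass
class LoginFailure:
    user: str
    org: str
    request_id: str
    detail: list = field(default_factory=list)   # stack-trace lines after the header

    @property
    def matches_kb(self) -> bool:
        """True when the trace shows the SQLGrammarException and a DB syntax error."""
        text = "\n".join(self.detail)
        return "SQLGrammarException" in text and any(e in text for e in DB_SYNTAX_ERRORS)


def parse_debug_log(text: str) -> list:
    """Split the debug log into LoginFailure records, one per header line."""
    failures, current = [], None
    for line in text.splitlines():
        header = LOGIN_FAILURE.search(line)
        if header:
            current = LoginFailure(header["user"], header["org"], header["rid"])
            failures.append(current)
        elif TIMESTAMP.match(line):
            current = None          # a new timestamped entry ends the stack trace
        elif current is not None:
            current.detail.append(line)
    return failures


def postgres_empty_in_list(text: str) -> list:
    """Return the grp lookups in the PostgreSQL log that carry an empty in () list."""
    found = []
    for line in text.splitlines():
        m = EMPTY_IN_LIST.search(line)
        if m:
            found.append(m["sql"])
    return found


def affected_users(debug_log: str) -> dict:
    """Organization -> sorted usernames hitting this article's signature.

    Each username is reported exactly as it appears in the SAML login, which is
    the form that must be imported with a role or covered by an imported group.
    """
    result = {}
    for f in parse_debug_log(debug_log):
        if f.matches_kb:
            result.setdefault(f.org, set()).add(f.user)
    return {org: sorted(users) for org, users in result.items()}


if __name__ == "__main__":
    for org, users in affected_users(DEBUG_LOG).items():
        print(f"{org}: import (or group-cover) {', '.join(users)}")
    print("empty in () grp lookups in PostgreSQL log:", len(postgres_empty_in_list(PG_LOG)))
```

Run it against the real files (for example, `affected_users(open("/opt/vmware/vcloud-director/logs/vcloud-container-debug.log").read())`) to get the per-Organization list of usernames before going through the import steps in the Resolution; on an MS SQL installation skip the PostgreSQL check, the "Incorrect syntax near ')'" line in the debug log is enough.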

 


Environment

VMware Cloud Director for Service Provider 9.x

Cause

During the SAML login flow, vCloud Director checks whether the authenticated user has been imported directly into the target Organization, or whether at least one group to which the user belongs has been imported. The failing statement in the database log is that group check: a count of rows in the grp table whose name_in_source matches the group list for the user, issued with an empty in () list, which the database rejects as a syntax error (PostgreSQL: syntax error at or near ")"; MS SQL: Incorrect syntax near ')').

The error occurs when the Organization Administrator has neither imported the SAML user directly with a role assigned, nor imported at least one SAML group to which the user belongs, into the target Organization. One of the two is required for the SAML login to succeed.

 

Resolution

Follow the steps in the Enable Your Organization to Use a SAML Identity Provider section of the vCloud Director documentation to configure SAML authentication.
Import the required users and groups into the Organization using the steps in the Managing Users, Groups and Roles section of the vCloud Director documentation.

Note: If the same user can be identified by more than one username, for example username or username@vcd.example.com, import the form of the username that is actually presented in the SAML login, with a role assigned to it. Alternatively, import a group that contains that username into vCloud Director before the user logs in.