This week I decided to jump on the upgrade bandwagon along with a number of other excited people in the vExpert Slack group. While most, if not all, had success stories, I unfortunately ran into some post-upgrade portal issues.
The upgrade process to version 9.0 was no different from previous releases. I followed my regular upgrade process which went off without issue. When I went to log into the Administrator Portal I was faced with an HTTP Error 500 page. Argh!
HTTP ERROR 500
Problem accessing /cloud/saml/login/alias/vcd. Reason:
    javax.servlet.ServletException: org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP
        at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:161)
        at org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:107)
        at com.vmware.vcloud.web.NestedFilterChain.doFilter(NestedFilterChain.java:45)
        at com.vmware.vcloud.web.UnfirewalledFilterChainProxy.doFilter(UnfirewalledFilterChainProxy.java:62)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
To my surprise, tenant portals were fine and users were able to log in. This was specific to the Admin Portal.
Checking the release notes, I knew there was a breaking change with Federation and SAML which required you to re-register your organization with your SAML IDP. That’s fine, I thought, we’re not using SAML. And besides, the notes seem to indicate you make the change post-upgrade.
System administrators cannot use an existing vSphere SSO configuration to authenticate to vCloud Director.
Federation for the System organization has changed in this release. The System organization can now use any SAML IDP, not just the vSphere Single Sign-On service. Existing federation settings for the System organization are no longer valid and are deleted during the upgrade.
Workaround: Re-register your organization with your SAML IDP. See “Enable Your Organization to Use a SAML Identity Provider” in the vCloud Director Administrator’s Guide
Turns out, though, we were in fact using SAML, or at least had it enabled in a non-functioning state. So despite the release notes stating that it would be deleted, it appeared to remain in a broken state post-upgrade and was now preventing the Admin Portal from loading at all.
The solution turned out to be relatively easy with VMware GSS help. Log in to the Admin Portal by specifying the full URL to the login.jsp file (the path ending in /cloud/login.jsp, which bypasses the SAML entry point that is throwing the error) with your standard System Administrator account.
Navigate to the Administration page and then to Federation. Untick “Use SAML Identity Provider” and click Apply.
The change should take effect immediately. Log out and back in as you normally would to the portal, without the trailing /cloud/login.jsp.
While I’m sure this was a corner case please take note of your SAML settings. If you don’t use it, make sure you don’t have it enabled.
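As an added example (not code from the original post or from VMware), the following Python script turns that advice into a pre-upgrade check: it parses each organization’s federation settings and flags any org where SAML is switched on but the stored metadata names no IDP, which is the state behind the “No IDP was configured” error above. It assumes the vCloud API endpoint GET /api/admin/org/{id}/settings/federation returns an OrgFederationSettings document in the http://www.vmware.com/vcloud/v1.5 namespace and that the session token travels in the x-vcloud-authorization header; the sample XML documents are constructed for the example, not captured from a real system.

```python
"""Audit vCloud Director org federation settings for 'SAML enabled, no IDP'.

Assumptions (not from the post): the endpoint
GET /api/admin/org/{id}/settings/federation returns an OrgFederationSettings
document in the vcloud/v1.5 namespace, and the session token is sent in the
x-vcloud-authorization header. Sample documents below are constructed.
"""
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"


@dataclass
class FederationStatus:
    org: str
    enabled: bool
    has_idp: bool

    @property
    def broken(self) -> bool:
        # Federation switched on with no IDP in the metadata is exactly the
        # state that produced "No IDP was configured" in the stack trace.
        return self.enabled and not self.has_idp


def parse_federation_settings(org: str, xml_text: str) -> FederationStatus:
    """Parse one OrgFederationSettings document into a FederationStatus."""
    root = ET.fromstring(xml_text)
    enabled_el = root.find(f"{{{VCLOUD_NS}}}Enabled")
    metadata_el = root.find(f"{{{VCLOUD_NS}}}SAMLMetadata")
    enabled = enabled_el is not None and (enabled_el.text or "").strip().lower() == "true"
    metadata = (metadata_el.text or "") if metadata_el is not None else ""
    # OpenSAML builds its IDP list from IDPSSODescriptor entries; empty or
    # SP-only metadata yields no IDP and the SAML entry point fails.
    has_idp = "IDPSSODescriptor" in metadata
    return FederationStatus(org, enabled, has_idp)


def audit(settings_by_org: dict) -> list:
    """Return the names of orgs whose federation settings would break login."""
    return [org for org, xml_text in settings_by_org.items()
            if parse_federation_settings(org, xml_text).broken]


def fetch_federation_settings(base_url: str, org_id: str, token: str,
                              api_version: str = "29.0") -> str:
    """Fetch a live OrgFederationSettings document (assumed endpoint, see above)."""
    req = urllib.request.Request(
        f"{base_url}/api/admin/org/{org_id}/settings/federation",
        headers={"Accept": f"application/*+xml;version={api_version}",
                 "x-vcloud-authorization": token})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


# Constructed sample documents: the shape is assumed from the vCloud API.
SYSTEM_ORG_BROKEN = f"""<OrgFederationSettings xmlns="{VCLOUD_NS}">
  <SAMLMetadata></SAMLMetadata>
  <Enabled>true</Enabled>
</OrgFederationSettings>"""

TENANT_ORG_OK = f"""<OrgFederationSettings xmlns="{VCLOUD_NS}">
  <SAMLMetadata>&lt;md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test"&gt;&lt;md:IDPSSODescriptor/&gt;&lt;/md:EntityDescriptor&gt;</SAMLMetadata>
  <Enabled>true</Enabled>
</OrgFederationSettings>"""

TENANT_ORG_DISABLED = f"""<OrgFederationSettings xmlns="{VCLOUD_NS}">
  <SAMLMetadata></SAMLMetadata>
  <Enabled>false</Enabled>
</OrgFederationSettings>"""


if __name__ == "__main__":
    samples = {"System": SYSTEM_ORG_BROKEN,
               "tenant-a": TENANT_ORG_OK,
               "tenant-b": TENANT_ORG_DISABLED}
    for org in audit(samples):
        print(f"{org}: SAML federation enabled but metadata names no IDP; "
              "disable it or re-register with the IDP before upgrading")
```

Run against live data, you would call fetch_federation_settings for each org reference returned by the admin API and feed the documents to audit; anything it reports for the System org is worth fixing before the upgrade, since that is the portal the broken entry point locked out.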