vCloud Director SAML/SSO FAIL OMG

:warning: Disclaimer: Use at your own risk!  Be smart and contact VMware GSS if this is a production environment!  This was in my lab so your mileage may vary!

So like many others I deployed vCloud Suite 5.1 into my home lab…all things were perfect until I decided to play with vCD and SSO.  SSO has had quite a stream of people complaining about it and also those saying how great it is.  As of right now, my personal take on it is that I am indifferent.  Anyway, that is not the point of this quick post…the point is:

I BROKE MY VCD LOGINS!!!

So I was receiving a crazy 500 error after attempting login through the vSphere Web Client to vCD.  For those of you not in the know about how to do this, check out the vCloud Director Admin Guide on page 127, “Configure vCloud Director to use vCenter Single Sign On”.  Anywho, after attempting the configuration, which mind you is relatively simple, I somehow managed to bork the configuration.  This resulted in a 500 Internal Server Error exclaiming: Incoming SAML message is invalid.  One would think, “No worries, I will just disable SAML/SSO in the administration portal.”

OMG WTF!!!!  I can’t get into the portal to make the change!

After a cry for help on Twitter late at night with nobody to respond, I decided this morning to dig into the Oracle database.  While looking through it I saw a table called IDENTITY_PROVIDER…looks like I may have found a place to disable the SAML/SSO authentication method.  VOILA!  I did find it!  Now to change it…to do so you will want to:

  1. Make sure you have a backup of your database.  (I did this in my lab!  Use at your own risk on ANY environment!)
  2. Connect to the Oracle DB.
  3. Run the following SQL: UPDATE VCLOUD.IDENTITY_PROVIDER SET IS_ENABLED = 0 WHERE PROVIDER_TYPE = 'SAML';
  4. Attempt to log back into vCD.
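The same change wrapped in a guarded transaction, as an added example that is not the post's own script.  It assumes only what the post names: an Oracle schema VCLOUD with an IDENTITY_PROVIDER table holding PROVIDER_TYPE and IS_ENABLED columns, and that exactly one SAML row exists (the row-count check and the error number -20001 are my assumptions).  It records the state before the change, rolls back if anything other than one row would be touched, commits explicitly (SQL*Plus does not autocommit an UPDATE), and then verifies the result:

```sql
-- Added example, not the post's script. Assumes the Oracle schema the post
-- names: VCLOUD.IDENTITY_PROVIDER with columns PROVIDER_TYPE and IS_ENABLED.

-- 1. Capture the current state of every provider row before touching it.
SELECT PROVIDER_TYPE, IS_ENABLED
  FROM VCLOUD.IDENTITY_PROVIDER;

-- 2. Disable the SAML provider inside a transaction. Roll back unless exactly
--    one row changed (assumption: a single SAML row), then commit explicitly.
DECLARE
  v_rows NUMBER;
BEGIN
  UPDATE VCLOUD.IDENTITY_PROVIDER
     SET IS_ENABLED = 0
   WHERE PROVIDER_TYPE = 'SAML';

  v_rows := SQL%ROWCOUNT;

  IF v_rows <> 1 THEN
    ROLLBACK;
    -- Error number -20001 is an arbitrary user-defined code (assumption).
    RAISE_APPLICATION_ERROR(-20001,
      'Expected exactly one SAML provider row, found ' || v_rows ||
      '; change rolled back');
  END IF;

  COMMIT;
END;
/

-- 3. Confirm the SAML provider is now disabled (IS_ENABLED should read 0).
SELECT PROVIDER_TYPE, IS_ENABLED
  FROM VCLOUD.IDENTITY_PROVIDER
 WHERE PROVIDER_TYPE = 'SAML';
```

The SELECT before the change gives you the values to restore if the portal behaves unexpectedly afterwards, which is the quickest way back short of a full database restore.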

If all goes well, you should be back into vCD!  If you go to Administration->Federation you should see that Use vSphere Single Sign-On is no longer checked!  I am not sure that this is the proper method but it worked for me and I have not had any weird issues since making the change.  Hope this helps!

UPDATE:  Thanks to Luke (@ThepHuck) for doing this on Microsoft SQL.  Here is the script:

UPDATE [vcloud].[dbo].[identity_provider]
SET [is_enabled] = '0'
WHERE provider_type = 'SAML'
GO

UPDATE:  Thanks to Mathew Lodge (@mathewlodge): you can just add login.jsp to the URL to gain local login access, like so:  http://vcloud.vsential.lab/cloud/login.jsp