vCloud Director SAML/SSO FAIL OMG

Disclaimer: Use at your own risk!  Be smart and contact VMware GSS if this is a production environment!  This was in my lab so your mileage may vary!

So like many others I deployed vCloud Suite 5.1 into my home lab…all things were perfect until I decided to play with vCD and SSO.  SSO has had quite a stream of people complaining about it and also those saying how great it is.  As of right now, my personal take on it is that I am indifferent.  Anyway, that is not the point of this quick post…the point is:

I BROKE MY VCD LOGINS!!!


So I was receiving a crazy 500 error after attempting login through the vSphere Web Client to vCD.  For those of you not in the know about how to do this, check out the vCloud Director Admin Guide on page 127, “Configure vCloud Director to use vCenter Single Sign On“.  Anywho, after attempting the configuration, which mind you is relatively simple, I somehow managed to bork the configuration.  This resulted in a 500 Internal Server Error exclaiming: Incoming SAML message is invalid.  One would think, “No worries, I will just disable SAML/SSO in the administration portal.”

OMG WTF!!!!  I can’t get into the portal to make the change!


After a cry for help on Twitter late at night with nobody to respond, I decided this morning to dig into the Oracle database.  While looking through I see a table called IDENTITY_PROVIDER…looks like I may have found a place to disable the SAML/SSO authentication method.  VOILA!  I did find it!  Now to change it…to do so, you will want to:

  1. Make sure you have a backup of your database.  (I did this in my lab!  Use at your own risk on ANY environment!)
  2. Connect to the Oracle DB.
  3. Run the following SQL: UPDATE VCLOUD.IDENTITY_PROVIDER SET IS_ENABLED = 0 WHERE PROVIDER_TYPE = 'SAML';
  4. Attempt to log back into vCD.

If all goes well, you should be back into vCD!  If you go to Administration->Federation you should see that Use vSphere Single Sign-On is no longer checked!  I am not sure that this is the proper method but it worked for me and I have not had any weird issues since making the change.  Hope this helps!
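The steps above boil down to a single UPDATE, but since this is the table that decides how every vCD login is authenticated, it is worth looking at the row before touching it and only committing when exactly one row changed. The following is an added example written for this post, not a script from the original or from VMware; it uses only the table and column names the post names (VCLOUD.IDENTITY_PROVIDER, PROVIDER_TYPE, IS_ENABLED) and assumes it is run in SQL*Plus against the Oracle vCD database (the `/` terminator and SET SERVEROUTPUT ON are SQL*Plus conventions):

```sql
-- Added example (not from the original post): disable the SAML identity provider
-- defensively, with a before/after check and a commit only on the expected row count.
-- Assumes: Oracle vCD schema with VCLOUD.IDENTITY_PROVIDER (PROVIDER_TYPE, IS_ENABLED),
-- run from SQL*Plus after the database has been backed up.
SET SERVEROUTPUT ON

-- 1. Record the current state of every identity provider row before changing anything.
SELECT PROVIDER_TYPE, IS_ENABLED
  FROM VCLOUD.IDENTITY_PROVIDER;

-- 2. Flip the SAML provider off inside one transaction; roll back if the row count
--    is not the single row we expect (for example a typo matching nothing, or more
--    rows than anticipated).
DECLARE
  v_rows NUMBER;
BEGIN
  UPDATE VCLOUD.IDENTITY_PROVIDER
     SET IS_ENABLED = 0
   WHERE PROVIDER_TYPE = 'SAML'
     AND IS_ENABLED <> 0;      -- no-op if SAML is already disabled
  v_rows := SQL%ROWCOUNT;

  IF v_rows = 1 THEN
    COMMIT;
    DBMS_OUTPUT.PUT_LINE('SAML provider disabled (1 row updated).');
  ELSE
    ROLLBACK;
    DBMS_OUTPUT.PUT_LINE('Unexpected row count ' || v_rows || '; rolled back, nothing changed.');
  END IF;
END;
/

-- 3. Confirm the result before trying the portal login again (IS_ENABLED should read 0).
SELECT PROVIDER_TYPE, IS_ENABLED
  FROM VCLOUD.IDENTITY_PROVIDER
 WHERE PROVIDER_TYPE = 'SAML';
```

The same pattern carries over to the Microsoft SQL version further down the post (wrap the UPDATE in BEGIN TRANSACTION, check @@ROWCOUNT, then COMMIT or ROLLBACK); the point is the before/after SELECT and the row-count guard, not the dialect.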

UPDATE:  Thanks to Luke (@ThepHuck) for doing this on Microsoft SQL.  Here is the script:

UPDATE [vcloud].[dbo].[identity_provider]
SET [is_enabled] = '0'
WHERE provider_type = 'SAML'
GO

UPDATE:  Thanks to Mathew Lodge (@mathewlodge) you can just add login.jsp to the URL to gain local login access like so:  http://vcloud.vsential.lab/cloud/login.jsp


James Bowling

Cloud Architect at General Datatech, LP
James Bowling is the creator of vSential.com. He currently works as a Cloud Architect/Engineer for General Datatech, LP (@GeneralDT) in Dallas, TX. James is a VCAP5-DCD, VCAP5-DCA, VCP5-DCV/IaaS, VCP-Cloud, EMCCIS, EMCCA, vExpert (x4), Cisco Champion - Data Center (2013), PernixPro, and the Houston VMUG Leader. He is an avid golfer, bowler, DJ, Producer/Remixer, all-around good guy, and a Freemason.
10 Responses to vCloud Director SAML/SSO FAIL OMG
  1. Luke @ThepHuck Reply

    Thanks for this! I’ve been battling with it for a while, even completely tore down my lab and started over. I’m using MS SQL and the script to fix it there is:

    UPDATE [vcloud].[dbo].[identity_provider]
    SET [is_enabled] = '0'
    WHERE provider_type = 'SAML'
    GO

    Once I did that, I was back in business.

    • James Bowling Reply

      No problem man! Thanks for putting up the MSSQL script for the fix! I will add it to the post.

  2. Mathew Lodge Reply

    Did you try adding “login.jsp” to the end of the URL so you could use a local login?

    • James Bowling Reply

      I did not but I will try that here in a sec…didn’t even think about attempting it that way!

    • James Bowling Reply

      Awesome! That worked! I will update the post with that information as well! Thanks!

  3. Joseph Callen Reply

    I found that if you log into the vSphere Web Client first then on another tab open vCD it usually works with no problem.

    • James Bowling Reply

      I can’t seem to reproduce this but on a different point, doesn’t what you are talking about defeat the purpose or am I just not following?

  4. [...] vCloud Director 5.1! (VMware vSphere Blog) What’s New In vCloud 5.1 API (VMware vSphere Blog) vClo... vsphere-land.com/news/vsphere-51-link-o-rama.html
  5. felipecarballo Reply

    Great post! Saved my day.
