Hi all
We are seeing a strange problem between the VCAC 6.0.1 appliance and the VMware identity appliance 2.0.1.0
The Identity appliance has been configured as per the VMware documentation and has been joined to our Active Directory domain. When we configure the default vsphere.local tenant to use Active Directory, using the same domain that the identity appliance is joined to, we are able to log in to https://vcacappliance.test.co.za/shell-ui-app/, are redirected to https://videntappliance.test.co.za:7444/websso/SAML2/SSO/, and are able to authenticate successfully.
However, if we create an additional tenant (not the default one), and that tenant is also configured to authenticate against the same AD that the identity appliance is joined to, we are presented with an error 400 from the identity appliance when redirected to it for authentication, as per the attached screenshot.
After some investigation we have found that the VCAC appliance seems to be missing a portion of the request when we compare what it sends to the identity appliance for the default tenant vs. any additionally configured tenants.
For the default tenant it passes:
https://videntappliance.test.co.za:7444/websso/SAML2/SSO/vsphere.local?SAMLRequest=zVVdb9owFP0ryO%2BJQ6DQWoSKwapVom1WWFXtZTLOpVhy7MzXSeh%2B%2FZwALaq6CvVpr%2Bb63PMVM7rc5qpTgUVpdEK6YUQ6oIXJpH5KyI%2FlVXBOLscj5Lkq2KR0G30Pv0tA1%2FH3NLL2h4SUVjPDUSLTPAdkTrDF5GbO4jBihTXOCKNIZ4II1vlFU6OxzMEuwFZSwLXOYJsQv3rmkaXmriWzca5ARunt%2FDGdzh8eJlEc5k6HwoR%2FOBv2%2B31awwrR0GZXTBeLO1phsQELoTKC%2B41XxgpoaSdkzRUC6VzPEvJryFexGAx4LHr9dS8b9s7W3YuMQ3R%2BcR5nFwM%2FhilHlBW8XkQsPVV0XLuExFG3H0S9IB4uu2fsrM9ir7U7%2BEk66V7vF6l3Ln5kzmo3hOzbcpkG6d1i2QJUMgN766cTotW2EKqqeNR9Vf9W58MhQI9JDnG1hO3pQfFDPGR8sP795bgBpYJSBrwoaAN8yCEHxzPu%2BIgeM9jxiQvWCLqepUZJ8XxEKz69QEqZemqBO2%2BMsyW0CefcfQzQnMgsWLejrGi8Qgfakc4ibTh9L7mSawn2tXOfFE7oXizzFc9kYyYeKz05gLcoe5DKX9mR9ByrvOa%2BAsLkFMUGco6UO2eDFpj6gsY06tOvWy%2B1KQeSPcgW5QtGXddh3QuNffIXoi59vJkvWqxAtk0X3mI%2Fz9xz4S1v1rN70FDzlYKlP3tH8H9EdQYKno6p0rfhvHRz%2F6xB1r4WfsDB1n2qpFOTF9xKbD5H2HLh9mmyY%2BSp8mHfw%2Fpow8nd%2BHBMMNFA%2B%2BPm%2FaqNzZr3CIRXtrRcY2Gs29nwLp%2BDRf8wZHz4so%2F%2FCsZ%2FAQ%3D%3D&RelayState=aHR0cHM6Ly9ubHhwY2x2dmEwMS5tdG4uY28uemEvc2hlbGwtdWktYXBwLw%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=I6SUdIi%2F4JAIFMXuSWMN2VpJ2pbsV0UyfFSg37fEaFQH5gTvqgzv97jwgF3q6U6O2t2qCLLqxQxtJmX70%2BmPPUsDFep2aPJBSCJ%2B99gciBi%2F719aBhOFirqCVRV3KDEL1IOPEY7QAsn12oJhjsKc5kLca0KWMPc85dG1u%2FCx0sRr3nIAToy6DKmoxvRj6kUozVIW%2BZBfR%2FAkuSaOaxDp%2FJl963gMmESyBjRXXSWQDvqAETywJiR%2BdKtrw8lLpx1%2BVe%2BjwcgAJn7VNW%2BpcJNM%2FJJ5ikJSK0eJjK0%2F2s6JUzf%2F9sd0yvOtku2sf6RQuiZ4VqsTlvVmB4KSbZhXXd0iFg%3D%3D&passwordEntry=1
For any additional tenants it passes:
https://videntappliance.test.co.za:7444/websso/SAML/SSO/tenant?SAMLRequest=zVVdb9owFP0rkd8ThwCltRoqBqtWibZZYVW1l8l1LsWSY2e%2BTkL36%2BcEaFHVVWh72au5Pvd8xZxfbAoV1GBRGp2SXhSTALQwudRPKfm2vAxPycX4HHmhSjap3Frfwc8K0AX%2BnkbW%2FZCSympmOEpkmheAzAm2mFzPWRLFrLTGGWEUCSaIYJ1fNDUaqwLsAmwtBVzpHDYp8atnHllq7joya%2BdKZJTezB%2By6fz%2BfhInUeF0JEz0i7PRYDCgDTwiGtruSuhicUuF0ZbnJLg0VkDHNyUrrhBIcDVLyY%2F%2BEESenK6gn5%2BJ095wOBSD0Yk%2FOzsZ9XK%2B8mOYcURZw%2BtFxMpzRMe1S0kS9wZh3A%2BT0bI3ZP0RS5IoiZPvJMh2Qj9JvbXvI1cet0PIviyXWZjdLpYdQC1zsDd%2BOiVabUqh6prHvVfZLwLv95F5MLIPqGNqj4%2BG7wMh473Z72%2FFNSgVVjLkZUmNfdrRoO2OfQgFOJ5zx8%2FpIZkttaRkrairWWaUFM8HDJPj26OUaaYWuPPmOFtBl3LB3ccA7YnMw1U3ysrWNnSgHQkWWcvpa8WVXEmwr4X7dw8I3elmvuq5bC3GQ9FHx%2FIWZQdS%2Bytbvp5uXTTcgmdZUBRrKDhS7pwNO2Dq%2B5rQeEA%2Fb7zqtjJIdiAblC8YTdNETT9qZSVx3KMP1%2FNFhxXKrvjCu%2B3nmXsuvfvtenYHGhr%2BqGDpz94R%2FB9RnYGCp0Oq9G04LzXdPW%2BQd4%2BHH3CwcX%2FV16kpSm4lth8pbLhwuzTZIfJU%2BbDvYHWw4ehufDgmmGih%2FXH7nDXG5u3zBMIrW1qusTTWbW14l8%2Feoj8YMt5%2F5Id%2FCePf&RelayState=aHR0cHM6Ly9ubHhwY2x2dmEwMS5tdG4uY28uemEvc2hlbGwtdWktYXBwL29yZy9jb25yYWQv&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=C8WOi6sG7%2F%2FTgEEKaxjoeNulZ6jsyPORRoyHC4RiUlOM3GOv2WgsOWdNUFaCWAoCvRUJD3CC0yN4awQiiOFwipIy0ktaPycd%2F4lK4f5daPNAcXxO1ybNrvdLHFZA%2FioCbTvpr9kw0HJdkGsfl7e3DFDnILBpBDIjYmW%2FoVhk9i32QVVwM0osA7Yfno6iLnskURf1J%2F%2FXNlsxX09XiR6BMnZIDAMqEkJKnEerUWF6XHwqL0q5PR%2Fl0OH7gqJo6W%2Fo6ryohRJdJXyQFN%2BL6FTqfWnJZIh99FXNPyMAs9WEUpKLlIkAHq38z424hM%2BY8bOV%2BxaV8CS9sjDkKjgwB2NIlw%3D%3D
Notice that for the default tenant there is a portion at the end that reads “&passwordEntry=1”, which is missing from the request to the identity appliance for any non-default tenants, resulting in the error 400 from the identity appliance: “the request sent by the client is syntactically incorrect”.
Has anybody else observed this behaviour and found a solution?
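The two redirect URLs quoted in the post are SAML 2.0 HTTP-Redirect-binding requests: the SAMLRequest value is a raw-DEFLATE-compressed, base64-encoded AuthnRequest, RelayState carries the return URL, and SigAlg/Signature sign the query string. Besides the trailing passwordEntry=1, the two URLs also differ in endpoint path (/websso/SAML2/SSO/vsphere.local vs. /websso/SAML/SSO/tenant). The script below is an added example, not code from the post or from VMware: it decodes a redirect-binding request, reconstructs the exact portion of the query string that the Signature covers (SAMLRequest, RelayState and SigAlg only, per SAML 2.0 Bindings 3.4.4.1, so any extra parameter such as passwordEntry is outside the signed data), and diffs two such URLs. The AuthnRequest, the tenant paths, the RelayState values and the Signature are constructed for illustration (the Signature is a placeholder, not a real RSA signature); only the hostnames come from the post.

```python
import base64
import zlib
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed sample AuthnRequest (not taken from the post). Hostnames are the ones
# quoted in the post; ID, IssueInstant and the ACS URL are assumptions for illustration.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-id" '
    'Version="2.0" IssueInstant="2014-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://vcacappliance.test.co.za/shell-ui-app/">'
    '<saml:Issuer>https://vcacappliance.test.co.za/shell-ui-app/</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Placeholder only: a real Signature is an RSA signature over signed_query_string().
FAKE_SIGNATURE = base64.b64encode(b"placeholder-not-a-real-rsa-signature").decode()


def encode_redirect_param(xml: str) -> str:
    """Encode XML as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def decode_redirect_param(value: str) -> str:
    """Inverse of encode_redirect_param: base64-decode, then inflate the raw DEFLATE stream."""
    return zlib.decompress(base64.b64decode(value), -15).decode()


def build_redirect(endpoint: str, params: dict) -> str:
    """Assemble the redirect URL; urlencode percent-escapes the base64 '+', '/' and '='."""
    return endpoint + "?" + urlencode(params)


def parse_sso_redirect(url: str) -> dict:
    """Split a redirect URL into host, endpoint path, query parameters and the decoded AuthnRequest."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    info = {"host": parts.netloc, "path": parts.path, "params": params}
    if "SAMLRequest" in params:
        info["authn_request"] = decode_redirect_param(params["SAMLRequest"])
    if "RelayState" in params:
        # RelayState is opaque to SAML; the post's values happen to be base64-encoded
        # return URLs, so try that decoding and fall back to the raw value.
        try:
            info["relay_state"] = base64.b64decode(params["RelayState"], validate=True).decode()
        except ValueError:
            info["relay_state"] = params["RelayState"]
    return info


def signed_query_string(params: dict) -> str:
    """The octets the Signature covers (SAML 2.0 Bindings 3.4.4.1): SAMLRequest, then
    RelayState if present, then SigAlg, in that order, URL-encoded. Any other parameter
    (for example passwordEntry) lies outside the signed data. The percent-encoding must
    match what the sender actually signed; urlencode's form is used here."""
    signed = [("SAMLRequest", params["SAMLRequest"])]
    if "RelayState" in params:
        signed.append(("RelayState", params["RelayState"]))
    signed.append(("SigAlg", params["SigAlg"]))
    return urlencode(signed)


def diff_redirects(url_a: str, url_b: str) -> dict:
    """Report how two redirect URLs differ: endpoint path, parameters present in only
    one of them, and shared parameters whose values differ."""
    a, b = parse_sso_redirect(url_a), parse_sso_redirect(url_b)
    pa, pb = a["params"], b["params"]
    return {
        "path_differs": a["path"] != b["path"],
        "only_in_first": sorted(set(pa) - set(pb)),
        "only_in_second": sorted(set(pb) - set(pa)),
        "common_but_different": sorted(k for k in set(pa) & set(pb) if pa[k] != pb[k]),
    }


def tenant_params(return_url: bytes, extra: dict) -> dict:
    """Query parameters in the order the post's URLs show them, plus any vendor extras."""
    return {"SAMLRequest": encode_redirect_param(AUTHN_REQUEST),
            "RelayState": base64.b64encode(return_url).decode(),
            "SigAlg": SIG_ALG, "Signature": FAKE_SIGNATURE, **extra}


# Two constructed redirects shaped like the post's: default tenant vs. an additional tenant.
DEFAULT_TENANT_URL = build_redirect(
    "https://videntappliance.test.co.za:7444/websso/SAML2/SSO/vsphere.local",
    tenant_params(b"https://vcacappliance.test.co.za/shell-ui-app/", {"passwordEntry": "1"}))
OTHER_TENANT_URL = build_redirect(
    "https://videntappliance.test.co.za:7444/websso/SAML/SSO/tenant",
    tenant_params(b"https://vcacappliance.test.co.za/shell-ui-app/org/tenant/", {}))

if __name__ == "__main__":
    for name, url in (("default tenant", DEFAULT_TENANT_URL), ("other tenant", OTHER_TENANT_URL)):
        info = parse_sso_redirect(url)
        print(name, info["path"], sorted(info["params"]), info.get("relay_state"))
    print(diff_redirects(DEFAULT_TENANT_URL, OTHER_TENANT_URL))
```

Passing the two URLs quoted in the post to diff_redirects in place of the constructed ones gives the same comparison on the real data, provided the copied SAMLRequest values are intact enough to inflate; the decoded AuthnRequest then shows whether anything inside the signed request differs between tenants as well.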