ADFS Authentication Issue with Alternative UPN Domain


My apologies if this has been covered, but I didn’t get any results when searching for ADFS or OAuth. I recently upgraded to vCenter 7 and after a lot of troubleshooting, I was able to get the Identity Provider to integrate with my ADFS server. My issue is that the domain for my users’ UPN does not match the domain of my user. As an example, my domain is ‘abc.local’, but my user has the UPN ‘user@xyz.com’. When I try to log in I have to provide a bogus username of ‘user@abc.local’ because the vCenter login page doesn’t recognize my ‘user@xyz.com’ address. After that, I receive the error message: “Unable to login because you do not have permission on any vCenter Server systems connected to this client”.

I have verified Single Sign On works correctly with a user whose UPN matches the domain (e.g. user2@abc.local). I have tried changing my claim to output the UPN and Name ID as SAM-Account-Name@abc.local without success. I have also tried using a completely different field with the attribute ‘user@abc.local’ without success. I thought maybe some type of transform may be necessary, but my experience with ADFS is limited and my experience with OAuth is non-existent. Has anybody else run across this issue, or is this a known limitation with vCenter?
