We had our vCenter 7.03 environment using Microsoft ADFS for authentication, which has Duo for MFA. The ADFS servers were using the Duo AD FS Adapter version 1.2. We recently upgraded the adapter to version 2 for Universal Prompt support. Apparently version 2 broke something in the ADFS page /.well-known/openid-configuration that's needed for vCenter.
I then read up on and set up Duo SSO and Generic OIDC for vCenter to attempt to use. I followed the same VMware KB article, attempting to have Duo SSO/OIDC map the same attributes that ADFS would use. Our Duo proxy servers are connected to our Active Directory servers, and not ADFS. In the Duo OIDC application page, I have the openid scope enabled, and manually created a new scope called "allatclaims", and manually mapped these values trying to mimic the ADFS document.
Token-Groups - Qualified by Long Domain Name → Group
User-Principal-Name → Name ID
User-Principal-Name → UPN
Here is the VMware KB I've used to set up ADFS:
https://kb.vmware.com/s/article/78029
What happens is, I log into the vCenter web interface, I enter my username, I get redirected to Duo SSO, enter username, password and MFA, and get redirected back to the vCenter UI page with a "[400] Unable to authenticate." error message.
The vCenter logs show a message of "Csp responded with status 400 BAD_REQUEST and body {'error_title': 'invalid_request', 'error_message': 'Request was malformed'}".
The "Request was malformed" error leads me to think that maybe we're not mapping the correct values in the OIDC web page.
Are there plans to either fix the ADFS Duo 2.0 Adapter or support vCenter using OIDC? Otherwise I'll likely have to revert the Universal Prompt on ADFS Adapter 2.0 and go back to 1.2.
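Added example, not from the original post or from Duo/VMware: a small Python script for checking the two things the post is guessing at, whether the provider's /.well-known/openid-configuration document carries the metadata keys that the OpenID Connect Discovery 1.0 spec requires (the page that the adapter upgrade reportedly broke), and which claims actually arrive in an ID token, so a mapping such as UPN or group can be confirmed before blaming the mapping. The discovery document, issuer URL and ID token below are constructed samples; the claim names `upn` and `groups` are assumptions standing in for whatever the relying party expects, and the token payload is decoded for inspection only, without signature verification.

```python
"""Check an OIDC discovery document and list the claims present in an ID token."""
from __future__ import annotations

import base64
import json

# Keys that OpenID Connect Discovery 1.0 marks REQUIRED in provider metadata.
REQUIRED_DISCOVERY_KEYS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def check_discovery(doc: dict, expected_issuer: str) -> list[str]:
    """Return a list of problems found in a discovery document (empty means it looks fine)."""
    problems = []
    for key in REQUIRED_DISCOVERY_KEYS:
        if key not in doc:
            problems.append(f"missing required key: {key}")
    issuer = doc.get("issuer")
    if issuer is not None and issuer != expected_issuer:
        problems.append(f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}")
    # A relying party using the authorization code flow needs 'code' advertised.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("'code' not advertised in response_types_supported")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if url is not None and not url.startswith("https://"):
            problems.append(f"{key} is not an https URL: {url}")
    return problems


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def id_token_claims(token: str) -> dict:
    """Decode the payload of a compact JWT without verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(claims: dict, wanted: tuple[str, ...]) -> list[str]:
    """Names from `wanted` that the token does not carry."""
    return [name for name in wanted if name not in claims]


# Constructed sample discovery document; the issuer is a placeholder, not a real provider.
SAMPLE_ISSUER = "https://sso.example.test"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/oidc/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/oidc/token",
    "jwks_uri": SAMPLE_ISSUER + "/oidc/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "allatclaims"],
}

# Constructed ID token: header and payload are real base64url JSON, the signature
# segment is a placeholder because nothing here verifies it.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({
        "iss": SAMPLE_ISSUER,
        "sub": "alice",
        "aud": "vcenter-client-id-placeholder",
        "upn": "alice@corp.example.test",          # assumed claim name for User-Principal-Name
        "groups": ["CN=vc-admins,DC=corp,DC=example,DC=test"],  # assumed claim name for Token-Groups
    }).encode()),
    "signature-placeholder",
])


if __name__ == "__main__":
    for problem in check_discovery(SAMPLE_DISCOVERY, SAMPLE_ISSUER) or ["discovery document OK"]:
        print(problem)
    claims = id_token_claims(SAMPLE_TOKEN)
    print("claims present:", sorted(claims))
    print("claims missing:", missing_claims(claims, ("upn", "groups", "email")))
```

To use it against a live provider, replace `SAMPLE_DISCOVERY` with the JSON fetched from the provider's /.well-known/openid-configuration and `SAMPLE_TOKEN` with an ID token captured from a test login; the `expected_issuer` argument should be the issuer the relying party was configured with, since an issuer mismatch is a common reason a relying party rejects an otherwise valid response.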