Symptoms
In a load-balanced SSL termination/offloading configuration, Workspace One smart card authentication fails with the following error in the connector log:
"Error Incorrect Issuer in SAML AuthnRequest or Access Denied" in the connector log
Cause
When SSL is terminated for port 443 at the load balancer, you must additionally configure SSL passthrough on the load balancer for the port defined on the Passthrough Certificate tab (default 7443). Certificate (smart card) authentication requires the TLS session, including the client certificate exchange, to terminate on the Workspace One appliance rather than on the load balancer.
Resolution
To resolve the error and enable sign-in using ONLY the Smart Card (certificate) authentication method, follow this procedure:
1. In Workspace One Appliance Settings, go to Manage Configuration > Install SSL Certificates > Passthrough Certificate tab. Upload the load balancer root certificate, intermediate certificates and private key, and set the port (default 7443).
2. In the Workspace One Identity & Access Management tab, go to Setup > Connectors > Identity Provider. In the IdP Hostname text box, change the value from hostname to hostname:port (default 7443), where hostname is the load balancer.
3. Configure SSL passthrough on the load balancer for the port (default 7443) defined on the Install SSL Certificate > Passthrough Certificate tab in the VMware Identity Manager console.
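The KB does not name a load balancer, so the following is an added example (not VMware's or the KB's own configuration) using HAProxy to show the two listeners side by side: port 443 terminated at the load balancer, port 7443 passed through as raw TCP so the appliance performs the TLS handshake and the smart card client-certificate exchange. The hostnames, file paths, health-check path and the CA file used to verify the appliances are assumptions to replace with your own values.

```haproxy
# Added example, not part of the KB. Assumed names: VIP lb.example.com,
# appliances node1/node2.example.com, LB cert+key in /etc/haproxy/lb.pem,
# appliance CA chain in /etc/haproxy/ws1-ca.pem.

global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Port 443: SSL termination/offloading at the load balancer.
frontend ws1_https
    bind *:443 ssl crt /etc/haproxy/lb.pem
    mode http
    option forwardfor
    default_backend ws1_nodes_443

backend ws1_nodes_443
    mode http
    balance roundrobin
    # Health-check path is an assumption; use the one your appliance version documents.
    option httpchk GET /SAAS/API/1.0/REST/system/health
    # Re-encrypt to the appliances and verify their certificate against a known CA.
    server node1 node1.example.com:443 ssl verify required ca-file /etc/haproxy/ws1-ca.pem check
    server node2 node2.example.com:443 ssl verify required ca-file /etc/haproxy/ws1-ca.pem check

# Port 7443: SSL passthrough. No "ssl" keyword on the bind line and TCP mode, so the
# load balancer never terminates TLS here; the appliance presents the LB certificate
# uploaded on the Passthrough Certificate tab and requests the smart card certificate.
frontend ws1_certauth
    bind *:7443
    mode tcp
    default_backend ws1_nodes_7443

backend ws1_nodes_7443
    mode tcp
    # Source-IP persistence keeps the TLS session and the cert-auth flow on one node.
    balance source
    server node1 node1.example.com:7443 check
    server node2 node2.example.com:7443 check
```

If the 7443 frontend accidentally carries `ssl crt ...` or `mode http`, the load balancer terminates TLS itself, the client certificate never reaches the appliance, and the "Incorrect Issuer in SAML AuthnRequest or Access Denied" error above reappears.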
Notes:
If BOTH Password and Smart Card Authentication are required, then external connectors will be needed.
- Built-in connectors are configured only with Password; external connectors are configured with Cert Auth.
- A new WorkspaceIdP for Cert Auth must be created manually, with its IdP Hostname set to LB_of_Ext_Connector:7443.
- There will be two WorkspaceIdPs for the same directory:
  - Password, with IdP Hostname set to the FQDN (using port 443)
  - The newly created CertAuth WorkspaceIdP, with IdP Hostname set to LB_of_Ext_Connector:7443
If load balancing vRealize Automation, validate the trust between vRealize Automation and Workspace One:
# vracli vidm
If this does not return the FQDN of the LB_VIP, update it with:
# vracli vidm set {hostname} {admin} {user}
Related Information
Installing a Passthrough Certificate: https://docs.vmware.com/en/VMware-Workspace-ONE-Access/19.03/idm-administrator/GUID-18E05711-37EC-4061-93C4-93D87570C8F3.html?hWord=N4IghgNiBcIA5gM6IC4AsBOB7ArgczQAIBjAUwxQEsAzS4sFUkAXyA
Configuring Certificate Authentication for a DMZ Deployment Scenario: https://docs.vmware.com/en/VMware-Workspace-ONE-Access/3.3/com.vmware.vidm-dmz-deployment/GUID-29B1B3D9-9929-44CC-8A0B-020A183DACAB.html