This topic explains how to resolve common errors that can arise when you configure a single sign-on partnership between two Single Sign‑On for VMware Tanzu Application Service service plans, one acting as an Identity Provider (IDP) and one acting as a Relying Party (RP).

No link for OIDC, or the Service Provider Login page is blank

Symptom

The service provider login screen looks as follows:

A blank service provider login screen

Cause

  • The discovery URL is incorrect or unavailable. No link appears on the login page.
  • This error can occur if you do not enable Skip SSL Connection and the IDP service plan is on an instance that uses a self-signed certificate.

Authorization Request Error

Symptom

You see an error similar to the following screenshot:

The error message page reads, No client with requested id: ec2f8...
Authorization Request Error. There was an error. The request for authorization was invalid.

Cause

You might have configured your OAuth client ID incorrectly.

401 Unauthorized

Symptom

You see an error similar to the following screenshot:

The error message page reads, There was an error when authenticating against
the external identity provider: 401 Unauthorized.

Cause

You may have configured your OAuth client secret incorrectly.

405 Method Not Allowed

Symptom

You see an error similar to the following screenshot:

The error message page reads, HTTP Status 405 ? Method Not Allowed.
Type: Status Report. Message: Request method 'POST' not supported.
Description: The method received in the request line is known by the origin server
but not supported by the target resource.

Cause

  • You may have omitted the openid scope in the IDP configuration on the RP service plan.
  • You may be requesting the wrong scopes or scopes that are not supported by the other Single Sign‑On plan. Confirm that you are only requesting openid scopes.

Cannot determine username with given credentials

Symptom

You see an error similar to the following screenshot:

The error message page reads, There was an error when authenticating against
the external identity provider: Cannot determine username from credentials supplied.

Cause

The username you used might not have a value mapped to it. In the IDP attributes, map the “username” attribute to “username.”

Invalid redirect

Symptom

You see an error similar to the following screenshot:

The error message page reads, Invalid redirect https://sp.login.uaa-acceptance.cf-app.com/login/...
did not match one of the registered values.
Authorization Request Error. There was an error. The request for authorization was invalid.

Cause

You may have configured the authorized redirect URI incorrectly. Confirm that your callback URL is entered correctly as an authorized redirect URI for the client configurations on the IDP service plan.

check-circle-line exclamation-circle-line close-line
Scroll to top icon