The following list provides a starting point for troubleshooting problems with the enterprise federation setup in the Cloud Services Console.

For additional pointers, search this documentation center and the VMware Knowledge Base system.
Problem Description
Log in validation failure with Error (4xx). Review the federation setup configuration for the following:
  • Check if the identity provider is set correctly in the Service Provider configuration. Make sure that the Name Identifier is sent correctly in the SAML response.
    Note: To verify the information in the SAML response, you can use a SAML-tracer browser extension. First, look at the SAML request to see which attributes are requested, for example, the NameID format. Next, look at the SAML response and search for the NameID format there. The two must match.
  • Check if the Name ID Format and Authentication Methods are set correctly in the identity provider configuration of the Configure Identity Provider step.
  • Check if the value for User Identification Preference is set correctly in the Configure Identity Provider step. The User Identification Preference setting is what you enter in the Cloud Services Console login page and can be one of the following: user@domain, Email, or UPN.
  • Check if the user who initiated the Validate Login flow is synchronized in the Sync groups and users step.
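
The NameID comparison described in the note above can also be scripted against the decoded XML that SAML-tracer displays. This is an added example, not part of the original documentation or of any VMware tooling; the function names and the REQUEST and RESPONSE sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SAML 2.0 core: an omitted Format attribute is treated as "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def requested_format(authn_request_xml):
    """Return the NameIDPolicy Format from an AuthnRequest, or None if no policy is sent."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format", UNSPECIFIED)

def returned_name_id(response_xml):
    """Return (Format, value) of the subject NameID in a SAML Response."""
    name_id = ET.fromstring(response_xml).find(
        "saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:  # failed Status or encrypted assertion
        return None, None
    return name_id.get("Format", UNSPECIFIED), (name_id.text or "").strip()

def check_name_id(authn_request_xml, response_xml):
    """Diagnostic only: compares NameID formats, does not validate signatures."""
    wanted = requested_format(authn_request_xml)
    got, value = returned_name_id(response_xml)
    if got is None:
        return "FAIL: no plaintext NameID in the response"
    if wanted in (None, UNSPECIFIED):
        return f"OK: no specific format requested, response sent {got}"
    if wanted != got:
        return f"FAIL: requested {wanted}, response sent {got}"
    if not value:
        return "FAIL: NameID format matches but the value is empty"
    return f"OK: {got} ({value})"

# Constructed sample messages (not captured from a real tenant).
REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" Version="2.0">
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>"""
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3</saml:NameID>
  </saml:Subject></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_name_id(REQUEST, RESPONSE))
```

With the constructed messages, the check reports a mismatch because the request asks for emailAddress and the response carries a persistent identifier.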
User Auth Service and Directory Sync Service not running after successful installation of the Workspace ONE Access Windows connector. Check the Workspace ONE Access tenant configuration:
  • Ensure you can ping the Workspace ONE Access tenant from the Windows machine or virtual machine where you installed the Workspace ONE Access connector. You can get the Workspace ONE Access tenant URL from the description of the Management Organization for your enterprise.
  • Ensure that access to the Workspace ONE Access tenant is not blocked and that *.workspaceoneaccess.com is added to your enterprise firewall allowed list.
  • Check if you are using a proxy. If so, you must rerun the installer, select the Custom installation option, and provide the proxy details during the installation.
  • Check the Workspace ONE Access connector logs for errors.

    To view the User Auth service log, open INSTALL_DIR\Workspace ONE Access\User Auth Service\logs\eas-service.log

    To view the Directory Sync service log, open INSTALL_DIR\Workspace ONE Access\Directory Sync Service\logs\eds-service.log

Opening Step 2/Step 3/Step 4 of the self-service federation workflow takes too long and eventually results in Error 500.

If you are using a browser in incognito mode, you can either check your browser's settings and ensure that "Block third-party cookies" is not selected, or switch to non-incognito browser mode.

It takes too long to perform an operation in the Enterprise Federation dashboard and the result is Error 500. Same as above.
Workspace ONE Access connector sync fails. Group and user sync can fail if:
  • There is a network issue that interrupts the connection between the connector and the Active Directory.
  • Bind User credentials (Bind DN/passwords) have changed.
  • Bind User password has expired.
User login redirects to My VMware instead of your corporate identity provider. If users are logging in from corporate domains or subdomains that are not registered for federation with VMware Cloud services, they are redirected to My VMware. Login with your corporate identity provider is possible only for the domains that have been registered for federation.
Domain verification fails. Domain verification may fail if the domain is a private domain and not a corporate domain. If you want to federate a private domain, you must file a support ticket.
Post federation, users cannot see the services in their Organization. Existing users with federated domains used to access the services in their Organizations by logging in with their My VMware account. After federation is activated, synced users must link their corporate account to their VMware ID. Services become visible and accessible to the existing users only after the two accounts are linked, based on the Organization and service role access they have in the Organization.