This blog is available in PDF format too. Download the PDF attached below to consume it.
Pre-Requisites
vIDM LB url ( if clustered ) or vIDM FQDN ( single )
vIDM local Account
vIDM local Account Password
AD User Name
AD Password
Domain
Procedure
Phase-1
As a first step, fetch a session token by calling the API below with the vIDM local account:
Method | POST |
URL | {{idmurl}}/SAAS/API/1.0/REST/auth/system/login |
Payload |
{ "username": "{{idmlocalusername}}", "password": "{{idmlocalpassword}}", "issueToken": "true" } |
Response |
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <userSession> <admin>false</admin> <sessionToken>eyJ0eXAiOiJKV1Q****9XsskFqilcg</sessionToken> </userSession> |
Note: the sessionToken in the response above has been trimmed.
Copy this session token into a Postman variable called vIDMSessionToken; the next phase needs it.
Phase-2
Next, create an OAuth2 client by calling the API below. This client definition lets a service, or its users, authenticate to VMware Identity Manager with the OAuth2 protocol. In short: an administrator creates the client, which establishes the trust, and callers then present clientId:secret to obtain a token with which authentication happens.
Method | POST |
URL | {{idmurl}}/SAAS/jersey/manager/api/oauth2clients | {{idmurl}} is a variable for the vIDM FQDN (or the load balancer URL when clustered)
Payload | { "clientId":"admintesttwo", "secret":"Vk13YXJlMTIzIQ==", "scope":"user admin", "authGrantTypes":"password", "tokenType":"Bearer", "tokenLength":23, "accessTokenTTL":36000, "refreshTokenTTL":432000 } | clientId is the name given to the client that will be created; it can be any name. The secret is the base64-encoded password you want to assign to this client. Base64 is encoding, not encryption: the sample value Vk13YXJlMTIzIQ== is simply VMware123!, so treat the secret as a plaintext credential and do not reuse the sample. |
Response | { "clientId": "admintesttwo", "secret": "Vk13YXJlMTIzIQ==", "scope": "user admin", "authGrantTypes": "password", "redirectUri": null, "tokenType": "Bearer", "tokenLength": 32, "accessTokenTTL": 36000, "refreshTokenTTL": 432000, "refreshTokenIdleTTL": null, "rememberAs": null, "resourceUuid": null, "displayUserGrant": true, "internalSystemClient": false, "activationToken": null, "strData": null, "inheritanceAllowed": false, "returnFailureResponse": false, "_links": { "self": { "href": "/SAAS/jersey/manager/api/oauth2clients/admintesttwo" } } } | If the call succeeds, vIDM returns 201 Created. Note that the response echoes the secret back, and that it shows tokenLength 32 although the request asked for 23. |
To verify in the vIDM Administration Console, click Catalog, select Settings and browse to Remote App Access: the client ID is listed there.
Clicking it shows more details about the OAuth2 client that was created.
Phase-3
Once the client is created, fetch a token for the AD user with a password grant:
Method | POST |
URL | {{idmurl}}/SAAS/auth/oauthtoken?grant_type=password |
Body (form data) | username={{username}} password={{password}} domain={{domain}} | {{username}} is the AD user name, {{password}} is that user's password, {{domain}} is the domain the user belongs to |
Authorization | Basic {{clientid}}:{{secret}} | HTTP Basic authentication, with the clientId created in the previous step as the user name and its (base64-encoded) secret as the password |
Content-Type | multipart/form-data | Use it to fetch the t
Copy the access_token value from the response into another Postman variable and call it adusertoken.
Now execute a Get Environment call to fetch environment details. This is a vRSLCM API, not a vIDM one:
Method | GET |
URL | {{lcmurl}}/lcm/lcops/api/v2/environments/{{geenvid}} | {{lcmurl}} is the vRSLCM URL and {{geenvid}} is the ID of the environment to fetch |
Authorization | Bearer {{adusertoken}} | {{adusertoken}} is the token captured above |
Response | { "vmid": "90b3269b-9338-4cab-9b3c-f744a2a1e13b", "transactionId": null, "tenant": "default", "environmentName": "globalenvironment", "environmentDescription": "", "environmentId": "globalenvironment", "state": null, "status": "COMPLETED", "environmentData": * * * "{\"environmentId\":\"globalenvironment\",\"environmentName\":\"globalenvironment\",\"environmentDescription\":null,\"environmentHealth\":null,\"logHistory\":\"[ {\\n \\\"logGeneratedTime\\\" : 1657682435109,\\n \ "dataCenterName": null } | Truncated version of the response |
This is how one can generate an access token for an AD user account through vIDM and then use it against the vRSLCM APIs.
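The same three phases, followed by the vRSLCM call, as an added example written for this post rather than code from the post or from VMware. It uses only the Python standard library and builds each request exactly as the tables above describe. Assumptions not on the page: the phase-1 session token is sent to the oauth2clients endpoint as `Authorization: HZN <token>`, configuration comes from environment variables named IDM_URL, LCM_URL, IDM_USER, IDM_PASSWORD, AD_USER, AD_PASSWORD and DOMAIN, and the hostnames and sample responses used to exercise the parsers are constructed.

```python
"""Added example (not from the post): the vIDM -> vRSLCM token flow above,
standard library only. HZN header scheme, env-var names and sample
responses are assumptions/constructed, not taken from the page."""
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET


def login_request(idm_url, local_user, local_password):
    """Phase 1: POST the local-account credentials; vIDM answers with XML."""
    body = json.dumps({"username": local_user, "password": local_password,
                       "issueToken": "true"}).encode()
    return urllib.request.Request(
        f"{idm_url}/SAAS/API/1.0/REST/auth/system/login", data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/xml"})


def parse_session_token(xml_text):
    """Pull <sessionToken> out of the <userSession> document returned by phase 1."""
    token = ET.fromstring(xml_text).findtext("sessionToken")
    if not token:
        raise ValueError("login response carries no sessionToken")
    return token


def client_request(idm_url, session_token, client_id, secret_b64):
    """Phase 2: register an OAuth2 client. The session token authorises the call;
    carrying it as 'Authorization: HZN <token>' is an assumption of this example."""
    body = json.dumps({"clientId": client_id, "secret": secret_b64, "scope": "user admin",
                       "authGrantTypes": "password", "tokenType": "Bearer",
                       "accessTokenTTL": 36000, "refreshTokenTTL": 432000}).encode()
    return urllib.request.Request(
        f"{idm_url}/SAAS/jersey/manager/api/oauth2clients", data=body, method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"HZN {session_token}"})


def basic_auth_header(client_id, secret_b64):
    """HTTP Basic is base64("user:password"); the secret goes in as stored, i.e. already
    base64, which is what Postman sends when clientId/secret fill its Basic Auth fields."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret_b64}".encode()).decode()


def encode_multipart(fields, boundary="vidmExampleBoundary"):
    """Minimal multipart/form-data body, matching Postman's form-data tab."""
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", value]
    lines += [f"--{boundary}--", ""]
    return "\r\n".join(lines).encode(), f"multipart/form-data; boundary={boundary}"


def token_request(idm_url, client_id, secret_b64, ad_user, ad_password, domain):
    """Phase 3: resource-owner password grant for the AD user."""
    body, content_type = encode_multipart(
        {"username": ad_user, "password": ad_password, "domain": domain})
    return urllib.request.Request(
        f"{idm_url}/SAAS/auth/oauthtoken?grant_type=password", data=body, method="POST",
        headers={"Content-Type": content_type,
                 "Authorization": basic_auth_header(client_id, secret_b64)})


def parse_access_token(json_text):
    """The token endpoint answers with JSON; access_token is the field we keep."""
    doc = json.loads(json_text)
    if "access_token" not in doc:
        raise ValueError(f"token endpoint returned no access_token: {doc}")
    return doc["access_token"]


def environment_request(lcm_url, access_token, env_id):
    """vRSLCM Get Environment call, authorised with the AD user's Bearer token."""
    return urllib.request.Request(
        f"{lcm_url}/lcm/lcops/api/v2/environments/{env_id}",
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"})


def decode_client_secret(secret_b64):
    """base64 is encoding, not encryption: whoever reads the response has the secret."""
    return base64.b64decode(secret_b64).decode()


def send(req):
    """Run one request; urlopen raises HTTPError for 4xx/5xx, so only successes return."""
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    import os  # configuration via env vars is an assumption of this example
    idm, lcm = os.environ["IDM_URL"], os.environ["LCM_URL"]
    _, xml_doc = send(login_request(idm, os.environ["IDM_USER"], os.environ["IDM_PASSWORD"]))
    session = parse_session_token(xml_doc)
    status, _ = send(client_request(idm, session, "admintesttwo", "Vk13YXJlMTIzIQ=="))
    assert status == 201, f"expected 201 Created, got {status}"
    _, tok_doc = send(token_request(idm, "admintesttwo", "Vk13YXJlMTIzIQ==",
                                    os.environ["AD_USER"], os.environ["AD_PASSWORD"],
                                    os.environ["DOMAIN"]))
    env = send(environment_request(lcm, parse_access_token(tok_doc), "globalenvironment"))[1]
    print(env[:200])
```

Two practitioner notes on this flow: decode_client_secret shows that the "secret" in the oauth2clients payload and response is only base64, so the client secret is effectively sent and stored in the clear from the caller's point of view, and the password grant sends the AD user's password itself to the token endpoint, so both calls belong over TLS only. The 201 check in the main block is the same success signal the Phase-2 table describes.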
Is there a logout to revoke the token you got with "{{idmurl}}/SAAS/API/1.0/REST/auth/system/login"?
I get 405 Not Allowed in Phase-1.
username: admin@local
and tried with admin
but no luck...