
ARUN NUKULA


Authenticating via AD users and executing vRSLCM APIs -- Detailed Procedure

Updated: Oct 15, 2024


This blog is also available in PDF format. Download the PDF attached below to read it offline.













Pre-Requisites


vIDM load balancer URL (if clustered) or vIDM FQDN (single node)
vIDM local account
vIDM local account password
AD user name
AD password
Domain


Procedure


Phase-1

As a first step, fetch a session token. This is done with the API below.


Method

POST

URL


{{idmurl}}/SAAS/API/1.0/REST/auth/system/login

Payload




{
    "username": "{{idmlocalusername}}",
    "password": "{{idmlocalpassword}}",
    "issueToken": "true"
}

Response




<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<userSession>
    <admin>false</admin>
    <sessionToken>eyJ0eXAiOiJKV1Q****9XsskFqilcg</sessionToken>
</userSession>


Note: the sessionToken in the above response has been trimmed.





Copy this session token into a Postman variable called vIDMSessionToken.





Phase-2


As the next step, we create an OAuth2 client by calling an API. This client definition lets a service or its users authenticate to VMware Identity Manager using the OAuth2 protocol. In short, an admin creates a trusted client, and API callers can then present the client ID and secret to obtain a token, which is what authenticates them.



Method

POST

URL


{{idmurl}}/SAAS/jersey/manager/api/oauth2clients

{{idmurl}} is a variable holding the vIDM FQDN.

Payload


{
    "clientId": "admintesttwo",
    "secret": "Vk13YXJlMTIzIQ==",
    "scope": "user admin",
    "authGrantTypes": "password",
    "tokenType": "Bearer",
    "tokenLength": 23,
    "accessTokenTTL": 36000,
    "refreshTokenTTL": 432000
}

clientId is the name given to the client that will be created; it can be any name you choose. The secret is the base64-encoded password you want to assign to this client.

Response


{
    "clientId": "admintesttwo",
    "secret": "Vk13YXJlMTIzIQ==",
    "scope": "user admin",
    "authGrantTypes": "password",
    "redirectUri": null,
    "tokenType": "Bearer",
    "tokenLength": 32,
    "accessTokenTTL": 36000,
    "refreshTokenTTL": 432000,
    "refreshTokenIdleTTL": null,
    "rememberAs": null,
    "resourceUuid": null,
    "displayUserGrant": true,
    "internalSystemClient": false,
    "activationToken": null,
    "strData": null,
    "inheritanceAllowed": false,
    "returnFailureResponse": false,
    "_links": {
        "self": {
            "href": "/SAAS/jersey/manager/api/oauth2clients/admintesttwo"
        }
    }
}

If this API call succeeds, a 201 Created response is returned.

Headers

Content-Type: application/vnd.vmware.horizon.manager.oauth2client+json

Accept: application/vnd.vmware.horizon.manager.oauth2client+json




If we log in to vIDM and, in the Administration Console, click Catalog and then Settings, we can browse to Remote App Access. The client ID created above is listed there.




Clicking on it shows more details about the OAuth2 client that was created.




Phase-3

Once the client ID has been created, we fetch a token for the AD user by authenticating against that client.



Method

POST

URL


{{idmurl}}/SAAS/auth/oauthtoken?grant_type=password

Body (form data)




Form fields: {{username}}, {{password}}, {{domain}}

{{username}} refers to the AD username
{{password}} refers to that AD user's password
{{domain}} refers to the domain the user belongs to

Authorization

Basic {{clientid}}:{{secret}}

In the previous step we created the clientid and its secret (the base64-encoded password).

Content-Type

multipart/form-data



I'd copy this access token into a variable again and call it adusertoken.




Now, let's execute a Get Environment API call to fetch details. This is a vRSLCM API.


Method

GET

URL


{{lcmurl}}/lcm/lcops/api/v2/environments/{{geenvid}}

Authorization

Bearer Token {{adusertoken}}

{{adusertoken}} is the token captured in Phase-3.

Response


{
    "vmid": "90b3269b-9338-4cab-9b3c-f744a2a1e13b",
    "transactionId": null,
    "tenant": "default",
    "environmentName": "globalenvironment",
    "environmentDescription": "",
    "environmentId": "globalenvironment",
    "state": null,
    "status": "COMPLETED",
    "environmentData": "{\"environmentId\":\"globalenvironment\",\"environmentName\":\"globalenvironment\",\"environmentDescription\":null,\"environmentHealth\":null,\"logHistory\":\"[ {\\n  \\\"logGeneratedTime\\\" : 1657682435109,\\n  \ ...
    "dataCenterName": null
}

Truncated version of the response.


This is how one can generate an access token using an AD user account and then use it against the vRSLCM APIs.
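The same three phases and the final vRSLCM call, as an added example written here rather than taken from the author's Postman collection: a dependency-free Python module whose HTTP transport is a plain callable, so the flow can be dry-run offline against a fake server. Assumptions not shown on the page: the Phase-1 session token is sent as an `HZN` Authorization header, the Phase-3 token response is standard OAuth2 JSON with an `access_token` field, and the hostnames are placeholders.

```python
import base64
import json
import uuid
import xml.etree.ElementTree as ET
from urllib.request import Request, urlopen
OAUTH2CLIENT_MEDIA = "application/vnd.vmware.horizon.manager.oauth2client+json"

def urllib_transport(method, url, headers, body):
    # Real HTTP transport; any callable with this signature can replace it for an offline dry run.
    with urlopen(Request(url, data=body, headers=headers, method=method)) as resp:
        return resp.status, resp.read()

def expect(status, raw, wanted, step):
    # Surface the server's error body instead of a bare status (e.g. an UNSUPPORTED_MEDIA_TYPE JSON).
    if status != wanted:
        raise RuntimeError(f"{step}: expected HTTP {wanted}, got {status}: {raw[:200]!r}")
    return raw

def login_session_token(idmurl, local_user, local_password, http=urllib_transport):
    # Phase-1: local-account login; the sessionToken comes back inside an XML <userSession>.
    body = json.dumps({"username": local_user, "password": local_password, "issueToken": "true"}).encode()
    status, raw = http("POST", f"{idmurl}/SAAS/API/1.0/REST/auth/system/login",
                       {"Content-Type": "application/json"}, body)
    return ET.fromstring(expect(status, raw, 200, "login")).findtext("sessionToken")

def create_oauth2_client(idmurl, session_token, client_id, secret, http=urllib_transport):
    # Phase-2: register a password-grant client. Both vendor media types are required; "HZN" is an assumption.
    payload = {"clientId": client_id, "secret": secret, "scope": "user admin", "authGrantTypes": "password",
               "tokenType": "Bearer", "tokenLength": 23, "accessTokenTTL": 36000, "refreshTokenTTL": 432000}
    headers = {"Authorization": f"HZN {session_token}", "Content-Type": OAUTH2CLIENT_MEDIA, "Accept": OAUTH2CLIENT_MEDIA}
    status, raw = http("POST", f"{idmurl}/SAAS/jersey/manager/api/oauth2clients", headers, json.dumps(payload).encode())
    return json.loads(expect(status, raw, 201, "create client"))

def ad_user_access_token(idmurl, client_id, secret, username, password, domain, http=urllib_transport):
    # Phase-3: password grant. Basic auth is base64("clientId:secret"); the AD credentials travel in a
    # multipart/form-data body that is built by hand so no third-party HTTP library is needed.
    boundary = uuid.uuid4().hex
    body = "".join(f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
                   for k, v in (("username", username), ("password", password), ("domain", domain)))
    basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}", "Content-Type": f"multipart/form-data; boundary={boundary}"}
    status, raw = http("POST", f"{idmurl}/SAAS/auth/oauthtoken?grant_type=password", headers,
                       (body + f"--{boundary}--\r\n").encode())
    return json.loads(expect(status, raw, 200, "token"))["access_token"]

def get_environment(lcmurl, env_id, ad_user_token, http=urllib_transport):
    # vRSLCM call authenticated with the AD user's bearer token obtained in Phase-3.
    status, raw = http("GET", f"{lcmurl}/lcm/lcops/api/v2/environments/{env_id}",
                       {"Authorization": f"Bearer {ad_user_token}"}, None)
    return json.loads(expect(status, raw, 200, "environment"))
```

Because `expect` raises with the response body, a wrong Content-Type on the Phase-2 call fails with the server's UNSUPPORTED_MEDIA_TYPE JSON rather than a bare 415.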


9 Comments

Guest
Oct 15, 2024

Hi Arun,


Thanks for sharing. I am getting the following error for Phase-2.


I am on Version : 8.18.0.0

Build : 24029603


{
    "errors": [
        {
            "code": "UNSUPPORTED_MEDIA_TYPE",
            "message": "???UNSUPPORTED_MEDIA_TYPE???",
            "parameters": null
        }
    ]
}


Guest
Oct 16, 2024

Sorry to chase, any luck with the new version?


Guest
May 06, 2024

Is there a logout to revoke the token you got with "{{idmurl}}/SAAS/API/1.0/REST/auth/system/login"?


xian
May 25, 2023

I get 405 Not Allowed in Phase I

username: admin@local

and tried with admin

but no luck...
