top of page
White Structure

Experienced Technology Product Manager adept at steering success throughout the entire product lifecycle, from conceptualization to market delivery. Proficient in market analysis, strategic planning, and effective team leadership, utilizing data-driven approaches for ongoing enhancements.

  • Twitter
  • LinkedIn
White Structure

Authenticating via AD users and executing vRSLCM API's -- Detailed Procedure

Updated: Oct 15, 2024


This blog is available in PDF format too. Download the PDF attached below to consume it.






Demo







Pre-Requisites


vIDM LB url ( if clustered ) or vIDM FQDN ( single )
vIDM local Account
vIDM local Account Password
AD User Name
AD Password
Domain


Procedure


Phase-1

As a first step, fetch the session token. This can be done by using below API


Method

POST

URL


{{idmurl}}/SAAS/API/1.0/REST/auth/system/login

Payload




{ "username": "{{idmlocalusername}}", "password": "{{idmlocalpassword}}", "issueToken": "true" }

Response




<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <userSession>     <admin>false</admin>     <sessionToken>eyJ0eXAiOiJKV1Q****9XsskFqilcg</sessionToken> </userSession>


Note: sessionToken on the above response has been trimmed




Copy this session into a variable called vIDMSessionToken in Postman




Phase-2


As next step , we will create oauth2clients by running an API. This definition will enable a service or its users to authenticate to VMware Identity Manager using the OAuth2 protocol. In short client is created by admin with trust and APIs can use client:secret to get token and auth happens



Method

POST

URL


{{idmurl}}/SAAS/jersey/manager/api/oauth2clients

{{idmurl}} is a variable for vIDM FQDN

Payload


{  "clientId":"admintesttwo",  "secret":"Vk13YXJlMTIzIQ==",  "scope":"user admin",  "authGrantTypes":"password",  "tokenType":"Bearer",  "tokenLength":23,  "accessTokenTTL":36000,  "refreshTokenTTL":432000 }

​clientId is a name given to the client which would be created. This can be any given name. The secret is the base64 encoded password you would like to assign to this client

Response 


{     "clientId": "admintesttwo",     "secret": "Vk13YXJlMTIzIQ==",     "scope": "user admin",     "authGrantTypes": "password",     "redirectUri": null,     "tokenType": "Bearer",     "tokenLength": 32,     "accessTokenTTL": 36000,     "refreshTokenTTL": 432000,     "refreshTokenIdleTTL": null,     "rememberAs": null,     "resourceUuid": null,     "displayUserGrant": true,     "internalSystemClient": false,     "activationToken": null,     "strData": null,     "inheritanceAllowed": false,     "returnFailureResponse": false,     "_links": {         "self": {             "href": "/SAAS/jersey/manager/api/oauth2clients/admintesttwo"         }     } }

If this API is successful, then there is a 201 Created response is triggered

Headers

Key 


Content-Type

Value 


application/vnd.vmware.horizon.manager.oauth2client+json



Key 


Accept

Value


application/vnd.vmware.horizon.manager.oauth2client+json




If we login into vIDM , Under Administration Console click on Catalog and then select Settings. Once we browse to Remote App Access. You would be able to see the client id



Clicking on it will provide more details about the OAuth2Client created



Phase-3

Once the client id is created , we now need to go ahead and fetch the token for AD authentication



Method

POST

URL


{{idmurl}}/SAAS/auth/oauthtoken?grant_type=password

Body ( form data )




{{username}} {{password}} {{domain}}

{{username}} refers to the AD username {{password}} refers to AD username's password {{domain}} refers to the domain where the user belongs to

Authorization

Basic {{clientid}}:{{secret}}

In the previous step we did create the clientid and then secret ( base64 encoded ) password

Content-Type

Use it to fetch the t Content-Type multipart/form-data





I'd copy this access token into a variable again and call it as a adusertoken



  • Now , let's execute a Get Environment API call to fetch details . These are vRSLCM's APIs.


Method

Get

URL


{{lcmurl}}/lcm/lcops/api/v2/environments/{{geenvid}}

Authorization

Bearer Token {{adusertoken}}

{{adusertoken}} is the token captured above

Response


{     "vmid": "90b3269b-9338-4cab-9b3c-f744a2a1e13b",     "transactionId": null,     "tenant": "default",     "environmentName": "globalenvironment",     "environmentDescription": "",     "environmentId": "globalenvironment",     "state": null,     "status": "COMPLETED",     "environmentData":  * * * "{\"environmentId\":\"globalenvironment\",\"environmentName\":\"globalenvironment\",\"environmentDescription\":null,\"environmentHealth\":null,\"logHistory\":\"[ {\\n  \\\"logGeneratedTime\\\" : 1657682435109,\\n  \     "dataCenterName": null }

Truncated version of the response


This is how one may generate access token using a AD user account and then use it










 
 
 

Recent Posts

See All

9 Comments

Rated 0 out of 5 stars.
No ratings yet
Add a rating
Guest
Oct 15, 2024

Hi Arun,


thanks for sharing and I am getting the following error for the Phase-2.


I am on Version : 8.18.0.0

Build : 24029603


{

    "errors": [

        {

            "code""UNSUPPORTED_MEDIA_TYPE",

            "message""???UNSUPPORTED_MEDIA_TYPE???",

            "parameters"null

        }

    ]

}


Like
Guest
Oct 16, 2024
Replying to

Sorry to chase, any luck with new version ?

Like
Guest
May 06, 2024

is there a logout to revoke the token you got with "{{idmurl}}/SAAS/API/1.0/REST/auth/system/login" ?

Like
xian
May 25, 2023

I get 405 Not Allowed in Phase I

username: admin@local

and tried with admin

but no luck...

Like
bottom of page