
Authenticating via AD users and executing vRSLCM APIs -- Detailed Procedure


 

This blog is available in PDF format too. Download the PDF attached below to consume it.




 


Pre-Requisites


vIDM load balancer URL (if clustered) or vIDM FQDN (single node)
vIDM local account
vIDM local account password
AD user name
AD password
AD domain the user belongs to


 

Procedure


Phase-1

As a first step, fetch the session token. This is done with the API below.


Method

POST

URL


{{idmurl}}/SAAS/API/1.0/REST/auth/system/login

Payload




{
    "username": "{{idmlocalusername}}",
    "password": "{{idmlocalpassword}}",
    "issueToken": "true"
}

Response




<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<userSession>
    <admin>false</admin>
    <sessionToken>eyJ0eXAiOiJKV1Q****9XsskFqilcg</sessionToken>
</userSession>


Note: the sessionToken in the above response has been trimmed.



Copy this session token into a Postman variable called vIDMSessionToken.


 

Phase-2


As the next step, we create an OAuth2 client by running an API. This client definition enables a service or its users to authenticate to VMware Identity Manager using the OAuth2 protocol. In short, an admin creates a trusted client, and API callers then present client:secret to obtain a token; that token is what authenticates their calls.


Method

POST

URL


{{idmurl}}/SAAS/jersey/manager/api/oauth2clients

{{idmurl}} is a variable for vIDM FQDN

Payload


{
    "clientId": "admintesttwo",
    "secret": "Vk13YXJlMTIzIQ==",
    "scope": "user admin",
    "authGrantTypes": "password",
    "tokenType": "Bearer",
    "tokenLength": 23,
    "accessTokenTTL": 36000,
    "refreshTokenTTL": 432000
}

clientId is the name given to the client that will be created; it can be any name you choose. The secret is the base64-encoded password you want to assign to this client.

Response


{
    "clientId": "admintesttwo",
    "secret": "Vk13YXJlMTIzIQ==",
    "scope": "user admin",
    "authGrantTypes": "password",
    "redirectUri": null,
    "tokenType": "Bearer",
    "tokenLength": 32,
    "accessTokenTTL": 36000,
    "refreshTokenTTL": 432000,
    "refreshTokenIdleTTL": null,
    "rememberAs": null,
    "resourceUuid": null,
    "displayUserGrant": true,
    "internalSystemClient": false,
    "activationToken": null,
    "strData": null,
    "inheritanceAllowed": false,
    "returnFailureResponse": false,
    "_links": {
        "self": {
            "href": "/SAAS/jersey/manager/api/oauth2clients/admintesttwo"
        }
    }
}


If this API call is successful, a 201 Created response is returned.



If we log in to vIDM and, in the Administration Console, click Catalog and then select Settings, then browse to Remote App Access, the client ID is listed there.



Clicking on it shows more details about the OAuth2 client that was created.


Phase-3

Once the client is created, we need to fetch the token for AD authentication.



Method

POST

URL


{{idmurl}}/SAAS/auth/oauthtoken?grant_type=password

Body ( form data )




username: {{username}}
password: {{password}}
domain: {{domain}}

{{username}} is the AD username, {{password}} is that user's password and {{domain}} is the domain the user belongs to.

Authorization

Basic {{clientid}}:{{secret}}

{{clientid}} and {{secret}} are the clientId and the base64-encoded secret we created in the previous step.

Content-Type

multipart/form-data

Send this request to fetch the access token.





Copy the access token from the response into another Postman variable and call it adusertoken.


Now, let's execute a Get Environment API call to fetch environment details. This is a vRSLCM API.

Method

GET

URL


{{lcmurl}}/lcm/lcops/api/v2/environments/{{geenvid}}

Authorization

Bearer Token {{adusertoken}}

{{adusertoken}} is the token captured above

Response


{
    "vmid": "90b3269b-9338-4cab-9b3c-f744a2a1e13b",
    "transactionId": null,
    "tenant": "default",
    "environmentName": "globalenvironment",
    "environmentDescription": "",
    "environmentId": "globalenvironment",
    "state": null,
    "status": "COMPLETED",
    "environmentData": "{\"environmentId\":\"globalenvironment\",\"environmentName\":\"globalenvironment\",\"environmentDescription\":null,\"environmentHealth\":null,\"logHistory\":\"[ {\\n  \\\"logGeneratedTime\\\" : 1657682435109,\\n  \ ...
    ...
    "dataCenterName": null
}

Truncated version of the response.


This is how one may generate an access token using an AD user account and then use it to call vRSLCM APIs.
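The same four calls chained in one script, as an added example that is not part of the original post and not VMware's code. It uses only the Python standard library, and everything host- or account-specific (the example.invalid hosts, the local account name, the AD user and domain, the environment id) is a placeholder. Three things the post does not show are assumptions here, marked as such in the code: the session token from Phase 1 is sent to the oauth2clients endpoint as an "Authorization: HZN" header with vIDM's oauth2client media type; the token endpoint accepts the urlencoded form body that RFC 6749 specifies in addition to the multipart form Postman sends; and the token response is a standard OAuth2 JSON object with an access_token field. The transport is injectable, so the canned responses at the bottom (constructed, not real server output) let the whole flow run offline.

```python
# Added example, not code from the original post: the four calls of this procedure
# as one standard-library script. Hosts, credentials and ids are placeholders.
import base64
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

def b64(s):
    return base64.b64encode(s.encode()).decode()

def login_request(idmurl, local_user, local_password):
    """Phase 1: local-account login; the response is XML carrying <sessionToken>."""
    body = json.dumps({"username": local_user, "password": local_password, "issueToken": "true"})
    return urllib.request.Request(f"{idmurl}/SAAS/API/1.0/REST/auth/system/login", data=body.encode(),
                                  method="POST", headers={"Content-Type": "application/json"})

def parse_session_token(xml_text):
    token = ET.fromstring(xml_text).findtext("sessionToken")
    if not token:
        raise ValueError("login response carries no sessionToken")
    return token

def create_client_request(idmurl, session_token, client_id, secret_b64):
    """Phase 2: register the OAuth2 client. Assumption (the post shows neither header):
    the session token goes in 'Authorization: HZN <token>' and the body uses vIDM's
    oauth2client media type."""
    payload = {"clientId": client_id, "secret": secret_b64, "scope": "user admin",
               "authGrantTypes": "password", "tokenType": "Bearer", "tokenLength": 32,
               "accessTokenTTL": 36000, "refreshTokenTTL": 432000}
    media = "application/vnd.vmware.horizon.manager.oauth2client+json"
    return urllib.request.Request(f"{idmurl}/SAAS/jersey/manager/api/oauth2clients", method="POST",
                                  data=json.dumps(payload).encode(),
                                  headers={"Authorization": f"HZN {session_token}",
                                           "Content-Type": media, "Accept": media})

def password_grant_request(idmurl, client_id, secret_b64, ad_user, ad_password, domain):
    """Phase 3: password grant. Basic = base64(clientId:secret), which is what Postman builds
    from 'Basic {{clientid}}:{{secret}}'. Assumption: the urlencoded body of RFC 6749 is
    accepted as well as the multipart form the post sends."""
    form = urllib.parse.urlencode({"username": ad_user, "password": ad_password, "domain": domain})
    return urllib.request.Request(f"{idmurl}/SAAS/auth/oauthtoken?grant_type=password",
                                  data=form.encode(), method="POST",
                                  headers={"Authorization": "Basic " + b64(f"{client_id}:{secret_b64}"),
                                           "Content-Type": "application/x-www-form-urlencoded"})

def parse_access_token(json_text):
    """Assumption: a standard OAuth2 token response with an access_token field."""
    return json.loads(json_text)["access_token"]

def environment_request(lcmurl, env_id, access_token):
    """vRSLCM call: GET environment, authorised with the AD user's bearer token."""
    return urllib.request.Request(f"{lcmurl}/lcm/lcops/api/v2/environments/{env_id}",
                                  headers={"Authorization": f"Bearer {access_token}"})

def redact(token):
    """Log tokens the way the post prints them: head and tail only."""
    return token[:12] + "****" + token[-12:] if len(token) > 28 else "****"

def http_send(req):
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()

def run_flow(cfg, send=http_send):
    """Chain the four calls; 'send' is injectable so the flow can be exercised offline."""
    _, body = send(login_request(cfg["idmurl"], cfg["idmlocalusername"], cfg["idmlocalpassword"]))
    session = parse_session_token(body)
    status, _ = send(create_client_request(cfg["idmurl"], session, cfg["clientid"], cfg["secret"]))
    if status != 201:  # the post: success is "201 Created"
        raise RuntimeError(f"oauth2client creation failed: HTTP {status}")
    _, body = send(password_grant_request(cfg["idmurl"], cfg["clientid"], cfg["secret"],
                                          cfg["username"], cfg["password"], cfg["domain"]))
    adusertoken = parse_access_token(body)
    _, body = send(environment_request(cfg["lcmurl"], cfg["geenvid"], adusertoken))
    env = json.loads(body)
    return {"session": redact(session), "adusertoken": redact(adusertoken),
            "environmentName": env["environmentName"], "status": env["status"]}

# Constructed canned responses and placeholder config (not real server output) for offline runs.
LOGIN_XML = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?><userSession><admin>false</admin>'
             '<sessionToken>eyJ0eXAiOiJKV1Q.constructed.9XsskFqilcg</sessionToken></userSession>')
SAMPLE_CFG = {"idmurl": "https://vidm.example.invalid", "lcmurl": "https://lcm.example.invalid",
              "idmlocalusername": "configadmin", "idmlocalpassword": "<local-password>",
              "clientid": "admintesttwo", "secret": "Vk13YXJlMTIzIQ==", "username": "<ad-user>",
              "password": "<ad-password>", "domain": "corp.example.invalid", "geenvid": "globalenvironment"}

def fake_send(req):
    url, auth = req.full_url, req.get_header("Authorization", "")
    if url.endswith("/auth/system/login"):
        return 200, LOGIN_XML
    if url.endswith("/oauth2clients"):
        return (201, "{}") if auth.startswith("HZN ") else (401, "")
    if "/SAAS/auth/oauthtoken" in url:  # checks the Basic credential as the server would
        ok = auth == "Basic " + b64("admintesttwo:Vk13YXJlMTIzIQ==")
        return (200, json.dumps({"access_token": "eyJ.constructed-ad-user-token.signature"})) if ok else (401, "")
    if "/environments/" in url and auth.startswith("Bearer "):
        return 200, json.dumps({"environmentName": "globalenvironment", "status": "COMPLETED"})
    return 404, ""

def demo():
    return run_flow(SAMPLE_CFG, send=fake_send)
```

Running `demo()` exercises the chain against the canned responses; for a real run, call `run_flow(cfg)` with the default transport and a filled-in config. Two points worth keeping in mind when automating this: the Phase 2 secret is only base64-encoded, not hashed, and the client it protects carries "user admin" scope with the password grant, so it has to be stored and rotated like a password (and the local vIDM account in Phase 1 is only needed once, to register the client); and neither the session token nor the AD user token should ever land in logs in full, which is why the script returns them through `redact` rather than raw.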





