top of page

Experienced Technology Product Manager adept at steering success throughout the entire product lifecycle, from conceptualization to market delivery. Proficient in market analysis, strategic planning, and effective team leadership, utilizing data-driven approaches for ongoing enhancements.

  • Twitter
  • LinkedIn
White Background

Authenticating via AD users and executing vRSLCM API's -- Detailed Procedure


 

This blog is available in PDF format too. Download the PDF attached below to consume it.




 


Pre-Requisites


vIDM LB url ( if clustered ) or vIDM FQDN ( single )
vIDM local Account
vIDM local Account Password
AD User Name
AD Password
Domain


 

Procedure


Phase-1

As a first step, fetch the session token. This can be done by using below API


Method

POST

URL


{{idmurl}}/SAAS/API/1.0/REST/auth/system/login

Payload




{ "username": "{{idmlocalusername}}", "password": "{{idmlocalpassword}}", "issueToken": "true" }

Response




<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <userSession>     <admin>false</admin>     <sessionToken>eyJ0eXAiOiJKV1Q****9XsskFqilcg</sessionToken> </userSession>


Note: sessionToken on the above response has been trimmed




Copy this session into a variable called vIDMSessionToken in Postman



 

Phase-2


As next step , we will create oauth2clients by running an API. This definition will enable a service or its users to authenticate to VMware Identity Manager using the OAuth2 protocol. In short client is created by admin with trust and APIs can use client:secret to get token and auth happens



Method

POST

URL


{{idmurl}}/SAAS/jersey/manager/api/oauth2clients

{{idmurl}} is a variable for vIDM FQDN

Payload


{  "clientId":"admintesttwo",  "secret":"Vk13YXJlMTIzIQ==",  "scope":"user admin",  "authGrantTypes":"password",  "tokenType":"Bearer",  "tokenLength":23,  "accessTokenTTL":36000,  "refreshTokenTTL":432000 }

​clientId is a name given to the client which would be created. This can be any given name. The secret is the base64 encoded password you would like to assign to this client

Response 


{     "clientId": "admintesttwo",     "secret": "Vk13YXJlMTIzIQ==",     "scope": "user admin",     "authGrantTypes": "password",     "redirectUri": null,     "tokenType": "Bearer",     "tokenLength": 32,     "accessTokenTTL": 36000,     "refreshTokenTTL": 432000,     "refreshTokenIdleTTL": null,     "rememberAs": null,     "resourceUuid": null,     "displayUserGrant": true,     "internalSystemClient": false,     "activationToken": null,     "strData": null,     "inheritanceAllowed": false,     "returnFailureResponse": false,     "_links": {         "self": {             "href": "/SAAS/jersey/manager/api/oauth2clients/admintesttwo"         }     } }

If this API is successful, then there is a 201 Created response is triggered



If we login into vIDM , Under Administration Console click on Catalog and then select Settings. Once we browse to Remote App Access. You would be able to see the client id



Clicking on it will provide more details about the OAuth2Client created



Phase-3

Once the client id is created , we now need to go ahead and fetch the token for AD authentication



Method

POST

URL


{{idmurl}}/SAAS/auth/oauthtoken?grant_type=password

Body ( form data )




{{username}} {{password}} {{domain}}

{{username}} refers to the AD username {{password}} refers to AD username's password {{domain}} refers to the domain where the user belongs to

Authorization

Basic {{clientid}}:{{secret}}

In the previous step we did create the clientid and then secret ( base64 encoded ) password

Content-Type

Use it to fetch the t Content-Type multipart/form-data





I'd copy this access token into a variable again and call it as a adusertoken



  • Now , let's execute a Get Environment API call to fetch details . These are vRSLCM's APIs.


Method

Get

URL


{{lcmurl}}/lcm/lcops/api/v2/environments/{{geenvid}}

Authorization

Bearer Token {{adusertoken}}

{{adusertoken}} is the token captured above

Response


{     "vmid": "90b3269b-9338-4cab-9b3c-f744a2a1e13b",     "transactionId": null,     "tenant": "default",     "environmentName": "globalenvironment",     "environmentDescription": "",     "environmentId": "globalenvironment",     "state": null,     "status": "COMPLETED",     "environmentData":  * * * "{\"environmentId\":\"globalenvironment\",\"environmentName\":\"globalenvironment\",\"environmentDescription\":null,\"environmentHealth\":null,\"logHistory\":\"[ {\\n  \\\"logGeneratedTime\\\" : 1657682435109,\\n  \     "dataCenterName": null }

Truncated version of the response


This is how one may generate access token using a AD user account and then use it










430 views2 comments

2 comentários

Avaliado com 0 de 5 estrelas.
Ainda sem avaliações
Adicione uma avaliação
Convidado:
06 de mai.

is there a logout to revoke the token you got with "{{idmurl}}/SAAS/API/1.0/REST/auth/system/login" ?

Curtir
xian
25 de mai. de 2023

I get 405 Not Allowed in Phase I

username: admin@local

and tried with admin

but no luck...

Curtir
bottom of page