Exchange JWT Tokens for a SAML Token and Obtain a Session Identifier

You can exchange the JWT tokens that you obtained from the authorization server for a vCenter Server SAML token and create an authenticated session.

  • You must have a valid access token and a valid ID token (both in JWT format) from the authorization server (AD FS or VMware Identity Broker - vCenter Server) for the user or application you want to authenticate.

  1. Send the JWT tokens to vCenter Single Sign-On by using the Token interface of the com.vmware.vcenter.authentication package.
    1. Create an object of type TokenTypes.IssueSpec with the following modifiers.

       Method                  Value
       setSubjectTokenType     urn:ietf:params:oauth:token-type:access_token
       setSubjectToken         <ACCESS_TOKEN>
       setActorTokenType       urn:ietf:params:oauth:token-type:id_token
       setActorToken           <ID_TOKEN>
       setGrantType            urn:ietf:params:oauth:grant-type:token-exchange
       setRequestedTokenType   urn:ietf:params:oauth:token-type:saml2

    2. Call the issue(TokenTypes.IssueSpec) method.
    On success, vCenter Single Sign-On returns a TokenInfo object containing the SAML token.
  2. Prepare the SAML token for the API call.
    Base-64 decode the SAML token, compress it with gzip (as the Bash script on this page does), and then Base-64 encode it again without line wrapping.
  3. To obtain a session identifier, call the session.create() method with the prepared SAML token.
    On success, the vSphere Automation API returns a session identifier.
  4. To authenticate, add the session identifier to your security context instance.
You created an authenticated session and now you can access and use the vSphere Automation services.
Bash Shell
This Bash script illustrates the use case where you get JWT tokens from the authorization server (AD FS or VMware Identity Broker - vCenter Server), exchange them for a vCenter Server SAML token, and obtain an authentication session identifier from the vSphere Automation endpoint.
This script consists of three parts:
  1. Obtain JWT tokens from the authorization server (AD FS or VMware Identity Broker - vCenter Server) by using the OAuth 2.0 Password grant type.
  2. Exchange the JWT tokens for a vCenter Server SAML token.
  3. Use the SAML token to obtain a session identifier for the vSphere Automation API.
#!/bin/bash
: '
Variable definitions:
$vcip = The IP address or FQDN of your vCenter Server.
$ACCESS_TOKEN = The access token in JWT format that you received from the authentication server.
$ID_TOKEN = The ID token in JWT format that you received from the authentication server.
'

if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ] || [ -z "$5" ] || [ -z "$6" ]; then
  echo "Usage: $0 <vc-ip> <pwgrant-userid> <pwgrant-password> <client-id> <client-secret> <token-endpoint>" >&2
  exit 1
fi

vcip="$1"
userid="$2"
password="$3"
clientid="$4"
clientsecret="$5"
tokenendpoint="$6"

# Part 1: OAuth 2.0 Password grant against the authorization server.
# Note: -k disables TLS certificate verification; outside a lab, replace it with --cacert <ca-bundle>.
echo "Obtaining JWT access and ID tokens for user $userid ..."
PWGRANT_OUTPUT=$(curl -k --silent --location -u "$clientid:$clientsecret" --request POST "$tokenendpoint" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "username=$userid" \
  --data-urlencode "password=$password")
ACCESS_TOKEN=$(echo "$PWGRANT_OUTPUT" | jq -r '.access_token')
ID_TOKEN=$(echo "$PWGRANT_OUTPUT" | jq -r '.id_token')
# jq prints "null" for a missing key, so check for both empty and null.
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ] || [ -z "$ID_TOKEN" ] || [ "$ID_TOKEN" = "null" ]; then
  echo "Token request failed: $PWGRANT_OUTPUT" >&2
  exit 1
fi
echo
echo "Access token: $ACCESS_TOKEN"
echo
echo "ID token: $ID_TOKEN"
echo

# Part 2: RFC 8693 token exchange for a vCenter SAML token.
echo "Exchanging JWT tokens for vCenter SAML token ..."
TOKEN_EXCHANGE_OUTPUT=$(curl -k --silent --location --request POST "https://$vcip/api/vcenter/authentication/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --header "Authorization: Bearer $ACCESS_TOKEN" \
  --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
  --data-urlencode "subject_token=$ACCESS_TOKEN" \
  --data-urlencode "actor_token_type=urn:ietf:params:oauth:token-type:id_token" \
  --data-urlencode "actor_token=$ID_TOKEN" \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:saml2")
echo
echo "$TOKEN_EXCHANGE_OUTPUT"
echo
SAML_TOKEN=$(echo "$TOKEN_EXCHANGE_OUTPUT" | jq -r '.access_token')
if [ -z "$SAML_TOKEN" ] || [ "$SAML_TOKEN" = "null" ]; then
  echo "Token exchange failed: $TOKEN_EXCHANGE_OUTPUT" >&2
  exit 1
fi
echo "vCenter SAML token: $SAML_TOKEN"
echo

# Part 3: decode, gzip and re-encode the SAML token (base64 -w0 is GNU coreutils; use -b 0 on macOS),
# then create the session with the SIGN authorization scheme.
echo "Establishing vCenter session with SAML token ${SAML_TOKEN::7}..."
echo
COMP_TOKEN=$(echo "$SAML_TOKEN" | base64 -d | gzip | base64 -w0)
SESSION_OUTPUT=$(curl -k --silent --location --request POST "https://$vcip/api/session" \
  --header "Authorization: SIGN token=\"$COMP_TOKEN\"")
echo "Create Session Response: $SESSION_OUTPUT"
# A successful response is a bare JSON string; an error response is a JSON object, which select() drops.
SESSION_ID=$(echo "$SESSION_OUTPUT" | jq -r 'select(type == "string")')
if [ -z "$SESSION_ID" ]; then
  echo "Session creation failed: $SESSION_OUTPUT" >&2
  exit 1
fi
echo "Tagging categories:"
curl -k "https://$vcip/api/cis/tagging/category" --header "vmware-api-session-id: $SESSION_ID"
echo
echo "Done!"
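The following Python helpers are an added example that is not part of this page or of VMware's SDK or script. They reproduce the client-side pieces of the four-step procedure and of the Bash script above: the token-exchange form body (the same parameter names and URN values as the IssueSpec modifiers), the Base-64 decode / gzip / Base-64 re-encode step, the SIGN authorization header, and parsing of the /api/session response. Two additions are assumptions of this example rather than anything the page specifies: a pre-check that a JWT has not expired before it is sent (the payload is only inspected, the signature is not verified here, vCenter Single Sign-On does that during the exchange), and a session-id parser that raises on a JSON error object instead of stripping its quotes the way tr -d '"' would. The sample JWTs and SAML assertion are constructed inline and are not real tokens.

```python
"""Client-side helpers for the vCenter JWT-to-SAML exchange flow (added example, not VMware code)."""
import base64
import gzip
import json
import time
from typing import Optional
from urllib.parse import urlencode

# RFC 8693 token-exchange parameters; the values match the IssueSpec modifiers in the procedure.
TOKEN_EXCHANGE_FIELDS = {
    "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
    "actor_token_type": "urn:ietf:params:oauth:token-type:id_token",
    "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
    "requested_token_type": "urn:ietf:params:oauth:token-type:saml2",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Inspection only: the signature is NOT
    verified here; vCenter Single Sign-On validates the token during the exchange."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def expires_within(token: str, seconds: int = 30, now: Optional[float] = None) -> bool:
    """True if the token has expired or will within `seconds` (clock-skew allowance)."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        return True  # assumption of this example: a token without exp is not worth sending
    now = time.time() if now is None else now
    return now + seconds >= exp


def token_exchange_body(access_token: str, id_token: str, now: Optional[float] = None) -> str:
    """Build the x-www-form-urlencoded body for POST https://<vcip>/api/vcenter/authentication/token."""
    for name, tok in (("access", access_token), ("id", id_token)):
        if expires_within(tok, now=now):
            raise ValueError(f"{name} token is expired or about to expire; obtain fresh tokens first")
    fields = dict(TOKEN_EXCHANGE_FIELDS, subject_token=access_token, actor_token=id_token)
    return urlencode(fields)


def prepare_saml_token(saml_b64: str) -> str:
    """Step 2 of the procedure: Base-64 decode, gzip, Base-64 encode with no line wraps.
    Equivalent to `base64 -d | gzip | base64 -w0` in the script."""
    raw = base64.b64decode("".join(saml_b64.split()))  # tolerate wrapped input like base64 -d does
    return base64.b64encode(gzip.compress(raw)).decode("ascii")


def unprepare_saml_token(compressed_b64: str) -> bytes:
    """Inverse of prepare_saml_token, used to confirm the round trip."""
    return gzip.decompress(base64.b64decode(compressed_b64))


def sign_header(compressed_b64: str) -> dict:
    """Authorization header for POST https://<vcip>/api/session, as the script sends it."""
    return {"Authorization": f'SIGN token="{compressed_b64}"'}


def parse_session_id(body: str) -> str:
    """A successful /api/session response is a bare JSON string. Anything else (for
    example an error object) raises instead of being silently stripped of quotes."""
    value = json.loads(body)
    if not isinstance(value, str) or not value:
        raise ValueError(f"session creation failed: {body}")
    return value


# ---- Constructed sample data for offline use; these are not real tokens ----
def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT whose third segment is a placeholder, not a signature."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


SAMPLE_ASSERTION = (  # constructed minimal SAML 2.0 assertion
    b'<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample">'
    b"<saml2:Subject><saml2:NameID>user@example.com</saml2:NameID></saml2:Subject>"
    b"</saml2:Assertion>"
)
SAMPLE_SAML_B64 = base64.b64encode(SAMPLE_ASSERTION).decode("ascii")

if __name__ == "__main__":
    now = time.time()
    access = make_sample_jwt({"sub": "user@example.com", "exp": now + 3600})
    ident = make_sample_jwt({"sub": "user@example.com", "exp": now + 3600})
    print(token_exchange_body(access, ident)[:80] + "...")
    comp = prepare_saml_token(SAMPLE_SAML_B64)
    assert unprepare_saml_token(comp) == SAMPLE_ASSERTION
    print(sign_header(comp)["Authorization"][:40] + "...")
    print(parse_session_id('"constructed-session-id"'))
```

To use these against a live endpoint you would POST token_exchange_body(...) with a Bearer header carrying the access token, feed the returned access_token field through prepare_saml_token, send sign_header(...) to /api/session, and hand the response body to parse_session_id; the resulting value goes in the vmware-api-session-id header exactly as in the script.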