Exchange JWT Tokens for a SAML Token and Obtain a Session Identifier
You can exchange the JWT tokens that you obtained from the authorization server for a vCenter Server SAML token and create an authenticated session.

Before you begin, you must have a valid access token and a valid ID token (both in JWT format) from the authorization server (AD FS or VMware Identity Broker - vCenter Server) for the user or application that you want to authenticate.
- Send the JWT tokens to vCenter Single Sign-On by using the Token interface of the com.vmware.vcenter.authentication package.
- Create an object of type TokenTypes.IssueSpec and set the following fields. The access token is the subject token, the ID token is the actor token, the grant type is the OAuth 2.0 token exchange grant, and the requested token type is SAML 2.0.

  Method                  Value
  setSubjectTokenType     urn:ietf:params:oauth:token-type:access_token
  setSubjectToken         <ACCESS_TOKEN>
  setActorTokenType       urn:ietf:params:oauth:token-type:id_token
  setActorToken           <ID_TOKEN>
  setGrantType            urn:ietf:params:oauth:grant-type:token-exchange
  setRequestedTokenType   urn:ietf:params:oauth:token-type:saml2

- Call the issue(TokenTypes.IssueSpec) method. On success, vCenter Single Sign-On returns a TokenInfo object containing the SAML token.
- Prepare the SAML token for the API call: Base64-decode the SAML token, gzip-compress it, and then Base64-encode the compressed bytes again (without line wrapping).
- To obtain a session identifier, call the session.create() method with the prepared SAML token. On success, the vSphere Automation API returns a session identifier.
- To authenticate, add the session identifier to your security context instance.
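The following Python module is an added example and is not part of the original page or of the vSphere Automation SDK. It shows the client-side pieces of the procedure above that can be exercised offline: a sanity check of the JWT's exp/nbf claims before the exchange (the signature is deliberately not verified here, because that is vCenter Single Sign-On's job), the RFC 8693 form body and Bearer header for the token endpoint, the decode-gzip-encode preparation of the SAML token with its inverse as a check, and the SIGN authorization header for session creation. The sample JWT and SAML assertion are constructed test data; the host name vc.example.com and the helper names are assumptions, and the endpoint paths are the ones the page's Bash script uses.

```python
import base64
import gzip
import json
import time
import urllib.parse
import urllib.request

# RFC 8693 token-exchange parameter values used by the vCenter token endpoint.
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
SAML2_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:saml2"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT verifying the signature.
    Client-side sanity check only: vCenter Single Sign-On validates signature,
    issuer and audience when it processes the exchange."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def jwt_is_usable(token: str, now=None, skew: int = 30) -> bool:
    """False if the token is expired or not yet valid (allowing clock skew);
    exchanging such a token would only earn a rejection from vCenter."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    if "exp" in claims and now >= claims["exp"] + skew:
        return False
    if "nbf" in claims and now < claims["nbf"] - skew:
        return False
    return True


def token_exchange_request(vcip: str, access_token: str, id_token: str):
    """Build the POST for https://<vcip>/api/vcenter/authentication/token:
    access token as subject token, ID token as actor token, SAML 2.0 requested."""
    form = {
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "subject_token": access_token,
        "actor_token_type": ID_TOKEN_TYPE,
        "actor_token": id_token,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "requested_token_type": SAML2_TOKEN_TYPE,
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Bearer " + access_token,
    }
    url = f"https://{vcip}/api/vcenter/authentication/token"
    return url, headers, urllib.parse.urlencode(form).encode()


def prepare_saml_token(saml_token_b64: str) -> str:
    """Base64-decode the SAML token, gzip it, Base64-encode it again (no wrapping)."""
    raw = base64.b64decode(saml_token_b64)
    compressed = gzip.compress(raw, mtime=0)  # fixed mtime keeps the output deterministic
    return base64.b64encode(compressed).decode("ascii")


def restore_saml_token(prepared: str) -> bytes:
    """Inverse of prepare_saml_token: the assertion bytes vCenter unpacks from the header."""
    return gzip.decompress(base64.b64decode(prepared))


def session_request(vcip: str, prepared_token: str):
    """Build the POST for /api/session that turns the prepared SAML token into a session ID."""
    headers = {"Authorization": f'SIGN token="{prepared_token}"'}
    return f"https://{vcip}/api/session", headers


def post(url, headers, body=None, ssl_context=None):
    """Send one of the requests built above; returns (HTTP status, response body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ssl_context) as resp:
        return resp.status, resp.read().decode()


def _fake_jwt(claims: dict) -> str:
    # Constructed, unsigned (alg "none") token for offline demonstration only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'


# Constructed sample assertion standing in for the SAML token vCenter returns.
SAMPLE_ASSERTION = (b'<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
                    b'ID="_constructed"><saml2:Subject><saml2:NameID>user@example.com'
                    b'</saml2:NameID></saml2:Subject></saml2:Assertion>')
SAMPLE_SAML_B64 = base64.b64encode(SAMPLE_ASSERTION).decode()

if __name__ == "__main__":
    now = 1_700_000_000
    access = _fake_jwt({"sub": "user@example.com", "iat": now, "exp": now + 3600})
    id_tok = _fake_jwt({"sub": "user@example.com", "iat": now, "exp": now + 3600})
    print("access token usable:", jwt_is_usable(access, now=now))
    url, headers, body = token_exchange_request("vc.example.com", access, id_tok)
    print("exchange:", url, body[:60], b"...")
    prepared = prepare_saml_token(SAMPLE_SAML_B64)
    print("round-trip ok:", restore_saml_token(prepared) == SAMPLE_ASSERTION)
    print("session:", session_request("vc.example.com", prepared)[1]["Authorization"][:40], "...")
```

Against a real vCenter, pass the tuples from token_exchange_request and session_request to post() with an ssl.SSLContext that trusts the vCenter certificate; parse .access_token from the exchange response as the SAML token and strip the quotes from the session response to get the session identifier.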
You created an authenticated session and now you can access and use the vSphere Automation services.

Bash Shell
This Bash script illustrates the use case where you get JWT tokens from the authorization server (AD FS or VMware Identity Broker - vCenter Server), exchange them for a vCenter Server SAML token, and obtain an authentication session identifier from the vSphere Automation endpoint. The script consists of three parts:

- Obtain JWT tokens from the authorization server (AD FS or VMware Identity Broker - vCenter Server) by using the OAuth 2.0 Password grant type. This grant sends the user's password through the client and is discouraged by the OAuth 2.0 Security Best Current Practice; it is used here only because it makes the example self-contained.
- Exchange the JWT tokens for a vCenter Server SAML token.
- Use the SAML token to obtain a session identifier for the vSphere Automation API.
#!/bin/bash
: '
Variable definitions:
$vcip         = The IP address or FQDN of your vCenter Server.
$ACCESS_TOKEN = The access token in JWT format that you received from the authorization server.
$ID_TOKEN     = The ID token in JWT format that you received from the authorization server.
'
# This script takes the user password on the command line (visible in the
# process list) and prints the JWT tokens and the SAML token to stdout.
# It is for illustration; do not reuse it as-is in automation.
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ] || [ -z "$5" ] || [ -z "$6" ]; then
  echo "Usage: <vc-ip> <pwgrant-userid> <pwgrant-password> <client-id> <client-secret> <token-endpoint>"
  exit 1
fi

vcip="$1"
userid="$2"
password="$3"
clientid="$4"
clientsecret="$5"
tokenendpoint="$6"

# Part 1: OAuth 2.0 Password grant against the authorization server's token endpoint.
# -k disables TLS certificate verification; remove it once the server CA is trusted.
echo "Obtaining JWT access and ID tokens for user $userid ..."
PWGRANT_OUTPUT=$(curl -k --silent --location -u "$clientid:$clientsecret" --request POST "$tokenendpoint" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "username=$userid" \
  --data-urlencode "password=$password")
ACCESS_TOKEN=$(echo "$PWGRANT_OUTPUT" | jq -r '.access_token')
ID_TOKEN=$(echo "$PWGRANT_OUTPUT" | jq -r '.id_token')
echo
echo "Access token: $ACCESS_TOKEN"
echo
echo "ID token: $ID_TOKEN"
echo

# Part 2: RFC 8693 token exchange at vCenter. The access token is the subject
# token, the ID token is the actor token, and a SAML 2.0 token is requested.
echo "Exchanging JWT tokens for vCenter SAML token ..."
TOKEN_EXCHANGE_OUTPUT=$(curl -k --silent --location --request POST "https://$vcip/api/vcenter/authentication/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --header "Authorization: Bearer $ACCESS_TOKEN" \
  --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
  --data-urlencode "subject_token=$ACCESS_TOKEN" \
  --data-urlencode "actor_token_type=urn:ietf:params:oauth:token-type:id_token" \
  --data-urlencode "actor_token=$ID_TOKEN" \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:saml2")
echo
echo "$TOKEN_EXCHANGE_OUTPUT"
echo
SAML_TOKEN=$(echo "$TOKEN_EXCHANGE_OUTPUT" | jq -r '.access_token')
echo "vCenter SAML token: $SAML_TOKEN"
echo

# Part 3: Base64-decode the SAML token, gzip it, Base64-encode it again without
# line wrapping, and present it in a SIGN authorization header to /api/session.
echo "Establishing vCenter session with SAML token ${SAML_TOKEN::7}..."
echo
COMP_TOKEN=$(echo "$SAML_TOKEN" | base64 -d | gzip | base64 -w0)
SESSION_OUTPUT=$(curl -k --silent --location --request POST "https://$vcip/api/session" \
  --header "Authorization: SIGN token=\"$COMP_TOKEN\"")
echo "Create Session Response: $SESSION_OUTPUT"
# The response body is a JSON string; strip the quotes to get the raw session identifier.
SESSION_ID=$(echo "$SESSION_OUTPUT" | tr -d '"')

# Use the session identifier on a subsequent vSphere Automation API call.
echo "Tagging categories:"
curl -k "https://$vcip/api/cis/tagging/category" --header "vmware-api-session-id: $SESSION_ID"
echo
echo "Done!"