Federate Apps or Scripts to an External Identity Provider by Using Your VMware Identity Broker - vCenter Server Configuration

Configure a client application or script for authentication by using an already existing vCenter Server identity provider configuration on VMware Identity Broker - vCenter Server.

Okta and Azure AD requirements:
- You are a customer of Okta or Microsoft and have a dedicated Okta domain space or an Azure AD account.
- You have identified the Okta or Azure AD users and groups that you want to share with your app.
vCenter Server and other requirements:
- vSphere 8.0 Update 1 or later, with the VMware Identity Broker - vCenter Server activated (it is activated by default).
- A vCenter Server that is federated to Okta or Azure AD. (You must know the IP address or the FQDN of the vCenter Server.)
- The users and groups from the identity provider are provisioned in your vCenter Server.
- You must know the tenant that you want to use for your client app or script. The default tenant that is created during vCenter Server federation is called CUSTOMER.
- You must have the privilege.
You can leverage the identity provider configuration you created for vCenter Server for other apps or scripts that you want to federate to Okta or Azure AD.

For this automation scenario you must use services from the vSphere Automation API and the VMware Identity Broker - vCenter Server API. The VMware Identity Broker - vCenter Server API endpoints are also located on your vCenter Server, but they are separated from the vSphere Automation API endpoints (the example request below uses the /acs/ path prefix rather than /api/).

Procedure:
- Get a session identifier for the vSphere Automation API. For more information see Authentication Mechanisms.
- Get a tenant admin client token. To authenticate to VMware Identity Broker - vCenter Server, you must obtain a tenant admin client token by calling the get(tenant) method of the AdminClient interface from the com.vmware.vcenter.identity.broker.tenants package. The default tenant that is created during the vCenter Server federation is called CUSTOMER. You can use this tenant for your app or script. In the response, you get an access token in JWT format that you use to authenticate to VMware Identity Broker - vCenter Server. This token authorizes administrative operations on the tenant, so handle it like a password: keep it out of logs and shell history, and request a new one when its expiry (the exp claim) has passed.
- Create an OAuth 2.0 client for your app. To authenticate to the external identity provider, you must create an OAuth 2.0 client for your app on VMware Identity Broker - vCenter Server. You can do this by using the corresponding service of the VMware Identity Broker - vCenter Server API. For authentication, you must use the tenant admin client token obtained in the previous step. Request only the grant types and scopes that your app actually needs (a non-interactive script usually needs only client_credentials), and register the exact redirect URIs that your app uses; an OAuth 2.0 authorization server is expected to accept only registered redirect URIs.
Example request:
  curl --location --request POST 'https://<vcenter_server_fqdn>/acs/t/<tenant>/broker/oauth2-clients' \
    --header 'Content-Type: application/vnd.vmware.horizon.manager.accesscontrol.broker.oauth2client.with.rule.sets+json' \
    --header 'Accept: application/vnd.vmware.horizon.manager.accesscontrol.broker.oauth2client.with.rule.sets+json' \
    --header 'Authorization: HZN <my_admin_client_token>' \
    --data-raw '{
      "client_id": "<my_app_client_id>",
      "grant_types": [ "refresh_token", "client_credentials", "password", "authorization_code" ],
      "scope": [ "email", "profile", "user", "openid", "group" ],
      "secret": "<my_app_client_secret>",
      "redirect_uris": [ "https://<my_app_redirect_uri1>", "https://<my_app_redirect_uri2>" ]
    }'
On success (status code 201), the operation returns the data about the new OAuth 2.0 client.
- Authenticate your app or script to the external identity provider by using the OAuth 2.0 grant types.
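The procedure above carried through in one script, as an added example that is not VMware's code and not taken from the page. Only the oauth2-clients endpoint, its media type, the HZN authorization scheme and the 201 success status come from the page. The following are assumptions to check against the API reference of your vSphere build: that the vSphere Automation API login is POST /api/session with basic authentication returning the session id as a JSON string, that the REST binding of AdminClient.get(tenant) is GET /api/vcenter/identity/broker/tenants/{tenant}/admin-client, and that its JSON response carries the JWT under "access_token". The environment variable names, the SAMPLE_ADMIN_TOKEN and the helper names are invented for the example.

```python
"""Register a script as an OAuth 2.0 client on VMware Identity Broker - vCenter Server.

Added example; see the lead-in for which endpoints are assumed rather than documented.
"""
import base64
import json
import os
import ssl
import time
import urllib.request

OAUTH2_CLIENT_MEDIA = ("application/vnd.vmware.horizon.manager.accesscontrol."
                       "broker.oauth2client.with.rule.sets+json")
KNOWN_GRANTS = {"refresh_token", "client_credentials", "password", "authorization_code"}
KNOWN_SCOPES = {"email", "profile", "user", "openid", "group"}


def redirect_uri_problems(redirect_uris):
    """One message per redirect URI that could let a third party receive authorization codes."""
    problems = []
    for uri in redirect_uris:
        if not uri.startswith("https://"):
            problems.append(f"{uri}: redirect URIs must use https")
        elif "*" in uri or "#" in uri:
            problems.append(f"{uri}: no wildcards or fragments, register the exact callback URL")
    return problems


def build_oauth2_client(client_id, secret, redirect_uris=(),
                        grant_types=("client_credentials",), scope=("openid",)):
    """Body for POST /acs/t/<tenant>/broker/oauth2-clients, defaulting to a script's minimum.

    An interactive app adds authorization_code (and refresh_token) plus its callback URLs.
    """
    if len(secret) < 32:
        raise ValueError("use a client secret of at least 32 random characters")
    if set(grant_types) - KNOWN_GRANTS or set(scope) - KNOWN_SCOPES:
        raise ValueError("unknown grant type or scope requested")
    if "authorization_code" in grant_types and not redirect_uris:
        raise ValueError("authorization_code needs at least one redirect URI")
    if redirect_uri_problems(redirect_uris):
        raise ValueError("; ".join(redirect_uri_problems(redirect_uris)))
    return {"client_id": client_id, "grant_types": list(grant_types), "scope": list(scope),
            "secret": secret, "redirect_uris": list(redirect_uris)}


def jwt_claims(token):
    """Decode a compact JWT payload WITHOUT verifying it; only for tenant/expiry checks."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_seconds_left(token, now=None):
    """Seconds until the admin client token's exp claim; fetch a new token before it hits 0."""
    now = time.time() if now is None else now
    return jwt_claims(token)["exp"] - now


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample token (alg "none", fake signature) so the claim helpers run offline.
# A real broker token is signed by the broker and is never built like this.
SAMPLE_ADMIN_TOKEN = ".".join([_b64url({"alg": "none", "typ": "JWT"}),
                               _b64url({"sub": "admin-client", "tenant": "CUSTOMER",
                                        "exp": 2000000000}), "sig"])


def _call(url, method="GET", headers=None, body=None, ctx=None):
    data = None if body is None else json.dumps(body).encode()
    hdrs = {"Accept": "application/json", **(headers or {})}
    req = urllib.request.Request(url, data=data, method=method, headers=hdrs)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, json.loads(resp.read() or b"null")


def get_vsphere_session(vcenter, user, password, ctx):
    """Assumed: POST /api/session with basic auth returns the session id as a JSON string."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    _, session_id = _call(f"https://{vcenter}/api/session", "POST",
                          {"Authorization": f"Basic {cred}"}, ctx=ctx)
    return session_id


def get_admin_client_token(vcenter, tenant, session_id, ctx):
    """Assumed REST path for AdminClient.get(tenant) and "access_token" response key."""
    _, data = _call(f"https://{vcenter}/api/vcenter/identity/broker/tenants/{tenant}/admin-client",
                    headers={"vmware-api-session-id": session_id}, ctx=ctx)
    return data["access_token"]


def create_oauth2_client(vcenter, tenant, admin_token, payload, ctx):
    """Endpoint, media type, HZN scheme and 201 status as documented on the page."""
    status, data = _call(f"https://{vcenter}/acs/t/{tenant}/broker/oauth2-clients", "POST",
                         {"Content-Type": OAUTH2_CLIENT_MEDIA, "Accept": OAUTH2_CLIENT_MEDIA,
                          "Authorization": f"HZN {admin_token}"}, payload, ctx)
    if status != 201:
        raise RuntimeError(f"client registration failed with HTTP {status}: {data}")
    return data


if __name__ == "__main__":
    # Secrets come from the environment, never from argv; VC_CA_BUNDLE keeps TLS verification on.
    vc, tenant = os.environ["VC_FQDN"], os.environ.get("VC_TENANT", "CUSTOMER")
    ctx = ssl.create_default_context(cafile=os.environ.get("VC_CA_BUNDLE"))
    sid = get_vsphere_session(vc, os.environ["VC_USER"], os.environ["VC_PASS"], ctx)
    admin = get_admin_client_token(vc, tenant, sid, ctx)
    print(f"admin client token valid for {token_seconds_left(admin):.0f}s")
    body = build_oauth2_client(os.environ["APP_CLIENT_ID"], os.environ["APP_CLIENT_SECRET"])
    print(json.dumps(create_oauth2_client(vc, tenant, admin, body, ctx), indent=2))
```

The validation in build_oauth2_client is the part worth keeping even if you register the client with curl: a client registered with every grant type, every scope and a loose redirect URI is reachable through more code paths than the script will ever use, and the admin client token that creates it should be checked for remaining lifetime rather than retried blindly on a 401.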