Federate Apps or Scripts to an External Identity Provider by Using Your VMware Identity Broker - vCenter Server Configuration

Configure a client application or script for authentication by using an already existing vCenter Server identity provider configuration on VMware Identity Broker - vCenter Server.
Okta and Azure AD requirements:
  • You are a customer of Okta or Microsoft and have a dedicated Okta domain space or an Azure AD account.
  • You have identified the Okta or Azure AD users and groups that you want to share with your app.
vCenter Server and other requirements:
  • vSphere 8.0 Update 1 or later, with the VMware Identity Broker - vCenter Server activated (it is activated by default).
  • A vCenter Server that is federated to Okta or Azure AD. (You must know the IP address or the FQDN of the vCenter Server.)
  • The users and groups from the identity provider are provisioned in your vCenter Server.
  • You must know the tenant that you want to use for your client app or script. The default tenant that is created during vCenter Server federation is called CUSTOMER.
  • You must have the VcIdentityProviders.Manage privilege.
You can reuse the identity provider configuration you created for vCenter Server for other apps or scripts that you want to federate to Okta or Azure AD.
For this automation scenario, you must use services from the vSphere Automation API and the VMware Identity Broker - vCenter Server API. The VMware Identity Broker - vCenter Server API endpoints are also located on your vCenter Server, but they are taxonomically separated from the vSphere Automation API endpoints.
  1. Get a session identifier for the vSphere Automation API.
     For more information, see Authentication Mechanisms.
  2. Get a tenant admin client token.
     To authenticate to VMware Identity Broker - vCenter Server, you must obtain a tenant admin client token by calling the get(tenant) method of the AdminClient interface from the com.vmware.vcenter.identity.broker.tenants package.
     The default tenant that is created during the vCenter Server federation is called CUSTOMER. You can use this tenant for your app or script.
     In the response, you get an access token in JWT format that you use to authenticate to VMware Identity Broker - vCenter Server.
  3. Create an OAuth 2.0 client for your app.
     To authenticate to the external identity provider, you must create an OAuth 2.0 client for your app on VMware Identity Broker - vCenter Server. You can do this by using the service of the VMware Identity Broker - vCenter Server API.
     For authentication, you must use the tenant admin client token obtained in the previous step.
     Example request:
       curl --location --request POST 'https://<vcenter_server_fqdn>/acs/t/<tenant>/broker/oauth2-clients' \
         --header 'Content-Type: application/vnd.vmware.horizon.manager.accesscontrol.broker.oauth2client.with.rule.sets+json' \
         --header 'Accept: application/vnd.vmware.horizon.manager.accesscontrol.broker.oauth2client.with.rule.sets+json' \
         --header 'Authorization: HZN <my_admin_client_token>' \
         --data-raw '{
           "client_id": "<my_app_client_id>",
           "grant_types": [ "refresh_token", "client_credentials", "password", "authorization_code" ],
           "scope": [ "email", "profile", "user", "openid", "group" ],
           "secret": "<my_app_client_secret>",
           "redirect_uris": [ "https://<my_app_redirect_uri1>", "https://<my_app_redirect_uri2>" ]
         }'
     On success (status code 201), the operation returns the data about the new OAuth 2.0 client.
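The client registration from step 3 as a Python script, added here as an example and not taken from this documentation or from VMware: it takes the tenant admin client token from step 2 as an input, builds the same request the curl command above sends, and treats anything other than 201 as a failure. The host name, tenant, client id and secret are constructed placeholders, and the https-only check on redirect URIs is an added safeguard, not a broker requirement stated on this page.

```python
import json
import urllib.request
from urllib.error import HTTPError

# Media type the broker's oauth2-clients endpoint uses for request and response.
OAUTH2_CLIENT_MEDIA = ("application/vnd.vmware.horizon.manager.accesscontrol."
                       "broker.oauth2client.with.rule.sets+json")


def build_oauth2_client_request(vcenter_fqdn, tenant, admin_token,
                                client_id, secret, redirect_uris):
    """Assemble the POST from step 3; returns (url, headers, json body bytes)."""
    # Added safeguard: refuse plain-http callbacks, an authorization code sent to http:// can be read in transit.
    bad = [u for u in redirect_uris if not u.startswith("https://")]
    if bad:
        raise ValueError(f"redirect URIs must use https: {bad}")
    url = f"https://{vcenter_fqdn}/acs/t/{tenant}/broker/oauth2-clients"
    headers = {
        "Content-Type": OAUTH2_CLIENT_MEDIA,
        "Accept": OAUTH2_CLIENT_MEDIA,
        # Tenant admin client token from step 2, sent with the HZN scheme.
        "Authorization": f"HZN {admin_token}",
    }
    body = {
        "client_id": client_id,
        "grant_types": ["refresh_token", "client_credentials",
                        "password", "authorization_code"],
        "scope": ["email", "profile", "user", "openid", "group"],
        "secret": secret,
        "redirect_uris": list(redirect_uris),
    }
    return url, headers, json.dumps(body).encode("utf-8")


def create_oauth2_client(vcenter_fqdn, tenant, admin_token,
                         client_id, secret, redirect_uris):
    """Send the request; return the new client record on 201, raise otherwise.
    TLS verification stays on, so the vCenter certificate must be trusted."""
    url, headers, body = build_oauth2_client_request(
        vcenter_fqdn, tenant, admin_token, client_id, secret, redirect_uris)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            if resp.status != 201:
                raise RuntimeError(f"unexpected status {resp.status}")
            return json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        # 401/403 usually means an expired or non-admin token from step 2.
        raise RuntimeError(f"broker rejected the request: HTTP {err.code}") from err
```

Call create_oauth2_client("vcenter.example.test", "CUSTOMER", admin_token, "my-app", secret, ["https://app.example.test/callback"]) with your own values; the returned record is the client data the broker sends back on 201.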
Authenticate your app or script to the external identity provider by using the OAuth 2.0 grant types.