Exchange JWT Tokens for a SAML Token and
Obtain a Session Identifier
You can exchange the JWT tokens that you obtained from the authorization server for a
vCenter
Server
SAML token and create an
authenticated session.- You must have a valid access and ID token (in JWT format) from the authorization server (AD FS orVMware Identity Broker - vCenter Server) for the user or application you want to authenticate.
- Call the service with the JWT token(s) you obtained.For example,curl --location --request POST 'https://<vcenter_server_ip_address_or_fqdn>/api/vcenter/authentication/token' \ --header 'Authorization: Bearer <ACCESS_TOKEN>' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token' \ --data-urlencode "subject_token=<ACCESS_TOKEN>" \ --data-urlencode "actor_token_type=urn:ietf:params:oauth:token-type:id_token" \ --data-urlencode "actor_token=<ID_TOKEN>" \ --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \ --data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:saml2'On success (code 200),vCenter Single Sign-Onreturns anOauth2TokenInfodata structure containing the SAML token.
- Prepare the SAML token for the API call.Base-64 decode the SAML token, compress it, and then Base-64 encode it again.
- To obtain a session identifier, call theservicewith the SAML token.curl --location --request POST 'https://<vcenter_server_ip_address_or_fqdn>/api/session' \ --header 'Authorization: SIGN token=<COMP_TOKEN>'On success (code 201), thevSphere Automationendpoint returns a session identifier in the response.
- To authenticate, use the session identifier in subsequent API calls to thevSphere AutomationAPI endpoints.For example:curl --location --request POST 'https://<vcenter_server_ip_address_or_fqdn>/api/cis/tagging/category' \ --header 'vmware-api-session-id: <session_ID>'
You created an authenticated session and now you can access
and use the
vSphere
Automation
services. - Bash Shell
- This Bash script illustrates the use case where you get JWT tokens from the authorization server (AD FS orVMware Identity Broker - vCenter Server), exchange them for avCenter ServerSAML token, and obtain an authentication session identifier from thevSphere Automationendpoint.This script consists of three parts:
- Obtain JWT tokens from the authorization server (AD FS orVMware Identity Broker - vCenter Server) by using the OAuth 2.0 Password grant type.
- Exchange the JWT tokens for avCenter ServerSAML token.
- Use the SAML token to obtain a session identifier for thevSphere AutomationAPI.
#!/bin/bash : ' Variable definitions: $vcip = The IP address or FQDN of your vCenter Server. $ACCESS_TOKEN = The access token in JWT format that you received from the authentication server. $ID_TOKEN = The ID token in JWT format that you received from the authentication server. ' if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ] || [ -z "$5" ] || [ -z "$6" ]; then echo "Usage: <vc-ip> <pwgrant-userid> <pwgrant-password> <client-id> <client-secret> <token-endpoint>" exit 0 fi vcip="$1" userid="$2" password="$3" clientid="$4" clientsecret="$5" tokenendpoint="$6" echo "Obtaining JWT access and ID tokens for user $userid ..." PWGRANT_OUTPUT=$(curl -k --silent --location -u "$clientid:$clientsecret" --request POST "$tokenendpoint" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "grant_type=password" \ --data-urlencode "username=$userid" \ --data-urlencode "password=$password") ACCESS_TOKEN=$(echo $PWGRANT_OUTPUT | jq -r '.access_token') ID_TOKEN=$(echo $PWGRANT_OUTPUT | jq -r '.id_token') echo echo "Access token: $ACCESS_TOKEN" echo echo "ID token: $ID_TOKEN" echo echo "Exchanging JWT tokens for vCenter SAML token ..." TOKEN_EXCHANGE_OUTPUT=$(curl -k --silent --location --request POST "https://$vcip/api/vcenter/authentication/token" \ --header "Content-Type: application/x-www-form-urlencoded" \ --header "Authorization: Bearer $ACCESS_TOKEN" \ --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \ --data-urlencode "subject_token=$ACCESS_TOKEN" \ --data-urlencode "actor_token_type=urn:ietf:params:oauth:token-type:id_token" \ --data-urlencode "actor_token=$ID_TOKEN" \ --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:saml2") echo echo "$TOKEN_EXCHANGE_OUTPUT" echo SAML_TOKEN=$(echo $TOKEN_EXCHANGE_OUTPUT | jq -r '.access_token') echo "vCenter SAML token: $SAML_TOKEN" echo echo "Establishing vCenter session with SAML token ${SAML_TOKEN::7}..." echo COMP_TOKEN=$(echo $SAML_TOKEN | base64 -d | gzip | base64 -w0) SESSION_OUTPUT=$(curl -k --silent --location --request POST "https://$vcip/api/session" \ --header "Authorization: SIGN token=\"$COMP_TOKEN\"") echo "Create Session Response: $SESSION_OUTPUT" SESSION_ID=$(echo "$SESSION_OUTPUT" | tr -d '"') echo "Tagging categories:" curl -k "https://$vcip/api/cis/tagging/category" --header "vmware-api-session-id: $SESSION_ID" echo echo "Done!"