Exchange JWT Tokens for a SAML Token and Obtain a Session Identifier

You can exchange the JWT tokens that you obtained from the authorization server for a vCenter Server SAML token and create an authenticated session.
  • You must have a valid access token and ID token (in JWT format) from the authorization server (AD FS or VMware Identity Broker - vCenter Server) for the user or application you want to authenticate.
  1. Call the service with the JWT token(s) you obtained.
    For example,
        curl --location --request POST 'https://<vcenter_server_ip_address_or_fqdn>/api/vcenter/authentication/token' \
          --header 'Authorization: Bearer <ACCESS_TOKEN>' \
          --header 'Content-Type: application/x-www-form-urlencoded' \
          --data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token' \
          --data-urlencode "subject_token=<ACCESS_TOKEN>" \
          --data-urlencode "actor_token_type=urn:ietf:params:oauth:token-type:id_token" \
          --data-urlencode "actor_token=<ID_TOKEN>" \
          --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
          --data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:saml2'
    On success (code 200), vCenter Single Sign-On returns an Oauth2TokenInfo data structure containing the SAML token.
  2. Prepare the SAML token for the API call.
    Base-64 decode the SAML token, compress it, and then Base-64 encode it again.
  3. To obtain a session identifier, call the service with the SAML token.
        curl --location --request POST 'https://<vcenter_server_ip_address_or_fqdn>/api/session' \
          --header 'Authorization: SIGN token=<COMP_TOKEN>'
    On success (code 201), the vSphere Automation endpoint returns a session identifier in the response.
  4. To authenticate, use the session identifier in subsequent API calls to the vSphere Automation API endpoints.
    For example:
        curl --location --request POST 'https://<vcenter_server_ip_address_or_fqdn>/api/cis/tagging/category' \
          --header 'vmware-api-session-id: <session_ID>'
You created an authenticated session and now you can access and use the vSphere Automation services.
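The same exchange as a small Python client, added here as an example (it is not VMware's code and not the page's script): it builds the step 1 form body field for field from the curl call above, does the step 2 base64/gzip/base64 preparation with the standard library, and refuses to send a JWT whose exp claim has already passed. The vCenter host, the tokens and the fake SAML token in the demo at the bottom are the caller's input or constructed values.

```python
import base64, gzip, json, time
import urllib.parse, urllib.request

def jwt_expired(token, now=None):
    """Read the JWT 'exp' claim (payload only, no signature check; vCenter
    verifies the signature) so an already-expired token is never sent."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    exp = json.loads(base64.urlsafe_b64decode(payload)).get("exp", 0)
    return exp <= (time.time() if now is None else now)  # missing exp counts as expired

def token_exchange_form(access_token, id_token):
    """Step 1 form body, field for field as in the page's curl call (RFC 8693)."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
            "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
            "subject_token": access_token,
            "actor_token_type": "urn:ietf:params:oauth:token-type:id_token",
            "actor_token": id_token,
            "requested_token_type": "urn:ietf:params:oauth:token-type:saml2"}

def prepare_saml_token(saml_token_b64):
    """Step 2: base64-decode the SAML token, gzip it, base64-encode it again."""
    return base64.b64encode(gzip.compress(base64.b64decode(saml_token_b64))).decode()

def unpack_saml_token(comp_token):
    """Reverse of prepare_saml_token: recover the SAML XML for inspection."""
    return gzip.decompress(base64.b64decode(comp_token))

def open_session(vcip, access_token, id_token):
    """Steps 1 to 3 over HTTPS; TLS certificate verification stays enabled."""
    if jwt_expired(access_token) or jwt_expired(id_token):
        raise ValueError("JWT expired; obtain fresh tokens before exchanging")
    body = urllib.parse.urlencode(token_exchange_form(access_token, id_token)).encode()
    req = urllib.request.Request(
        f"https://{vcip}/api/vcenter/authentication/token", data=body,
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        saml_token = json.load(resp)["access_token"]  # Oauth2TokenInfo.access_token
    comp = prepare_saml_token(saml_token)
    req = urllib.request.Request(f"https://{vcip}/api/session", method="POST",
                                 headers={"Authorization": f'SIGN token="{comp}"'})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # the session identifier for vmware-api-session-id

if __name__ == "__main__":  # offline check on a constructed (fake) SAML token
    fake_saml = base64.b64encode(b"<saml2:Assertion>constructed</saml2:Assertion>").decode()
    assert unpack_saml_token(prepare_saml_token(fake_saml)) == base64.b64decode(fake_saml)
    print("prepare/unpack round trip OK")
```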
Bash Shell
This Bash script illustrates the use case where you get JWT tokens from the authorization server (AD FS or VMware Identity Broker - vCenter Server), exchange them for a vCenter Server SAML token, and obtain an authentication session identifier from the vSphere Automation endpoint.
This script consists of three parts:
  1. Obtain JWT tokens from the authorization server (AD FS or VMware Identity Broker - vCenter Server) by using the OAuth 2.0 Password grant type.
  2. Exchange the JWT tokens for a vCenter Server SAML token.
  3. Use the SAML token to obtain a session identifier for the vSphere Automation API.
#!/bin/bash
: '
Variable definitions:
$vcip = The IP address or FQDN of your vCenter Server.
$ACCESS_TOKEN = The access token in JWT format that you received from the authentication server.
$ID_TOKEN = The ID token in JWT format that you received from the authentication server.
'
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ] || [ -z "$5" ] || [ -z "$6" ]; then
  echo "Usage: $0 <vc-ip> <pwgrant-userid> <pwgrant-password> <client-id> <client-secret> <token-endpoint>"
  exit 1   # a usage error is a failure, not success
fi
vcip="$1"
userid="$2"
password="$3"      # command-line arguments are visible to other local users in the process list
clientid="$4"
clientsecret="$5"
tokenendpoint="$6"

# Part 1: obtain JWT access and ID tokens with the OAuth 2.0 password grant.
# -k disables TLS certificate verification; remove it once the endpoints present trusted certificates.
echo "Obtaining JWT access and ID tokens for user $userid ..."
PWGRANT_OUTPUT=$(curl -k --silent --location -u "$clientid:$clientsecret" --request POST "$tokenendpoint" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "username=$userid" \
  --data-urlencode "password=$password")
ACCESS_TOKEN=$(echo "$PWGRANT_OUTPUT" | jq -r '.access_token')
ID_TOKEN=$(echo "$PWGRANT_OUTPUT" | jq -r '.id_token')
echo
echo "Access token: $ACCESS_TOKEN"
echo
echo "ID token: $ID_TOKEN"
echo

# Part 2: exchange the JWT tokens for a vCenter SAML token (OAuth 2.0 token exchange).
echo "Exchanging JWT tokens for vCenter SAML token ..."
TOKEN_EXCHANGE_OUTPUT=$(curl -k --silent --location --request POST "https://$vcip/api/vcenter/authentication/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --header "Authorization: Bearer $ACCESS_TOKEN" \
  --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
  --data-urlencode "subject_token=$ACCESS_TOKEN" \
  --data-urlencode "actor_token_type=urn:ietf:params:oauth:token-type:id_token" \
  --data-urlencode "actor_token=$ID_TOKEN" \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:saml2")
echo
echo "$TOKEN_EXCHANGE_OUTPUT"
echo
# The SAML token is carried in the access_token field of the returned Oauth2TokenInfo structure.
SAML_TOKEN=$(echo "$TOKEN_EXCHANGE_OUTPUT" | jq -r '.access_token')
echo "vCenter SAML token: $SAML_TOKEN"
echo

# Part 3: base64-decode, gzip and base64-encode the SAML token, then create the session with it.
echo "Establishing vCenter session with SAML token ${SAML_TOKEN::7}..."
echo
COMP_TOKEN=$(echo "$SAML_TOKEN" | base64 -d | gzip | base64 -w0)
SESSION_OUTPUT=$(curl -k --silent --location --request POST "https://$vcip/api/session" \
  --header "Authorization: SIGN token=\"$COMP_TOKEN\"")
echo "Create Session Response: $SESSION_OUTPUT"
SESSION_ID=$(echo "$SESSION_OUTPUT" | tr -d '"')   # the response body is a JSON string; strip its quotes
echo "Tagging categories:"
curl -k "https://$vcip/api/cis/tagging/category" --header "vmware-api-session-id: $SESSION_ID"
echo
echo "Done!"