Starting with VMware Cloud Director 10.0, you can use separate VMware Cloud Director OpenAPI login endpoints for the service provider and tenant access to VMware Cloud Director.
You can use two new OpenAPI endpoints to increase security by restricting access to VMware Cloud Director.
/cloudapi/1.0.0/sessions/provider
- OpenAPI endpoint for the service provider login. Tenants cannot access VMware Cloud Director by using this endpoint.
/cloudapi/1.0.0/sessions/
- OpenAPI endpoint for the tenant login. Service providers cannot access VMware Cloud Director by using this endpoint.
By default, provider administrators and organization users can access VMware Cloud Director by logging in to the /api/sessions API endpoint.
By using the manage-config subcommand of the cell management tool, you can deactivate service provider access to the /api/sessions API endpoint and, as a result, limit the provider login to the new /cloudapi/1.0.0/sessions/provider OpenAPI endpoint, which is accessible only to service providers.
When you deactivate service provider access to the /api/sessions API endpoint, service provider requests that supply only a SAML token in the authorization header fail for all legacy API endpoints.
Procedure
Results
The /api/sessions API endpoint is no longer accessible to service providers. Service providers can use the new OpenAPI endpoint /cloudapi/1.0.0/sessions/provider to access VMware Cloud Director. Tenants can access VMware Cloud Director by using both the /api/sessions API endpoint and the new /cloudapi/1.0.0/sessions/ OpenAPI endpoint.
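To confirm the state described under Results, the following added example (not part of the VMware documentation) attempts a provider login against each of the three endpoints and compares the outcome with what the page says should happen. Assumptions: the base URL and account name are placeholders you supply, the provider organization is addressed as System, API version 33.0 is used in the Accept header, and any non-2xx status counts as a rejected login.

```bash
#!/usr/bin/env bash
# Added example: check that a provider account is accepted only by the
# provider-only OpenAPI login endpoint. Function names, API_VERSION and the
# "non-2xx means rejected" rule are assumptions of this example.

CURL="${CURL:-curl}"                 # overridable so the check can be exercised offline
API_VERSION="${API_VERSION:-33.0}"   # assumed API version for VMware Cloud Director 10.0

# accepted STATUS -> succeeds when STATUS is a 2xx code
accepted() { case "$1" in 2??) return 0 ;; *) return 1 ;; esac; }

# login_status BASE_URL PATH USER@ORG ACCEPT_TYPE -> prints the HTTP status.
# The password comes from VCD_PASSWORD and is passed to curl on stdin, so it
# does not show up in the process list (escape any '"' or '\' it contains).
login_status() {
    local base="$1" path="$2" user="$3" accept="$4"
    printf 'user = "%s:%s"\n' "$user" "$VCD_PASSWORD" |
        "$CURL" --silent --config - --request POST \
            --header "Accept: ${accept};version=${API_VERSION}" \
            --output /dev/null --write-out '%{http_code}' \
            "${base}${path}"
}

# check_provider_hardening BASE_URL PROVIDER_USER
# Prints one line per endpoint. Returns 0 only when the provider login is
# rejected by /api/sessions and the tenant endpoint, and accepted by
# /cloudapi/1.0.0/sessions/provider.
check_provider_hardening() {
    local base="$1" user="$2" rc=0 path accept want code got
    while read -r path accept want; do
        code=$(login_status "$base" "$path" "${user}@System" "$accept")
        if accepted "$code"; then got=accept; else got=reject; fi
        [ "$got" = "$want" ] || rc=1
        printf '%-36s HTTP %s %s (expected %s)\n' "$path" "$code" "$got" "$want"
    done <<'EOF'
/api/sessions application/*+xml reject
/cloudapi/1.0.0/sessions application/json reject
/cloudapi/1.0.0/sessions/provider application/json accept
EOF
    return "$rc"
}

# Usage: VCD_PASSWORD=... ./check.sh https://vcd.example.com administrator
if [ "$#" -eq 2 ]; then check_provider_hardening "$1" "$2"; fi
```

Each run makes two login attempts that are expected to fail, so they will appear as failed provider logins in the cell's audit events.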
What to do next
To enable the provider access to the /api/sessions API endpoint, run the following command:
/opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n vcloud.api.legacy.nonprovideronly -v false