Starting with VMware Cloud Director 10.4.1, you can remap individual users from one identity provider (IDP) to another by using the VMware Cloud Director API.

Important: Do not migrate users to or from the system organization LDAP configuration. The users migrated from the system organization LDAP configuration cannot log in to any organization other than the one doing the migration. For more information, see the Known Issues section in the VMware Cloud Director 10.4.2 release notes.
Note: Starting with version 10.4.1, VMware Cloud Director starts the deprecation process for local users. VMware Cloud Director continues to fully support the use of local users while they are under deprecation. See VMware Cloud Director 10.4.1 Release Notes.

For information about bulk remapping of users between identity providers by using the VMware Cloud Director UI in version 10.4.2, see Remap Users Between Identity Providers in VMware Cloud Director 10.4.2 and Later.

Prerequisites

  • Verify that your role includes the Group / User: Manage right.
  • Verify that the organization is configured with the identity provider types that you want to remap between.

Procedure

  1. Make a GET request to /cloudapi/1.0.0/users.

    VMware Cloud Director returns a list of the users within the organization.

  2. Locate the user you want to remap, and retrieve the user information.
    GET /cloudapi/1.0.0/users/{user_id}
  3. Make a PUT request to /cloudapi/1.0.0/users/{user_id}.

    To remap a user, you must change the providerType field to identify the new IDP. VMware Cloud Director supports the SAML, LDAP, OAUTH, and LOCAL values. Additionally, you can modify the user name to match the user name in the IDP that the user is remapping to. The ID of the user must remain unchanged so that VMware Cloud Director continues to associate the user's assets with the user when they log in through the new login flow.

    Important:

    If you are remapping to provider type LDAP, VMware Cloud Director validates the user name with the LDAP server before committing the operation. If VMware Cloud Director does not complete this step for any reason, for example, loss of connectivity to the LDAP server, the remapping fails.

    If you are remapping a user to be a local user by specifying provider type LOCAL, similar to the process of creating a user, you must provide a password.

  4. Verify that VMware Cloud Director returns an OK response specifying the newly remapped provider type in the response body.

Example:

To find the user that you want to remap, make the following request.

Request:
GET /cloudapi/1.0.0/users?pageSize=10 HTTP/1.1
Host: 127.0.0.1:8443
Accept: application/json;version=37.1
Sample response:
{
  "resultTotal": 2,
  "pageCount": 1,
  "page": 1,
  "pageSize": 10,
  "associations": null,
  "values": [
    ...,
    {
      "username": "testuser",
      "fullName": "",
      "description": null,
      "id": "urn:vcloud:user:2b038199-0063-4c13-9bba-a3b58d775785",
      "roleEntityRefs": [
        {
          "name": "vApp Author",
          "id": "urn:vcloud:role:85f69506-52a5-3e20-869a-ea18d667e19e"
        }
      ],
      "orgEntityRef": {
        "name": "testorg",
        "id": "urn:vcloud:org:806f0d87-c8b9-47f5-bfbe-3dc73a4c0d14"
      },
      "password": "******",
      "email": "",
      "nameInSource": "testuser",
      "enabled": true,
      "isGroupRole": false,
      "providerType": "LOCAL"
    }
  ]
}

To remap testuser from LOCAL to LDAP, make a PUT request.

Request:
PUT /cloudapi/1.0.0/users/urn:vcloud:user:2b038199-0063-4c13-9bba-a3b58d775785 HTTP/1.1
Host: 127.0.0.1:8443
Accept: application/json;version=37.1
Content-Type: application/json;version=37.1

Body:
{
  "username": "testuser",
  "fullName": "",
  "description": null,
  "id": "urn:vcloud:user:2b038199-0063-4c13-9bba-a3b58d775785",
  "roleEntityRefs": [
    {
      "name": "vApp Author",
      "id": "urn:vcloud:role:85f69506-52a5-3e20-869a-ea18d667e19e"
    }
  ],
  "orgEntityRef": {
    "name": "testorg",
    "id": "urn:vcloud:org:806f0d87-c8b9-47f5-bfbe-3dc73a4c0d14"
  },
  "password": "******",
  "email": "",
  "nameInSource": "testuser",
  "enabled": true,
  "isGroupRole": false,
  "providerType": "LDAP"
}
Sample response:
{
  "username": "testuser",
  "fullName": "",
  "description": null,
  "id": "urn:vcloud:user:2b038199-0063-4c13-9bba-a3b58d775785",
  "roleEntityRefs": [
    {
      "name": "vApp Author",
      "id": "urn:vcloud:role:85f69506-52a5-3e20-869a-ea18d667e19e"
    }
  ],
  "orgEntityRef": {
    "name": "testorg",
    "id": "urn:vcloud:org:806f0d87-c8b9-47f5-bfbe-3dc73a4c0d14"
  },
  "password": null,
  "email": "",
  "nameInSource": "\\63\\36\\62\\35\\30\\66\\35\\63\\2D\\61\\62\\30\\35\\2D\\34\\37\\64\\33\\2D\\62\\61\\64\\34\\2D\\39\\32\\64\\35\\32\\37\\30\\36\\62\\39\\39\\33",
  "enabled": true,
  "isGroupRole": false,
  "providerType": "LDAP"
}
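
The procedure above, as an added Python example that is not part of the VMware documentation: it builds the PUT body from the record returned by GET, enforces the providerType and LOCAL password rules, and checks the response. The function names build_remap_body and check_remap are hypothetical, and comparing roles, organization, and enabled state before and after is this example's own extra check, beyond the ID and providerType checks the page describes.

```python
import copy

# Values the page lists as supported for providerType.
PROVIDER_TYPES = {"SAML", "LDAP", "OAUTH", "LOCAL"}

# Trimmed copy of the page's testuser record (sample data, not a live account).
SAMPLE_USER = {
    "username": "testuser",
    "id": "urn:vcloud:user:2b038199-0063-4c13-9bba-a3b58d775785",
    "roleEntityRefs": [{"name": "vApp Author",
        "id": "urn:vcloud:role:85f69506-52a5-3e20-869a-ea18d667e19e"}],
    "orgEntityRef": {"name": "testorg",
        "id": "urn:vcloud:org:806f0d87-c8b9-47f5-bfbe-3dc73a4c0d14"},
    "password": "******", "nameInSource": "testuser",
    "enabled": True, "providerType": "LOCAL",
}

def build_remap_body(user, new_provider, new_username=None, password=None):
    """Build the PUT body from a GET /cloudapi/1.0.0/users/{user_id} result."""
    if new_provider not in PROVIDER_TYPES:
        raise ValueError(f"unsupported providerType: {new_provider!r}")
    body = copy.deepcopy(user)  # id, roles and org are carried over unchanged
    body["providerType"] = new_provider
    if new_username is not None:
        body["username"] = new_username  # match the name in the target IDP
    if new_provider == "LOCAL":
        # Assumption: the masked "******" echoed by GET is not a real password.
        if not password or set(password) == {"*"}:
            raise ValueError("remapping to LOCAL requires a password")
        body["password"] = password
    return body

def check_remap(before, response, new_provider):
    """Return the problems found in the PUT response; an empty list means OK."""
    problems = []
    if response.get("id") != before.get("id"):
        problems.append("user id changed")
    if response.get("providerType") != new_provider:
        problems.append("providerType not updated")
    for field in ("roleEntityRefs", "orgEntityRef", "enabled"):
        if response.get(field) != before.get(field):
            problems.append(f"{field} changed during remap")
    return problems

if __name__ == "__main__":
    body = build_remap_body(SAMPLE_USER, "LDAP")
    simulated = dict(body, password=None)  # constructed stand-in for the response
    print(check_remap(SAMPLE_USER, simulated, "LDAP") or "remap verified")
```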