Authentication Flow

Integration with VMware Cloud Director is implemented through the OAuth 2.0 OIDC authorization code flow standard. For detailed information, see Authentication using the Authorization Code Flow.

When a relying party redirects a user to VMware Cloud Director, if there is no existing client session, the user is prompted to log in to VMware Cloud Director by first identifying the organization or provider portal they wish to log into. The user authenticates through the configured authentication mechanism, which may involve further redirections to external identity providers. If the user's browser detects an existing VMware Cloud Director user session, the authentication flow provides an SSO experience and no user interaction is required for reauthentication. Upon successful completion of the process, VMware Cloud Director returns an access token and an ID token. The authorization code that is issued as part of the flow is valid for 5 minutes. The access token is valid for 5 minutes, and the ID token is valid for an hour.

You cannot use the access token that VMware Cloud Director returns upon successful authentication for accessing the UI portals or for making regular VMware Cloud Director API calls.

ID Token Details

The ID token that VMware Cloud Director returns contains the following OpenID standard claims and VMware Cloud Director specific claims.

Claim	Description
at_hash	(OpenID standard claim) Access token hash value.
sub	(OpenID standard claim) The userId in VMware Cloud Directorin UUID format.
iss	(OpenID standard claim) Public address of VMware Cloud Director.
preferred_username	(OpenID standard claim) User name of the user in VMware Cloud Director
nonce	(OpenID standard claim) String value used to associate a client session with an ID token, and to mitigate replay attacks. Only present if it was initially included in the relying party request.
aud	(OpenID standard claim) The audience for this token. The value is the client ID of requesting relying party.
azp	(OpenID standard claim) Authorized party for the token. The value is the client ID of the relying party. Its value is same as the aud claim.
name	(OpenID standard claim) Full name of the user, if known to VMware Cloud Director.
phone_number	(OpenID standard claim) Phone number of the user, if known to VMware Cloud Director.
exp	(OpenID standard claim) Expiration time. Time after which the ID token is not accepted for processing.
iat	(OpenID standard claim) Time at which the ID token was issued.
email	(OpenID standard claim) Email address of the user, if known to VMware Cloud Director.
roles	(VMware Cloud Director custom claim) An array of the names of the roles the user has in VMware Cloud Director.
groups	(VMware Cloud Director custom claim) An array of the names of the groups in which the user belongs in VMware Cloud Director.
org_name	(VMware Cloud Director custom claim) Name of the organization in which the user is logged in.
org_display_name	(VMware Cloud Director custom claim) Display name of the organization.
org_id	(VMware Cloud Director custom claim) The organization ID in UUID format.

OpenID Request Scopes

The scope of the OpenID request is used to specify the privileges requested for an access token.

Scope Values	Description.
openid	Required. OpenID standard scope.
profile	OpenID standard scope. Requests access to the end-user default profile claims.
email	OpenID standard scope. Requests access to the end-user email address claims.
groups	OpenID standard scope. Requests access to the groups that the user is part of in VMware Cloud Director.
phone	OpenID standard scope. Requests access to the user phone number claim.
vcd_idp	VMware Cloud Director specific scope. Requests access to VMware Cloud Directorcustom claims, such as roles, groups, org_name, org_display_name, and org_id.

Endpoints

• You can use the access token returned by VMware Cloud Director to retrieve claims about the authenticated user at the hostname/oidc/UserInfo endpoint. For details, see UserInfo Endpoint.

• You can retrieve the provider configuration values, including the JWKS endpoint and information about other endpoints and scopes necessary for the OIDC proxy configuration at the well-known configuration URL hostname/oidc/.well-known/openid-configuration. See View the OIDC Proxy General Settings in Your VMware Cloud Director.

Token Exchange Access to VMware Cloud Director Identity Provider Proxy

Programmatic integration with the identity provider proxy functionality of VMware Cloud Director is available through the token exchange flow that is detailed below. This flow does not involve the VMware Cloud Director UI and is suitable for scripted access, such as CLI.

1. Obtain a VMware Cloud Director JWT by either directly logging in or by using an API token.

2. Run a POST request.

   POST  hostname/oidc/oauth2/token

   1. Select x-www-form-urlencoded for the body of the request.

   2. Include the following parameters in the body of the request.

      {
           "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
           "assertion": "VMware_Cloud_Director JWT",
           "client_id": "Relying_party_ID",
           "scope": "openid profile email phone groups vcd_idp",
         }

3. The response returns both an ID token that includes the OIDC and VMware Cloud Director claims, and an access token that you can use to retrieve claims about the authenticated user at the hostname/oidc/UserInfo endpoint.

Multisite Considerations

In a multisite deployment, each site functions as a single identity provider server.

Paired sites do not provide federated identity server support. This means that if during the login process a tenant that does not belong to the site that functions as their identity provider proxy attempts to login to it through the organization selection of another site of the multisite deployment, login fails.