If your organization defines an OAuth identity provider in its OrgOAuthSettings, users managed by that identity provider are created implicitly when they first log in to the organization. If you want a user or group to exist in the organization before first login, or to assign the user or group a specific role, you can import a user or group from an OAuth identity provider explicitly.

Unlike imports from an LDAP service, imports from an OAuth identity provider do not actually import information from an external database. Instead, the operation creates a mapping between a user or group defined in your organization and a user or group defined by your organization's OAuth provider. The VMware Cloud Director database stores these mappings, but does not store data retrieved from the OAuth provider.

Prerequisites

  • This operation requires the rights included in the predefined Organization Administrator role or an equivalent set of rights. Verify that you are logged in to the vCloud Air Compute Service as an Account Administrator.

  • Verify that your organization has defined an OAuth identity provider in its OrgOAuthSettings.

Procedure

  1. Create a User or Group element that identifies a user or group defined by your organization's OAuth provider.
  2. Include the following line in the User or Group element.
    <ProviderType>OAUTH</ProviderType>
  3. POST the element to the organization's users URL.

Example: Import a User from an OAuth Identity Provider

This example imports a user from an OAuth identity provider and assigns the user the Defer to Identity Provider role. See Predefined VMware Cloud Director Roles and Their Rights.

Request:
POST https://vcloud.example.com/api/admin/org/26/users
Content-Type: application/vnd.vmware.admin.user+xml
...
<?xml version="1.0" encoding="UTF-8"?>
<User
   xmlns="http://www.vmware.com/vcloud/v1.5"
   name="[email protected]"
   type="application/vnd.vmware.admin.user+xml">
   <IsEnabled>true</IsEnabled>
   <ProviderType>OAUTH</ProviderType>
   <Role
      href="https://vcloud.example.com/api/admin/org/26/role/d26caa7b-d8b2-395b-9615-4cd1903a65c1" />
</User>

The response is a User element, most of which is not shown in the example. The response includes a link that an administrator can use to edit user metadata, and additional elements, such as IsDefaultCached and StoredVmQuota, inherited from organization defaults. It also includes a NameInSource element, which contains the user's name in the encoding used by the identity provider.

Response:
201 Created
Content-Type: application/vnd.vmware.admin.user+xml
...
<User
   xmlns="http://www.vmware.com/vcloud/v1.5"
   name="[email protected]"
   id="urn:vcloud:user:85"
   type="application/vnd.vmware.admin.user+xml"
   href="https://vcloud.example.com/api/admin/user/85">
   <Link
      rel="edit"
      type="application/vnd.vmware.admin.user+xml"
      href="https://vcloud.example.com/api/admin/user/85" />
   <FullName>Imported User Full Name</FullName>
   <EmailAddress>[email protected]</EmailAddress>
   <IsEnabled>true</IsEnabled>
   <ProviderType>OAUTH</ProviderType>
   <NameInSource>\F4\D3\42\8E\6A\BC\D3</NameInSource>
   <IsAlertEnabled>false</IsAlertEnabled>
   <IsDefaultCached>false</IsDefaultCached>
   <StoredVmQuota>0</StoredVmQuota>
   <DeployedVmQuota>0</DeployedVmQuota>
   <Role
      type="application/vnd.vmware.admin.role+xml"
      name="Defer to Identity Provider"
      href="https://vcloud.example.com/api/admin/org/26/role/d26caa7b-d8b2-395b-9615-4cd1903a65c1" />
   <GroupReferences />
</User>
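As an added example (not VMware's own code), the following Python builds the User element from the procedure above, POSTs it to the organization's users URL, and reads back the fields the response section describes. The bearer-token Authorization header, the versioned Accept header, the embedded sample response and all function names are assumptions, not taken from this page.

```python
import urllib.request
import xml.etree.ElementTree as ET

NS = "http://www.vmware.com/vcloud/v1.5"
USER_TYPE = "application/vnd.vmware.admin.user+xml"
ET.register_namespace("", NS)  # serialize with a default xmlns, as in the doc's request


def build_oauth_user(name, role_href, enabled=True):
    """Request body from the procedure: a User element carrying <ProviderType>OAUTH</ProviderType>
    and a Role reference. Child order matches the doc's request (IsEnabled, ProviderType, Role)."""
    user = ET.Element(f"{{{NS}}}User", {"name": name, "type": USER_TYPE})
    ET.SubElement(user, f"{{{NS}}}IsEnabled").text = "true" if enabled else "false"
    ET.SubElement(user, f"{{{NS}}}ProviderType").text = "OAUTH"
    ET.SubElement(user, f"{{{NS}}}Role", {"href": role_href})
    return ET.tostring(user, encoding="UTF-8", xml_declaration=True)


def parse_user(xml_bytes):
    """Read the identifying fields the response section describes out of a User element."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS}}}User":
        raise ValueError(f"expected a User element, got {root.tag}")
    text = lambda tag: getattr(root.find(f"{{{NS}}}{tag}"), "text", None)
    role = root.find(f"{{{NS}}}Role")
    return {"id": root.get("id"), "href": root.get("href"),
            "provider_type": text("ProviderType"),
            "name_in_source": text("NameInSource"),  # name in the IdP's own encoding
            "role_name": None if role is None else role.get("name")}


def import_oauth_user(base_url, org_id, token, name, role_href, api_version="36.0"):
    """POST the element to the org's users URL; bearer auth and Accept version are assumptions."""
    req = urllib.request.Request(
        f"{base_url}/api/admin/org/{org_id}/users", method="POST",
        data=build_oauth_user(name, role_href),
        headers={"Content-Type": USER_TYPE,
                 "Accept": f"application/*+xml;version={api_version}",
                 "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        if resp.status != 201:  # the doc's success response is 201 Created
            raise RuntimeError(f"expected 201 Created, got {resp.status}")
        return parse_user(resp.read())


# Constructed sample modeled on the doc's 201 response (not captured from a real server).
SAMPLE_RESPONSE = rb"""<User xmlns="http://www.vmware.com/vcloud/v1.5" name="user@example.com"
   id="urn:vcloud:user:85" href="https://vcloud.example.com/api/admin/user/85">
   <ProviderType>OAUTH</ProviderType>
   <NameInSource>\F4\D3\42\8E\6A\BC\D3</NameInSource>
   <Role name="Defer to Identity Provider"
      href="https://vcloud.example.com/api/admin/org/26/role/d26caa7b-d8b2-395b-9615-4cd1903a65c1"/>
</User>"""
```

Checking that the returned ProviderType is OAUTH and that the Role name matches the href you sent confirms the mapping was created against the identity provider rather than as a local account.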