Starting with VMware Cloud Director 10.4.1, you can remap individual users from one identity provider (IDP) to another by using the VMware Cloud Director API.

Note: VMware Cloud Director starts the deprecation process for local users. VMware Cloud Director continues to fully support the use of local users while they are under deprecation. See VMware Cloud Director 10.4.1 Release Notes.

For information about bulk remapping of users between identity providers by using the VMware Cloud Director UI, see Remap Users Between Identity Providers Using Your VMware Cloud Director Tenant Portal.

Prerequisites

  • Verify that your role includes the Group / User: Manage right.
  • Verify that the organization is configured with the identity provider types that you want to remap between.

Procedure

  1. Make a GET request to /cloudapi/1.0.0/users.

    VMware Cloud Director returns a list of the users within the organization.

  2. Locate the user you want to remap, and retrieve the user information.
    GET /cloudapi/1.0.0/users/{user_id}
  3. Make a PUT request to /cloudapi/1.0.0/users/{user_id}.

    To remap a user, you must change the providerType field to identify the new IDP. VMware Cloud Director supports the SAML, LDAP, OAUTH, and LOCAL values. Additionally, to match the user name in the IDP that the user is remapping to, you can modify the user name. For VMware Cloud Director to continue to associate the user's assets with the user when they log in through the new login flow, the ID of the user must remain unchanged.

    Important:

    If you are remapping to provider type LDAP, VMware Cloud Director validates the user name with the LDAP server before committing the operation. If VMware Cloud Director does not complete this step for any reason, for example, loss of connectivity to the LDAP server, the remapping fails.

    If you are remapping a user to be a local user by specifying provider type LOCAL, similar to the process of creating a user, you must provide a password.

  4. Verify that VMware Cloud Director returns an OK response specifying the newly remapped provider type in the response body.

Example:

To find the user that you want to remap, make the following request.

Request:
GET /cloudapi/1.0.0/users?pageSize=10 HTTP/1.1
Host: 127.0.0.1:8443
Accept: application/json;version=37.1

Sample response:
{
  "resultTotal": 2,
  "pageCount": 1,
  "page": 1,
  "pageSize": 10,
  "associations": null,
  "values": [
    ...,
    {
      "username": "testuser",
      "fullName": "",
      "description": null,
      "id": "urn:vcloud:user:2b038199-0063-4c13-9bba-a3b58d775785",
      "roleEntityRefs": [
        {
          "name": "vApp Author",
          "id": "urn:vcloud:role:85f69506-52a5-3e20-869a-ea18d667e19e"
        }
      ],
      "orgEntityRef": {
        "name": "testorg",
        "id": "urn:vcloud:org:806f0d87-c8b9-47f5-bfbe-3dc73a4c0d14"
      },
      "password": "******",
      "email": "",
      "nameInSource": "testuser",
      "enabled": true,
      "isGroupRole": false,
      "providerType": "LOCAL"
    }
  ]
}

To remap testuser from LOCAL to LDAP, make a PUT request.

Request:
PUT /cloudapi/1.0.0/users/urn:vcloud:user:2b038199-0063-4c13-9bba-a3b58d775785 HTTP/1.1
Host: 127.0.0.1:8443
Accept: application/json;version=37.1
Content-Type: application/json;version=37.1

Body:
{
  "username": "testuser",
  "fullName": "",
  "description": null,
  "id": "urn:vcloud:user:2b038199-0063-4c13-9bba-a3b58d775785",
  "roleEntityRefs": [
    {
      "name": "vApp Author",
      "id": "urn:vcloud:role:85f69506-52a5-3e20-869a-ea18d667e19e"
    }
  ],
  "orgEntityRef": {
    "name": "testorg",
    "id": "urn:vcloud:org:806f0d87-c8b9-47f5-bfbe-3dc73a4c0d14"
  },
  "password": "******",
  "email": "",
  "nameInSource": "testuser",
  "enabled": true,
  "isGroupRole": false,
  "providerType": "LDAP"
}

Sample response:
{
  "username": "testuser",
  "fullName": "",
  "description": null,
  "id": "urn:vcloud:user:2b038199-0063-4c13-9bba-a3b58d775785",
  "roleEntityRefs": [
    {
      "name": "vApp Author",
      "id": "urn:vcloud:role:85f69506-52a5-3e20-869a-ea18d667e19e"
    }
  ],
  "orgEntityRef": {
    "name": "testorg",
    "id": "urn:vcloud:org:806f0d87-c8b9-47f5-bfbe-3dc73a4c0d14"
  },
  "password": null,
  "email": "",
  "nameInSource": "\\63\\36\\62\\35\\30\\66\\35\\63\\2D\\61\\62\\30\\35\\2D\\34\\37\\64\\33\\2D\\62\\61\\64\\34\\2D\\39\\32\\64\\35\\32\\37\\30\\36\\62\\39\\39\\33",
  "enabled": true,
  "isGroupRole": false,
  "providerType": "LDAP"
}