If your vCenter Server is federated to AD FS, you can authenticate with the OAuth 2.0 Password grant type.

You can use the Password grant type to exchange user credentials for an access token and an ID token from the authorization server. From the user's perspective, the password grant type functions exactly as basic authentication with the only difference that you use your AD FS, and not your local vCenter Single Sign-On credentials.

The Password grant type is possible among native apps but is not recommended for authentication to third-party apps. Modern security best practices require that primary user credentials such as passwords do not leave the native API environment. Therefore, it is more secure to use other OAuth 2.0 grant types for authentication to third-party apps.

To use the Password grant type with AD FS, you provide your AD FS user name and password to the Common Infrastructure Services (CIS) Session endpoint.

In the background, the client application calls the authorization server (AD FS) and obtains an access token and an ID token in JWT format. vCenter Single Sign-On converts the JWT tokens into a SAML token which is used to obtain a session identifier and authenticate your application to vCenter Server.

Important: The Password grant type is disallowed by the latest OAuth 2.0 Security Best Current Practice. The Password grant is excluded entirely from OAuth 2.1.

Prerequisites

  • Verify that your vCenter Server is federated to AD FS. For more information, see Federate vCenter Server to Active Directory Federation Services (AD FS).

  • You must have an AD FS account and user credentials with the necessary permissions to view and manage vCenter Server.

  • You must register an OAuth client for your application on the authorization server (AD FS).

Procedure

  1. Call the Session interface with the base-64 encoded value of your AD FS user name and password separated by a colon (username:password) in the authorization header.
    POST https://<vcenter_server_ip_address_or_fqdn>/api/session
    Authorization: Basic <username:password>
    

    On success (status code 201), the system returns an authentication session identifier.

  2. To authenticate subsequent API calls, pass the session identifier as a request header.
    vmware-api-session-id: <session_ID>