This Bash script illustrates the use case where you get JWT tokens from the authorization server (AD FS or VMware Identity Services), exchange them for a vCenter Server SAML token, and obtain an authentication session identifier from the vSphere Automation endpoint.

This script consists of three parts:
  1. Obtain JWT tokens from the authorization server (AD FS or VMware Identity Services) by using the OAuth 2.0 Password grant type.
  2. Exchange the JWT tokens for a vCenter Server SAML token.
  3. Use the SAML token to obtain a session identifier for the vSphere Automation API.
#!/bin/bash

: '
Variable definitions:
$vcip = The IP address or FQDN of your vCenter Server.
$ACCESS_TOKEN = The access token in JWT format that you received from the authentication server.
$ID_TOKEN = The ID token in JWT format that you received from the authentication server.
'
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ] || [ -z "$5" ] || [ -z "$6" ]; then
  echo "Usage: <vc-ip> <pwgrant-userid> <pwgrant-password> <client-id> <client-secret> <token-endpoint>"
  exit 0
fi

vcip="$1"
userid="$2"
password="$3"
clientid="$4"
clientsecret="$5"
tokenendpoint="$6"

echo "Obtaining JWT access and ID tokens for user $userid ..."

PWGRANT_OUTPUT=$(curl -k --silent --location -u "$clientid:$clientsecret" --request POST "$tokenendpoint" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "username=$userid" \
  --data-urlencode "password=$password")
ACCESS_TOKEN=$(echo $PWGRANT_OUTPUT | jq -r '.access_token')
ID_TOKEN=$(echo $PWGRANT_OUTPUT | jq -r '.id_token')

echo
echo "Access token: $ACCESS_TOKEN"
echo
echo "ID token: $ID_TOKEN"
echo

echo "Exchanging JWT tokens for vCenter SAML token ..."

TOKEN_EXCHANGE_OUTPUT=$(curl -k --silent --location --request POST "https://$vcip/api/vcenter/authentication/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --header "Authorization: Bearer $ACCESS_TOKEN" \
  --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
  --data-urlencode "subject_token=$ACCESS_TOKEN" \
  --data-urlencode "actor_token_type=urn:ietf:params:oauth:token-type:id_token" \
  --data-urlencode "actor_token=$ID_TOKEN" \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:saml2")

echo
echo "$TOKEN_EXCHANGE_OUTPUT"
echo

SAML_TOKEN=$(echo $TOKEN_EXCHANGE_OUTPUT | jq -r '.access_token')

echo "vCenter SAML token: $SAML_TOKEN"
echo

echo "Establishing vCenter session with SAML token ${SAML_TOKEN::7}..."
echo
COMP_TOKEN=$(echo $SAML_TOKEN | base64 -d | gzip | base64 -w0)

SESSION_OUTPUT=$(curl -k --silent --location --request POST "https://$vcip/api/session" \
  --header "Authorization: SIGN token=\"$COMP_TOKEN\"")

echo "Create Session Response: $SESSION_OUTPUT"

SESSION_ID=$(echo "$SESSION_OUTPUT" | tr -d '"')

echo "Tagging categories:"
curl -k "https://$vcip/api/cis/tagging/category" --header "vmware-api-session-id: $SESSION_ID"

echo
echo "Done!"