You can exchange the JWT tokens that you obtained from the authorization server for a vCenter Server SAML token and create an authenticated session.

Prerequisites

  • You must have a valid access and ID token (in JWT format) from the authorization server (AD FS or VMware Identity Broker - vCenter Server) for the user or application you want to authenticate.

Procedure

  1. Send the JWT tokens to vCenter Single Sign-On by using the Token interface of the com.vmware.vcenter.authentication package.
    1. Create an object of type TokenTypes.IssueSpec and set the following values with its setter methods.
      Method                  Value
      setSubjectTokenType     urn:ietf:params:oauth:token-type:access_token
      setSubjectToken         <ACCESS_TOKEN>
      setActorTokenType       urn:ietf:params:oauth:token-type:id_token
      setActorToken           <ID_TOKEN>
      setGrantType            urn:ietf:params:oauth:grant-type:token-exchange
      setRequestedTokenType   urn:ietf:params:oauth:token-type:saml2
    2. Call the issue(TokenTypes.IssueSpec) method.
    On success, vCenter Single Sign-On returns a TokenInfo object containing the SAML token.
  2. Prepare the SAML token for the API call.
    Base-64 decode the SAML token, compress it, and then Base-64 encode it again.
  3. To obtain a session identifier, call the session.create() method with the SAML token.
    On success, the vSphere Automation API returns a session identifier.
  4. To authenticate, add the session identifier to your security context instance.
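The token preparation in step 2 (decode, compress, re-encode) is the one part of the procedure that does not depend on the SDK, so here it is as an added, stand-alone example. It is not code from the vSphere Automation SDK or from VMware; the SAML assertion it uses is a constructed placeholder, and the choice of gzip as the compression algorithm is an assumption of this example (the procedure above only says "compress"). The helper also refuses input that does not decode to a SAML Assertion element, which catches the common mistake of passing the JWT access token where the SAML token belongs; it does not verify the assertion's signature, which vCenter Server does when the session is created.

```python
import base64
import gzip
import re

# Constructed placeholder standing in for the SAML assertion that
# vCenter Single Sign-On returns inside TokenInfo. It is not a real token.
SAMPLE_SAML_XML = (
    b'<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    b'ID="_example-assertion-id" Version="2.0">'
    b'<saml2:Issuer>https://vcenter.example.invalid/websso/SAML2/Metadata'
    b'/vsphere.local</saml2:Issuer>'
    b'</saml2:Assertion>'
)
# Step 2 starts from a Base-64 encoded token, so the sample is encoded once here.
SAMPLE_SAML_TOKEN_B64 = base64.b64encode(SAMPLE_SAML_XML).decode("ascii")


def looks_like_saml_assertion(xml_bytes: bytes) -> bool:
    """Cheap structural check: the payload must start with an Assertion
    element (any namespace prefix). This is not a signature check."""
    return re.match(rb"\s*<(\w+:)?Assertion\b", xml_bytes) is not None


def prepare_saml_token(saml_token_b64: str) -> str:
    """Step 2 of the procedure: Base-64 decode, compress, Base-64 encode again.

    gzip is an assumption of this example. mtime=0 makes the output stable
    across runs, so two preparations of the same token compare equal.
    Raises ValueError on input that is not Base-64 or is not a SAML assertion
    (a JWT contains '.' characters and fails the Base-64 validation).
    """
    raw_xml = base64.b64decode(saml_token_b64, validate=True)
    if not looks_like_saml_assertion(raw_xml):
        raise ValueError("decoded payload is not a SAML Assertion element")
    compressed = gzip.compress(raw_xml, mtime=0)
    return base64.b64encode(compressed).decode("ascii")


def unprepare_saml_token(prepared: str) -> bytes:
    """Reverse of prepare_saml_token: decode and decompress back to the XML.
    Useful to confirm that what is about to go on the wire round-trips."""
    compressed = base64.b64decode(prepared, validate=True)
    return gzip.decompress(compressed)


if __name__ == "__main__":
    prepared = prepare_saml_token(SAMPLE_SAML_TOKEN_B64)
    print(f"{len(SAMPLE_SAML_TOKEN_B64)} -> {len(prepared)} Base-64 characters")
    assert unprepare_saml_token(prepared) == SAMPLE_SAML_XML
    try:
        # Constructed JWT-shaped string, not a real access token.
        prepare_saml_token("eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ4In0.c2ln")
    except ValueError as exc:
        print("rejected non-SAML input:", exc)
```

The result of prepare_saml_token() is the value you pass to session.create() in step 3; the round-trip helper and the Assertion check exist only so that a wrong token type is caught on the client before vCenter Server rejects the session request.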