Configure a client application or script for authentication by using an already existing vCenter Server identity provider configuration on VMware Identity Broker - vCenter Server.

You can leverage the identity provider configuration you created for vCenter Server for other apps or scripts that you want to federate to Okta or Azure AD.

For this automation scenario you must use services from both the vSphere Automation API and the VMware Identity Broker - vCenter Server API. The VMware Identity Broker - vCenter Server API endpoints are also hosted on your vCenter Server, but they live in a separate namespace from the vSphere Automation API endpoints.

Prerequisites

Okta and Azure AD requirements:

  • You are a customer of Okta or Microsoft and have a dedicated Okta domain space or an Azure AD account.
  • You have identified the Okta or Azure AD users and groups that you want to share with your app.

vCenter Server and other requirements:

  • vSphere 8.0 Update 1 or later, with the VMware Identity Broker - vCenter Server activated (it is activated by default).
  • A vCenter Server that is federated to Okta or Azure AD. (You must know the IP address or the FQDN of the vCenter Server.)
  • The users and groups from the identity provider are provisioned in your vCenter Server.
  • You must know the tenant that you want to use for your client app or script. The default tenant that is created during vCenter Server federation is called CUSTOMER.
  • You must have the VcIdentityProviders.Manage privilege.

Procedure

  1. Get a session identifier for the vSphere Automation API.
    For more information, see Authentication Mechanisms.
  2. Get a tenant admin client token.
    To authenticate to VMware Identity Broker - vCenter Server, you must obtain a tenant admin client token by calling the get(tenant) method of the AdminClient interface from the com.vmware.vcenter.identity.broker.tenants package.
    The default tenant that is created during the vCenter Server federation is called CUSTOMER. You can use this tenant for your app or script.
    In the response, you get an access token in JWT format that you use to authenticate to VMware Identity Broker - vCenter Server.
  3. Create an OAuth 2.0 client for your app.
    To authenticate to the external identity provider, you must create an OAuth 2.0 client for your app on VMware Identity Broker - vCenter Server. You can do this by using the Create Broker OAuth 2 Client service of the VMware Identity Broker - vCenter Server API.
    For authentication, you must use the tenant admin client token obtained in the previous step.
    Example request:
    curl --location --request POST 'https://<vcenter_server_fqdn>/acs/t/<tenant>/broker/oauth2-clients' \
    --header 'Content-Type: application/vnd.vmware.horizon.manager.accesscontrol.broker.oauth2client.with.rule.sets+json' \
    --header 'Accept: application/vnd.vmware.horizon.manager.accesscontrol.broker.oauth2client.with.rule.sets+json' \
    --header 'Authorization: HZN <my_admin_client_token>' \
    --data-raw '{
        "client_id": "<my_app_client_id>",
        "grant_types": [
            "refresh_token",
            "client_credentials",
            "password",
            "authorization_code"
        ],
        "scope": [
            "email",
            "profile",
            "user",
            "openid",
            "group"
        ],
        "secret": "<my_app_client_secret>",
        "redirect_uris": [
            "https://<my_app_redirect_uri1>",
            "https://<my_app_redirect_uri2>"
        ]
    }'
    On success (status code 201), the operation returns the data about the new OAuth 2.0 client.
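The three steps above, carried out end to end by a script, as an added example that is not VMware's code and not part of the original page. It uses only the Python standard library. The session endpoint (POST /api/session, which returns the session identifier as a JSON string) and the oauth2-clients POST with its media types and HZN authorization header are as documented; the REST path for the AdminClient get(tenant) operation (ADMIN_CLIENT_PATH) and the field name under which the JWT is returned (access_token) are assumptions and are marked as such in the code. The transport is injectable so the flow can be exercised offline against canned responses.

```python
"""Provision an OAuth 2.0 client on VMware Identity Broker - vCenter Server.

Added example (not VMware's code): walks procedure steps 1-3 with urllib.
POST /api/session and /acs/t/<tenant>/broker/oauth2-clients are documented;
ADMIN_CLIENT_PATH and the access_token field name are ASSUMPTIONS.
"""
import base64
import json
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

BROKER_MEDIA_TYPE = ("application/vnd.vmware.horizon.manager.accesscontrol."
                     "broker.oauth2client.with.rule.sets+json")
# ASSUMPTION: REST mapping of AdminClient.get(tenant); check your API reference.
ADMIN_CLIENT_PATH = "/api/vcenter/identity/broker/tenants/{tenant}/admin-client"
DEFAULT_GRANT_TYPES = ["refresh_token", "client_credentials", "password",
                       "authorization_code"]  # mirrors the page's example
DEFAULT_SCOPE = ["email", "profile", "user", "openid", "group"]


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str]
    body: Optional[bytes] = None


@dataclass
class Response:
    status: int
    body: bytes


Sender = Callable[[Request], Response]


def urllib_send(req: Request) -> Response:
    """Default transport; a fake can be injected so nothing leaves the host."""
    r = urllib.request.Request(req.url, data=req.body, method=req.method,
                               headers=req.headers)
    with urllib.request.urlopen(r) as resp:
        return Response(resp.status, resp.read())


def session_request(host: str, username: str, password: str) -> Request:
    """Step 1: open a vSphere Automation API session with HTTP basic auth."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    return Request("POST", f"https://{host}/api/session",
                   {"Authorization": f"Basic {cred}"})


def admin_client_request(host: str, tenant: str, session_id: str) -> Request:
    """Step 2: fetch the tenant admin client token (a JWT) for this tenant."""
    return Request("GET", f"https://{host}{ADMIN_CLIENT_PATH.format(tenant=tenant)}",
                   {"vmware-api-session-id": session_id})


def extract_access_token(payload) -> str:
    """ASSUMPTION: the JWT sits under "access_token", possibly nested in "token"."""
    if isinstance(payload, dict):
        if "access_token" in payload:
            return payload["access_token"]
        if "token" in payload:
            return extract_access_token(payload["token"])
    raise KeyError("no access_token in admin client response")


def create_client_request(host: str, tenant: str, admin_token: str, client_id: str,
                          secret: str, redirect_uris: List[str],
                          grant_types: List[str] = DEFAULT_GRANT_TYPES,
                          scope: List[str] = DEFAULT_SCOPE) -> Request:
    """Step 3: the documented POST, authenticated with the HZN admin token.
    Register only the grant types the app actually uses; fewer is safer."""
    insecure = [u for u in redirect_uris if not u.startswith("https://")]
    if insecure:  # an authorization code delivered over plain http is exposed
        raise ValueError(f"redirect_uris must be https: {insecure}")
    body = {"client_id": client_id, "grant_types": list(grant_types),
            "scope": list(scope), "secret": secret,
            "redirect_uris": list(redirect_uris)}
    return Request("POST", f"https://{host}/acs/t/{tenant}/broker/oauth2-clients",
                   {"Content-Type": BROKER_MEDIA_TYPE, "Accept": BROKER_MEDIA_TYPE,
                    "Authorization": f"HZN {admin_token}"},
                   json.dumps(body).encode())


def provision_oauth_client(host: str, tenant: str, username: str, password: str,
                           client_id: str, secret: str, redirect_uris: List[str],
                           send: Sender = urllib_send) -> dict:
    """Run steps 1-3; the secret is never logged. Returns the new client's data."""
    sess = send(session_request(host, username, password))
    if sess.status != 201:
        raise RuntimeError(f"session create failed: HTTP {sess.status}")
    session_id = json.loads(sess.body)  # /api/session returns a bare JSON string
    tok = send(admin_client_request(host, tenant, session_id))
    if tok.status != 200:
        raise RuntimeError(f"admin client token failed: HTTP {tok.status}")
    admin_token = extract_access_token(json.loads(tok.body))
    created = send(create_client_request(host, tenant, admin_token, client_id,
                                         secret, redirect_uris))
    if created.status != 201:  # the page documents 201 as the success code
        raise RuntimeError(f"create client failed: HTTP {created.status}")
    return json.loads(created.body)


if __name__ == "__main__":  # placeholder values only
    info = provision_oauth_client("<vcenter_server_fqdn>", "CUSTOMER", "<user>",
                                  "<password>", "<my_app_client_id>",
                                  "<my_app_client_secret>",
                                  ["https://<my_app_redirect_uri1>"])
    print(info.get("client_id"))
```

Because the transport is a plain callable, the same functions can be pointed at a recording fake during development and at urllib_send in production; the https check on redirect URIs and the explicit status checks are the two places where a misconfiguration is caught before a client with a weak registration ends up on the broker.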

What to do next

Authenticate your app or script to the external identity provider by using the OAuth 2.0 grant types.