Identity Providers APIs
APIs for managing Identity Providers
1. Get all Identity Providers
- This API is used to get a list of all Identity Providers
Tip : Please refer to IdentityProvider.
1.1. Prerequisites
None
When ADFS is configured
1.2. Steps
- Invoke the API.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-providers HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1682

{
  "elements" : [ {
    "id" : "87a71ff5-bf6d-4967-a3f7-a0f6f4ad993b",
    "name" : "Embedded IDP",
    "type" : "Embedded",
    "identitySources" : [ {
      "name" : "vsphere.local",
      "type" : "SystemDomain",
      "domainNames" : [ "vsphere.local" ]
    }, {
      "name" : "localos",
      "type" : "LocalOs",
      "domainNames" : [ "localos" ]
    }, {
      "name" : "embedded-ids-name",
      "type" : "ActiveDirectory",
      "domainNames" : [ "embedded-ids.com" ],
      "ldap" : {
        "type" : "ActiveDirectory",
        "domainName" : "embedded-ids.com",
        "domainAlias" : "embedded-ids",
        "username" : "[email protected]",
        "sourceDetails" : {
          "usersBaseDn" : "users-base-dn",
          "groupsBaseDn" : "groups-base-dn",
          "certChain" : [ ],
          "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
        }
      }
    } ],
    "status" : "inactive"
  }, {
    "id" : "73c6ce84-63fc-41e7-b4f4-0b755f81a2dc",
    "name" : "My AD Identity Source",
    "type" : "Microsoft ADFS",
    "domainNames" : [ "external-idp.com" ],
    "ldap" : {
      "type" : "Oidc",
      "domainName" : "external-idp.com",
      "domainAlias" : "external-idp",
      "username" : "[email protected]",
      "sourceDetails" : {
        "usersBaseDn" : "users-base-dn",
        "groupsBaseDn" : "groups-base-dn",
        "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
      }
    },
    "oidc" : {
      "clientId" : "c05d30b7-d196-4cce-8716-711facfb11e9",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    },
    "status" : "active"
  } ]
}
When OKTA is configured
1.3. Steps
- Invoke the API.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-providers HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1705

{
  "elements" : [ {
    "id" : "a24dfa50-7c3e-4b65-848c-34943b09781e",
    "name" : "Embedded IDP",
    "type" : "Embedded",
    "identitySources" : [ {
      "name" : "vsphere.local",
      "type" : "SystemDomain",
      "domainNames" : [ "vsphere.local" ]
    }, {
      "name" : "localos",
      "type" : "LocalOs",
      "domainNames" : [ "localos" ]
    }, {
      "name" : "embedded-ids-name",
      "type" : "ActiveDirectory",
      "domainNames" : [ "embedded-ids.com" ],
      "ldap" : {
        "type" : "ActiveDirectory",
        "domainName" : "embedded-ids.com",
        "domainAlias" : "embedded-ids",
        "username" : "[email protected]",
        "sourceDetails" : {
          "usersBaseDn" : "users-base-dn",
          "groupsBaseDn" : "groups-base-dn",
          "certChain" : [ ],
          "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
        }
      }
    } ],
    "status" : "inactive"
  }, {
    "id" : "4a5a9589-cec1-4e12-915c-fb76009d5390",
    "name" : "Okta",
    "type" : "FEDERATED_IDP_BROKER",
    "status" : "active",
    "fedIdp" : {
      "name" : "Okta",
      "source" : "OKTA",
      "directoryList" : {
        "name" : "OktaDirectory",
        "defaultDomain" : "external-okta-idp.com",
        "domains" : [ "external-okta-idp.com" ]
      },
      "oidcInfo" : {
        "clientId" : "52b5c37d-085b-4b42-9ccc-a583be71b157",
        "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
      },
      "syncClientTokenTTL" : 263000,
      "syncClientTokenInfo" : {
        "expireAt" : "2025-03-21T09:42:53.445Z",
        "scimUrl" : "https://domain.com/usergroup/t/CUSTOMER/scim/v2"
      }
    }
  } ]
}
1.4. Related APIs
[_getidentityproviders] API
[_getidentityproviderbyid] API
2. Get Identity Provider
Retrieve detailed information of the specified identity provider.
2.1. Prerequisites
The following data is required
- Identifier of the provider
2.2. Steps
- Invoke the API.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/662a69a0-3d39-4489-988a-ae2fe6923d18' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-providers/662a69a0-3d39-4489-988a-ae2fe6923d18 HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 684

{
  "id" : "662a69a0-3d39-4489-988a-ae2fe6923d18",
  "name" : "My AD Identity Source",
  "type" : "Microsoft ADFS",
  "domainNames" : [ "external-idp.com" ],
  "ldap" : {
    "type" : "Oidc",
    "domainName" : "external-idp.com",
    "domainAlias" : "external-idp",
    "username" : "[email protected]",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  },
  "oidc" : {
    "clientId" : "baae64a0-8ed1-46c5-a413-8e7d89e30928",
    "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
  },
  "status" : "active"
}
2.3. Related APIs
[_getidentityproviders] API
3. Add an embedded Identity Source
3.1. Prerequisites
The following data is required
- Identifier of the embedded Identity Provider
Tip : Please refer to IdentitySourceSpec.
3.2. Steps
- Fetch the ID for the embedded identity provider from the list Identity Providers response.
Tip : Refer to Get all Identity Providers.
- Invoke the API to add an embedded identity source.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/bc523e77-ade7-4048-8150-f0286b0d958b/identity-sources' -i -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "name" : "My AD Identity Source",
  "ldap" : {
    "type" : "ActiveDirectory",
    "domainName" : "embedded-ids.com",
    "domainAlias" : "embedded-ids",
    "username" : "[email protected]",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  }
}'
HTTP Request
POST /v1/identity-providers/bc523e77-ade7-4048-8150-f0286b0d958b/identity-sources HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 452
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "name" : "My AD Identity Source",
  "ldap" : {
    "type" : "ActiveDirectory",
    "domainName" : "embedded-ids.com",
    "domainAlias" : "embedded-ids",
    "username" : "[email protected]",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  }
}
HTTP Response
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 68

Added Identity source with domain name embedded-ids.com successfully
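The first step above sends you back to the section 1 list response to find the embedded provider's id; the update and delete APIs in sections 4 and 5 additionally need the domain name of the identity source in their path. The Python below is an added example, not code from this document or from SDDC Manager: it pulls both values out of the list response and, while it is there, audits every `ldap` block for cleartext `ldap://` endpoints and for `ldaps://` endpoints that arrive with an empty `certChain`. The input is the section 1 sample response, embedded inline and trimmed to the fields used; every name and value in it is the page's own placeholder. The `certChain` check assumes that field carries the LDAPS server certificates, which is this example's reading of the spec, not something the page states.

```python
"""Mine the "Get all Identity Providers" response and audit its LDAP settings.

Added example; not code from the VCF documentation. The sample below is the
section 1 list response, trimmed to the fields these functions read.
"""
from urllib.parse import urlsplit

# Constructed from the page's "When ADFS is configured" sample response.
SAMPLE_LIST_RESPONSE = {
    "elements": [
        {
            "id": "87a71ff5-bf6d-4967-a3f7-a0f6f4ad993b",
            "name": "Embedded IDP",
            "type": "Embedded",
            "identitySources": [
                {"name": "vsphere.local", "type": "SystemDomain",
                 "domainNames": ["vsphere.local"]},
                {
                    "name": "embedded-ids-name",
                    "type": "ActiveDirectory",
                    "domainNames": ["embedded-ids.com"],
                    "ldap": {
                        "type": "ActiveDirectory",
                        "domainName": "embedded-ids.com",
                        "domainAlias": "embedded-ids",
                        "sourceDetails": {
                            "usersBaseDn": "users-base-dn",
                            "groupsBaseDn": "groups-base-dn",
                            "certChain": [],
                            "serverEndpoints": ["ldap://dns01.domain.com",
                                                "ldap://dns02.domain.com"],
                        },
                    },
                },
            ],
            "status": "inactive",
        },
        {
            "id": "73c6ce84-63fc-41e7-b4f4-0b755f81a2dc",
            "name": "My AD Identity Source",
            "type": "Microsoft ADFS",
            "domainNames": ["external-idp.com"],
            "ldap": {
                "type": "Oidc",
                "domainName": "external-idp.com",
                "domainAlias": "external-idp",
                "sourceDetails": {
                    "usersBaseDn": "users-base-dn",
                    "groupsBaseDn": "groups-base-dn",
                    "serverEndpoints": ["ldap://dns01.domain.com",
                                        "ldap://dns02.domain.com"],
                },
            },
            "status": "active",
        },
    ]
}


def embedded_provider_id(list_response: dict) -> str:
    """Return the id of the single provider whose type is "Embedded"."""
    ids = [e["id"] for e in list_response["elements"] if e.get("type") == "Embedded"]
    if len(ids) != 1:
        raise LookupError(f"expected exactly one embedded IDP, found {len(ids)}")
    return ids[0]


def identity_source_by_domain(list_response: dict, domain: str) -> dict:
    """Return the embedded identity source serving `domain`.

    The domain name is the path element of the update and delete APIs
    (/v1/identity-providers/{id}/identity-sources/{domainName}).
    """
    for element in list_response["elements"]:
        for source in element.get("identitySources", []):
            if domain in source.get("domainNames", []):
                return source
    raise LookupError(f"no identity source serves {domain!r}")


def audit_ldap(ldap: dict) -> list:
    """Findings for one `ldap` block: cleartext endpoints, ldaps without a cert chain."""
    details = ldap.get("sourceDetails", {})
    schemes = {u: urlsplit(u).scheme.lower() for u in details.get("serverEndpoints", [])}
    findings = []
    cleartext = [u for u, scheme in schemes.items() if scheme != "ldaps"]
    if cleartext:
        findings.append(f"{ldap.get('domainName')}: cleartext LDAP endpoints {cleartext}")
    # Assumption of this example: certChain holds the LDAPS server certificates.
    if "ldaps" in schemes.values() and not details.get("certChain"):
        findings.append(f"{ldap.get('domainName')}: ldaps:// endpoints but certChain is empty")
    return findings


def audit_list_response(list_response: dict) -> list:
    """Run audit_ldap over every ldap block, on providers and on embedded sources."""
    findings = []
    for element in list_response["elements"]:
        blocks = [element.get("ldap")] + [s.get("ldap") for s in element.get("identitySources", [])]
        for ldap in filter(None, blocks):
            findings.extend(audit_ldap(ldap))
    return findings


if __name__ == "__main__":
    print("embedded IDP id:", embedded_provider_id(SAMPLE_LIST_RESPONSE))
    for finding in audit_list_response(SAMPLE_LIST_RESPONSE):
        print("finding:", finding)
```

Against the page's own sample both `ldap` blocks are reported, because every endpoint in it is `ldap://`; in a real deployment the same run tells you whether directory credentials and user/group data cross the network in the clear.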
3.3. Related APIs
[_getidentityproviders] API
[_getidentityproviderbyid] API
[_addembeddedidentitysource] API
[_updateembeddedidentitysource] API
[_deleteidentitysource] API
4. Update an embedded Identity Source
4.1. Prerequisites
The following data is required
- Identifier of the embedded Identity Provider
- The domain name associated with the identity source
Tip : Please refer to IdentitySourceSpec.
4.2. Steps
- Fetch the ID for the embedded identity provider and the domain name associated with the identity source from the list Identity Providers response.
Tip : Refer to Get all Identity Providers.
- Invoke the API to update an embedded identity source.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
Note : The domainName and domainAlias fields cannot be modified.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/d6df1ee0-4c28-4b18-af6d-1b0e15ea9aa2/identity-sources/embedded-ids.com' -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "name" : "My AD Identity Source",
  "ldap" : {
    "type" : "ActiveDirectory",
    "domainName" : "embedded-ids.com",
    "domainAlias" : "embedded-ids",
    "username" : "[email protected]",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  }
}'
HTTP Request
PATCH /v1/identity-providers/d6df1ee0-4c28-4b18-af6d-1b0e15ea9aa2/identity-sources/embedded-ids.com HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 452
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "name" : "My AD Identity Source",
  "ldap" : {
    "type" : "ActiveDirectory",
    "domainName" : "embedded-ids.com",
    "domainAlias" : "embedded-ids",
    "username" : "[email protected]",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  }
}
HTTP Response
HTTP/1.1 204 No Content
4.3. Related APIs
[_getidentityproviders] API
[_getidentityproviderbyid] API
Add an embedded Identity Source [_addembeddedidentitysource] API
[_deleteidentitysource] API
5. Delete an embedded Identity Source
5.1. Prerequisites
The following data is required
- Identifier of the embedded Identity Provider
- The domain name associated with the identity source
5.2. Steps
- Fetch the ID for the embedded identity provider and the domain name associated with the identity source from the list Identity Providers response.
Tip : Refer to Get all Identity Providers.
- Invoke the API to delete an embedded identity source.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/10c4975a-27b5-4a63-b619-b91af8b0563b/identity-sources/embedded-ids.com' -i -X DELETE \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....'
HTTP Request
DELETE /v1/identity-providers/10c4975a-27b5-4a63-b619-b91af8b0563b/identity-sources/embedded-ids.com HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 204 No Content
5.3. Related APIs
[_getidentityproviders] API
[_getidentityproviderbyid] API
[_addembeddedidentitysource] API
[_updateembeddedidentitysource] API
6. Add an external Identity Provider
6.1. Prerequisites
The following data is needed:
- Identity Provider Spec details
Tip : Please refer to IdentityProviderSpec.
Configure ADFS
6.2. Steps
- Invoke the API to add an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "name" : "My ADFS",
  "type" : "AD_FS",
  "certChain" : [ ],
  "ldap" : {
    "domainName" : "external-idp.com",
    "domainAlias" : "external-idp",
    "username" : "[email protected]",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  },
  "oidc" : {
    "clientId" : "c372a007-e546-4ffe-bd7d-6f0fef224985",
    "clientSecret" : "492fd130-c1ec-442b-86cf-d6cba719d56e",
    "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
  }
}'
HTTP Request
POST /v1/identity-providers HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 663
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "name" : "My ADFS",
  "type" : "AD_FS",
  "certChain" : [ ],
  "ldap" : {
    "domainName" : "external-idp.com",
    "domainAlias" : "external-idp",
    "username" : "[email protected]",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  },
  "oidc" : {
    "clientId" : "c372a007-e546-4ffe-bd7d-6f0fef224985",
    "clientSecret" : "492fd130-c1ec-442b-86cf-d6cba719d56e",
    "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
  }
}
HTTP Response
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 36

f6eeac21-6e4b-4a0a-8a12-10e2181efe40
Configure OKTA
6.3. Steps
- Invoke the precheck API
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-broker/prechecks?type=OKTA' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-broker/prechecks?type=OKTA HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 26

{
  "status" : "SUCCESS"
}
- If the status returned by the precheck API is "SUCCESS", invoke the following API to configure OKTA as an external identity provider.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "okta",
    "directory" : {
      "name" : "okta_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "OKTA"
    },
    "oidcSpec" : {
      "clientId" : "b23dbe05-c3da-4c05-b1ac-5366ef03a803",
      "clientSecret" : "c6a54305-d3ab-48da-b835-527969a5854e",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}'
HTTP Request
POST /v1/identity-providers HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 496
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "okta",
    "directory" : {
      "name" : "okta_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "OKTA"
    },
    "oidcSpec" : {
      "clientId" : "b23dbe05-c3da-4c05-b1ac-5366ef03a803",
      "clientSecret" : "c6a54305-d3ab-48da-b835-527969a5854e",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}
HTTP Response
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 36

5b28b137-abcd-4ee2-9e13-d2a6591d1dd8
Configure Microsoft Entra ID
6.4. Steps
- Invoke the precheck API
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-broker/prechecks?type=MICROSOFT_ENTRA_ID' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-broker/prechecks?type=MICROSOFT_ENTRA_ID HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 26

{
  "status" : "SUCCESS"
}
- If the status returned by the precheck API is "SUCCESS", invoke the following API to configure Microsoft Entra ID as an external identity provider.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "Entra ID",
    "directory" : {
      "name" : "entra_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
    },
    "oidcSpec" : {
      "clientId" : "52541093-e1cf-4886-bf4d-b1036e1c0fc7",
      "clientSecret" : "8ee1841f-0c3f-4aa1-8df0-740e51ce59bd",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}'
HTTP Request
POST /v1/identity-providers HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 515
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "Entra ID",
    "directory" : {
      "name" : "entra_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
    },
    "oidcSpec" : {
      "clientId" : "52541093-e1cf-4886-bf4d-b1036e1c0fc7",
      "clientSecret" : "8ee1841f-0c3f-4aa1-8df0-740e51ce59bd",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}
HTTP Response
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 36

b67eb61d-44f7-48ab-b1de-d09897a78eee
Note : The sync client token TTL must be set when generating the sync client token (refer to the [_generatesyncclienttoken] API). Setting this parameter while configuring an Okta/Entra Identity Provider has been deprecated.
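Sections 6.3 and 6.4 are the same two-step procedure for two values of `federatedIdpSourceType`: call the precheck API, and only on `"status" : "SUCCESS"` send the `FEDERATED_IDP_BROKER` spec. The Python below is an added example, not code from this document or from SDDC Manager, that encodes that gating so the create call can never be issued after a failed precheck. The HTTP transport is injected, so the flow runs offline; `FakeTransport` replays the responses the page shows and records each call with `clientSecret` and `password` masked, which is how the request bodies on this page should look in any log. The client id, secret and domains are the page's own placeholder values, and the `"FAILED"` precheck status used in the test is constructed, not a value the page documents.

```python
"""Precheck-gated creation of a FEDERATED_IDP_BROKER identity provider.

Added example; not code from the VCF documentation. Implements the two steps of
sections 6.3/6.4: GET /v1/identity-broker/prechecks?type=<source type>, then,
only on SUCCESS, POST /v1/identity-providers.
"""
import json
from urllib.parse import urlencode

SECRET_KEYS = {"clientSecret", "password"}   # fields the page's request bodies carry


class PrecheckFailed(RuntimeError):
    """Raised when the identity-broker precheck does not report SUCCESS."""


def federated_idp_spec(name, directory_name, default_domain, domains,
                       source_type, client_id, client_secret, discovery_endpoint):
    """Build a fedIdpSpec; source_type is OKTA or MICROSOFT_ENTRA_ID (the page's two values)."""
    return {
        "name": name,
        "directory": {
            "name": directory_name,
            "defaultDomain": default_domain,
            "domains": list(domains),
            "federatedIdpSourceType": source_type,
        },
        "oidcSpec": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "discoveryEndpoint": discovery_endpoint,
        },
    }


def redact(obj):
    """Deep copy of a request body with clientSecret/password values masked, for logging."""
    if isinstance(obj, dict):
        return {k: ("***" if k in SECRET_KEYS else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def configure_federated_idp(transport, base_url, bearer, fed_idp_spec):
    """Run the precheck for the spec's source type, then create the provider.

    `transport(method, url, headers, body)` returns (status_code, body_text).
    Returns the new provider id: the 201 from POST /v1/identity-providers
    carries the bare id as its body, as the page's responses show.
    """
    source_type = fed_idp_spec["directory"]["federatedIdpSourceType"]
    headers = {"Authorization": f"Bearer {bearer}", "Accept": "application/json"}
    precheck_url = f"{base_url}/v1/identity-broker/prechecks?{urlencode({'type': source_type})}"
    status, body = transport("GET", precheck_url, headers, None)
    if status != 200:
        raise PrecheckFailed(f"precheck returned HTTP {status}")
    result = json.loads(body).get("status")
    if result != "SUCCESS":
        raise PrecheckFailed(f"precheck status is {result!r}; provider not created")
    payload = {"type": "FEDERATED_IDP_BROKER", "fedIdpSpec": fed_idp_spec}
    status, body = transport("POST", f"{base_url}/v1/identity-providers",
                             {**headers, "Content-Type": "application/json"},
                             json.dumps(payload))
    if status != 201:
        raise RuntimeError(f"create returned HTTP {status}: {body}")
    return body.strip()


class FakeTransport:
    """Offline stand-in: replays the page's responses and records calls, redacted."""

    def __init__(self, precheck_status="SUCCESS",
                 created_id="5b28b137-abcd-4ee2-9e13-d2a6591d1dd8"):
        self.precheck_status = precheck_status   # "SUCCESS" is the page's value
        self.created_id = created_id             # id returned in section 6.3
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, redact(json.loads(body)) if body else None))
        if method == "GET" and "/v1/identity-broker/prechecks?" in url:
            return 200, json.dumps({"status": self.precheck_status})
        if method == "POST" and url.endswith("/v1/identity-providers"):
            return 201, self.created_id
        return 404, ""


# Section 6.3's request body, rebuilt through federated_idp_spec.
OKTA_SPEC = federated_idp_spec(
    "okta", "okta_dir", "domain1.com", ["domain1.com", "domain2.com"], "OKTA",
    "b23dbe05-c3da-4c05-b1ac-5366ef03a803", "c6a54305-d3ab-48da-b835-527969a5854e",
    "https://domain.com/.well-known/openid-configuration")

if __name__ == "__main__":
    fake = FakeTransport()
    print("created", configure_federated_idp(fake, "https://sfo-vcf01.rainpole.io",
                                             "etYWRta....", OKTA_SPEC))
    for call in fake.calls:
        print(*call)
```

Swapping `FakeTransport` for a thin wrapper around a real HTTP client is the only change needed to run against SDDC Manager; the gating and the redaction stay where they are.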
6.5. Related APIs
[_getidentityproviders] API
[_getidentityproviderbyid] API
[_updateexternalidentityprovider] API
[_deleteexternalidentityprovider] API
[_getidentityprecheckresult] API
7. Update an external Identity Provider
7.1. Prerequisites
The following data is required
- Identifier of the external Identity Provider
Tip : Please refer to IdentityProviderSpec.
When ADFS is configured
7.2. Steps
- Invoke the API to update an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/1aa48d53-a31a-48dc-9eed-4629f49e3bdc' -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "name" : "My ADFS",
  "type" : "AD_FS",
  "certChain" : [ ],
  "ldap" : {
    "domainName" : "external-idp.com",
    "domainAlias" : "external-idp",
    "username" : "[email protected]",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  },
  "oidc" : {
    "clientId" : "3e96fa7d-ffa0-4ad6-b87b-9280c020ff72",
    "clientSecret" : "261d67c3-f884-426f-ba9f-eb1e8945119d",
    "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
  }
}'
HTTP Request
PATCH /v1/identity-providers/1aa48d53-a31a-48dc-9eed-4629f49e3bdc HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 663
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "name" : "My ADFS",
  "type" : "AD_FS",
  "certChain" : [ ],
  "ldap" : {
    "domainName" : "external-idp.com",
    "domainAlias" : "external-idp",
    "username" : "[email protected]",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  },
  "oidc" : {
    "clientId" : "3e96fa7d-ffa0-4ad6-b87b-9280c020ff72",
    "clientSecret" : "261d67c3-f884-426f-ba9f-eb1e8945119d",
    "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
  }
}
HTTP Response
HTTP/1.1 204 No Content
When OKTA is configured
7.3. Steps
- Invoke the API to update an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/43f36743-9483-441d-bf68-87105a968855' -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "okta",
    "directory" : {
      "name" : "okta_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "OKTA"
    },
    "oidcSpec" : {
      "clientId" : "af57d3ab-a0a6-40f8-89d7-e02d49052d2e",
      "clientSecret" : "6196f11a-a3ee-42b9-89d7-7c4b4d25d93e",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}'
HTTP Request
PATCH /v1/identity-providers/43f36743-9483-441d-bf68-87105a968855 HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 496
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "okta",
    "directory" : {
      "name" : "okta_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "OKTA"
    },
    "oidcSpec" : {
      "clientId" : "af57d3ab-a0a6-40f8-89d7-e02d49052d2e",
      "clientSecret" : "6196f11a-a3ee-42b9-89d7-7c4b4d25d93e",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}
HTTP Response
HTTP/1.1 204 No Content
When Microsoft Entra ID is configured
7.4. Steps
- Invoke the API to update an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/885fae2b-c59c-4821-acb9-fb9773db7379' -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "Entra ID",
    "directory" : {
      "name" : "entra_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
    },
    "oidcSpec" : {
      "clientId" : "e2a84b35-febc-4630-a0bd-db0be0454329",
      "clientSecret" : "7210b920-ed45-45c7-ad3f-c2822035d3d9",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}'
HTTP Request
PATCH /v1/identity-providers/885fae2b-c59c-4821-acb9-fb9773db7379 HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 515
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "Entra ID",
    "directory" : {
      "name" : "entra_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
    },
    "oidcSpec" : {
      "clientId" : "e2a84b35-febc-4630-a0bd-db0be0454329",
      "clientSecret" : "7210b920-ed45-45c7-ad3f-c2822035d3d9",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}
HTTP Response
HTTP/1.1 204 No Content
Note : The sync client token TTL must be set when generating the sync client token (refer to the [_generatesyncclienttoken] API). Setting this parameter while configuring an Okta/Entra Identity Provider has been deprecated.
7.5. Related APIs
[_getidentityproviders] API
[_getidentityproviderbyid] API
[_addexternalidentityprovider] API
[_deleteexternalidentityprovider] API
8. Delete an external Identity Provider
8.1. Prerequisites
The following data is required
- Identifier of the external Identity Provider
8.2. Steps
- Invoke the API to delete an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/408f8671-cf80-43cb-b7f1-ccdf82a6fbf6' -i -X DELETE \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....'
HTTP Request
DELETE /v1/identity-providers/408f8671-cf80-43cb-b7f1-ccdf82a6fbf6 HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 204 No Content
8.3. Related APIs
[_getidentityproviders] API
[_getidentityproviderbyid] API
[_addexternalidentityprovider] API
[_updateexternalidentityprovider] API
9. Generate sync client token
The sync client token is used by the IDP administrator to push users and groups into WS1B. Only users and groups synced to vCenter/WS1B can log in to VCF. Refer to https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-88933505-9299-49FB-9C30-56E43683099B.html and https://kb.vmware.com/s/article/90835 for more information.
9.1. Prerequisites
The following data is required
- Identifier of the external Identity Provider
- Sync client token TTL
9.2. Steps
- Fetch the ID for the external identity provider from the list Identity Providers Response.
Tip : Refer to Get all Identity Providers.
- Invoke the API to generate the sync client token.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/c5c81d42-d05e-454a-bb29-4f6595c57438/sync-client?syncClientTokenTTL=263000' -i -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....'
HTTP Request
POST /v1/identity-providers/c5c81d42-d05e-454a-bb29-4f6595c57438/sync-client?syncClientTokenTTL=263000 HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1370

{
  "expireIn" : 1742550173,
  "token" : "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9....OiZ6nHiFy9hTuU09fT2BUGzbD3XWH-XBoAOCFG3sC8-Pk2FXAn4oZ5fQ9zJHRMDTapAbhfzOF7hCgQ2klhIk_RAnuneey3pUJKotB-DoExU6v6DS3-4C1YBhvMYqezytfE0zcw--ZZbJxFjCwHMIHCf-t6LPLBoEpRZbhB5ZewscYACI0hYcSpseU2hWD9cSkCJr8w7j1zWowIQ1KJxkfdoTdjLuAIH_vesKVcSXirsuOeDiPng93Rx-umMyCzQ8-og64JK1C3XdzdfTsN1-gporUclgawcgFlZgyQFkeL0h8B6j61MzUYHBvwBU_a6jm97BUjSBeu86ipk39o29Og",
  "scimUrl" : "https://sfo01-m01-vc01.rainpole.io/usergroup/t/tenantType/scim/v2"
}
Note : The sync client token TTL must be passed as a query parameter to this API. Setting it while configuring an Okta/Entra Identity Provider has been deprecated (refer to the [_addexternalidentityprovider] API).
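The response above is a bearer credential that the IdP administrator will hold until `expireIn` (epoch seconds) passes, so two things are worth doing before it leaves the operator's hands: read the expiry and the SCIM target back out of the response, and make sure the token itself is never written to a log in full. The Python below is an added example, not code from this document or from SDDC Manager. Its sample response is constructed: `expireIn` and `scimUrl` are the page's values and the JWT header is the one the page shows, but the payload and signature are placeholders because the page abbreviates them. The payload is decoded for inspection only; nothing in it is trusted, since the example does not verify the signature.

```python
"""Inspect a sync-client token response without trusting it.

Added example; not code from the VCF documentation. The response built by
constructed_response() mirrors section 9's: page values for expireIn and
scimUrl, the page's JWT header, and a placeholder payload and signature.
"""
import base64
import json
import time
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

PAGE_HEADER = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9"  # header segment from section 9's token


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def constructed_response(expire_in: int = 1742550173) -> dict:
    """Sample shaped like the page's response; payload and signature are placeholders."""
    payload = b64url_encode(json.dumps({"exp": expire_in}).encode())
    return {
        "expireIn": expire_in,
        "token": f"{PAGE_HEADER}.{payload}.constructed-signature",
        "scimUrl": "https://sfo01-m01-vc01.rainpole.io/usergroup/t/tenantType/scim/v2",
    }


def redact_token(token: str) -> str:
    """Keep only the header segment (public metadata) when a token must appear in a log."""
    return token.split(".", 1)[0] + ".<redacted>"


def inspect_sync_token(resp: dict, now: Optional[int] = None) -> dict:
    """Summarise a sync-client token response.

    Returns the JOSE header fields, the UTC expiry derived from `expireIn`,
    the remaining lifetime in seconds, whether the (unverified) `exp` claim
    agrees with `expireIn`, the SCIM host the IdP will push to, and a
    log-safe rendering of the token.
    """
    segments = resp["token"].split(".")
    if len(segments) != 3:
        raise ValueError("token is not a compact JWS (header.payload.signature)")
    header = json.loads(b64url_decode(segments[0]))
    payload = json.loads(b64url_decode(segments[1]))   # unverified: informational only
    now = int(time.time()) if now is None else now
    expires_at = datetime.fromtimestamp(resp["expireIn"], tz=timezone.utc)
    return {
        "alg": header.get("alg"),
        "typ": header.get("typ"),
        "expires_at": expires_at.isoformat(),
        "seconds_left": resp["expireIn"] - now,
        "exp_claim_matches": payload.get("exp") == resp["expireIn"],
        "scim_host": urlsplit(resp["scimUrl"]).hostname,
        "token_for_logs": redact_token(resp["token"]),
    }


if __name__ == "__main__":
    for key, value in inspect_sync_token(constructed_response()).items():
        print(f"{key:>18}: {value}")
```

With `now` set to 263000 seconds before `expireIn`, the summary reports exactly the TTL requested in the cURL above, which is a quick way to confirm the query parameter was honoured.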
9.3. Related APIs
[_getidentityproviders] API
[_getidentityproviderbyid] API
[_generatesyncclienttoken] API
Last updated 2025-03-21 15:13:04 +0530